Abstract
Password managers are critical pieces of software relied upon by users to securely store valuable and sensitive information, from online banking passwords and login credentials to passport and social security numbers. Surprisingly, there has been very little academic research on the security these applications provide.
This paper presents the first rigorous analysis of storage formats used by popular password managers. We define two realistic security models, designed to represent the capabilities of real-world adversaries. We then show how specific vulnerabilities in our models allow an adversary to implement practical attacks. Our analysis shows that most password manager database formats are broken even against weak adversaries.
Copyright information
© 2012 Springer-Verlag Berlin Heidelberg
Cite this paper
Gasti, P., Rasmussen, K.B. (2012). On the Security of Password Manager Database Formats. In: Foresti, S., Yung, M., Martinelli, F. (eds) Computer Security – ESORICS 2012. ESORICS 2012. Lecture Notes in Computer Science, vol 7459. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-33167-1_44
DOI: https://doi.org/10.1007/978-3-642-33167-1_44
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-33166-4
Online ISBN: 978-3-642-33167-1