Securing a Password Manager

A young man became aware that there was a large safe in the local pool hall. Of course something that big and on such display drew a lot of attention, and attention became speculation, which in turn turned to greed. The owner had opened the safe once in their presence and it was full of money. And so a plan was drawn up to break into the pool hall late at night, open the safe, and be rich beyond their wildest dreams. So one night they broke in and tried to crack the safe, but couldn't open it. Undeterred, they moved it out of the pool hall and loaded it on the back of a pickup truck. They then took it to a garage one of them had access to and tried opening the safe with chisels and hammers. The safe refused to be opened. By this time everyone in town knew about the safe being stolen, and the police investigation had started. So they loaded it back up on the pickup, took it up to a mountain pass, and tossed it off a cliff. Surely the fall would open it, they could get their money, and who would think about looking for the safe at the bottom of a cliff? They followed its path down, but didn't find the money, because the safe had sunk.

The story illustrates some of the problems with password safes as well. First of all, they're a pain to keep secret. And of course the password manager is only as good as the means taken to secure it. Now there are more than a few password managers out there that run on local systems, and this works great for a small company. One of the big advantages is that you can access it only from the system it's installed on. If that system is compromised, then it's just that password vault that gets compromised. Of course if it's the right vault, the damage can be devastating nonetheless. The downside of this is that it might not work as well as we'd like in an enterprise, and so there are enterprise-level vaults. Many times they're accessed through a web interface, and that's where the trouble can start.

Most of the time, users will access a password vault using their domain credentials. What that means to a hacker is: if I get one piece, then it's just a matter of time before I'm in. If it's the right account, then I might get admin-type passwords, or bank passwords, or whatnot. That said, there are password vaults out there that will provide you with two-factor authentication. It could be a card plus the password, or as simple as a challenge question and a password. The first approach is best because even if they get the password they might not have the card. The last is usually something like password plus "What city and state were you born in?" or such. In the latter case, all you've done is make some hacker do a little bit more research and typing. To really have fun, do something like "Pizza hut, 1130 Main St., Alamosa, Colorado". Then jazz it up and really drive them nuts: p1zz@HUt113OM@1n5t2l2M0s@C0lOR@do. I don't say it can't be hacked. I do say they'll have to work for it.

Another issue, especially with enterprise-level password managers, is that there are two big areas for attacks. One is that everyone will be accessing them through a web browser. Most web browsers are happy to do what we call auto-completion for you. Unfortunately, this also forms the basis for what we call a "Sweep Attack". In this, an attacker targets the browser by having the user visit a site they've compromised (WiFi sites are a classic example). While the user is doing their thing, the attacker has gotten into the network traffic, injected some script into it, and then they start collecting the auto-filled text you might use. Oftentimes, this might even include passwords. iFrame attacks are very similar and involve injecting a logon page and script into the page being visited by a user, and that opens the door to getting auto-filled entries. The third and last type is a simple redirect attack. This one doesn't require any new windows to open, or anything injected into the user's system, but redirects the user from a site they might be familiar with to another that sure looks like it. And then you just start auto-filling away. The defense on the password manager side is real simple: most of them will allow you to turn off auto-fill.

The other thing folks tend to forget is that a password manager has a database someplace. Pay attention to this being locked down and protected. Some databases are nothing more than an Access database; others can be MySQL or SQL databases. Read up on locking them down, and on what permissions they should and shouldn't have. Remember, monitoring access to them is important. There are tools out there like Netwrix's File Manager which will let you know when certain things happen. They're worth exploring. If you want to build your own, make sure you turn on auditing for that file or directory. But you're not interested in successes; what you're looking for is failures. Event code 4656 is what you'll be watching for.
It's real simple, but a quick recap: in Windows 2008 and 2012, you can set up a scheduled task so that when a certain event happens, it sends you an email, runs a script, or takes any number of other actions.
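Putting the auditing and scheduled-task steps above into one script, as an added example that is not code from the original post: it assumes Windows Server 2012 or later (for the ScheduledTasks module), an elevated session, and placeholder paths for the vault folder and the alert script.

```powershell
# Added example (not from the original post): audit failed access to the
# password-vault folder and fire a scheduled task on Security event 4656
# *audit failures* only. Paths below are placeholders.
$VaultPath   = 'C:\PasswordVault'          # placeholder: folder holding the vault database
$AlertScript = 'C:\Scripts\VaultAlert.ps1' # placeholder: script that mails or logs the alert

# 1. A SACL does nothing unless the "File System" audit subcategory is on.
#    Only failures are enabled, since successes are just noise here.
auditpol /set /subcategory:"File System" /failure:enable | Out-Null

# 2. Add a failure-only audit entry for Everyone on the vault folder and
#    everything beneath it (ReadData, WriteData, Delete denials get logged).
$acl    = Get-Acl -Path $VaultPath -Audit
$rights = [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, Delete'
$rule   = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', $rights,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Failure)
$acl.AddAuditRule($rule)
Set-Acl -Path $VaultPath -AclObject $acl

# 3. Event-triggered task. Keyword bit 0x10000000000000 (4503599627370496)
#    is "Audit Failure", so successful 4656 handle requests never trigger it.
$xpath = "*[System[(EventID=4656) and band(Keywords,4503599627370496)]]"
$query = "<QueryList><Query Id='0' Path='Security'>" +
         "<Select Path='Security'>$xpath</Select></Query></QueryList>"

$class   = Get-CimClass -Namespace Root/Microsoft/Windows/TaskScheduler -ClassName MSFT_TaskEventTrigger
$trigger = New-CimInstance -CimClass $class -ClientOnly
$trigger.Subscription = $query
$trigger.Enabled      = $true

$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$AlertScript`""
Register-ScheduledTask -TaskName 'VaultAccessFailure' -Trigger $trigger -Action $action `
    -User 'NT AUTHORITY\SYSTEM' -RunLevel Highest -Force
```

After this runs, a denied read or write under the vault folder shows up as a 4656 Audit Failure in the Security log and launches the alert script; the script itself can read the event's ObjectName field to decide whether to mail anyone.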

So, with all this said, should we avoid password managers? The answer is no. A password manager, properly secured and used, allows us to use bigger and more complex passwords. It allows us to give users a way of recording passwords, so they don't reuse the same one everywhere. Like all things, password managers are tools, and you must use them properly.