So, I was recently asked by a client to recommend a good password generator so that the company employees didn’t have to think of their own passwords. Well, I told him that if they knew the standards for a good password they should be able to do it themselves.
These standards include using at least three of the following criteria:
- minimum of eight characters,
- upper and lower case letters,
- at least one number, and
- at least one special character
But he insisted so I started asking around. I found out that my friend and colleague, Monty McDougal, has recommended Password Safe in the past, so I decided to check it out. A little research got me the application from Sourceforge and I downloaded it and quickly ran the executable. A few minutes later I had created a database and then associated a password with a username and URL. Nice. My next thought was, “If this could only run directly from my USB thumbdrive I’d be all set.” Well, it does. Excellent. As you can tell I was getting fairly excited, so I stepped back and started thinking about the security implications.
- Is the password database encrypted?
  - Duh!
  - Are you sure? Here it is:
  [raw contents of the .psafe3 file, unreadable as pasted: it starts with the tag "PWS3", the rest is ciphertext with no recognizable strings in it, and it ends with the block "PWS3-EOFPWS3-EOF" followed by a short binary trailer]
- Can others see the password?
  - As I type it? Yes. Don't set it up while somebody is looking over your shoulder.
  - When I open the database? No, the passwords are kept hidden unless you choose to unhide them. See the previous bullet.
  - When I paste the password? Yes and no. If you paste it into a form field that is designated as a password field it shows up as asterisks, but if you paste it into a text document it shows up in the clear. So don't do that unless you forgot what the password was and really want to see it. Keep in mind that while it sits on the clipboard it is plain text that any other program on the machine can read, so clear the clipboard when you are done.
- Can the password protecting the database be brute forced?
  - Of course it can. Got some time on your hands and an extra CPU or three? What decides how much time is the length and randomness of the passphrase you pick, so treat it as the one password you really have to memorize.
- Does it have a password generator?
  - Yes it does, but out of the box it does not enforce the strong password standards above. To get strong passwords the generator options have to be edited and the password policy updated.
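The two answers above, "is the database encrypted?" and "can the master password be brute forced?", as an added example. This is my code, not Password Safe's: it builds a constructed blob laid out the way I read the project's V3 format description (tag, salt, iteration count, hash of the stretched key, wrapped-key and IV blocks, records, EOF block, HMAC trailer), sanity-checks that layout, verifies a passphrase against the stored hash, and runs a dictionary attack whose cost is the iteration count times the size of the wordlist. The field layout and the stretching scheme are assumptions from my reading of that spec; the passphrase, iteration count and wordlist are made up. Because the file is built and checked by the same code, the example is self-consistent even if a detail of the real format differs.

```python
"""Inspect a PWS3-style file and cost out a passphrase brute force.

Constructed example: build_database() writes a synthetic blob that mimics the
start and end of a .psafe3 file. Only the fields needed to verify a passphrase
(salt, iteration count, hash of the stretched key) are meaningful; the
wrapped keys, IV, records and HMAC are random filler.
"""
import hashlib
import os
import struct
from typing import List, Optional, Tuple

TAG = b"PWS3"
EOF_BLOCK = b"PWS3-EOFPWS3-EOF"            # 16-byte end-of-records marker seen in the dump
HEADER_LEN = 4 + 32 + 4 + 32 + 16 * 5       # tag, salt, ITER, H(P'), B1..B4, IV (assumed layout)
HMAC_LEN = 32


def stretch_key(passphrase: str, salt: bytes, iterations: int) -> bytes:
    """Key stretching as I read the V3 spec (assumption): hash passphrase||salt
    once, then re-hash ITER more times. Each guess costs iterations + 1 SHA-256 calls."""
    p = hashlib.sha256(passphrase.encode("utf-8") + salt).digest()
    for _ in range(iterations):
        p = hashlib.sha256(p).digest()
    return p


def build_database(passphrase: str, iterations: int = 2048,
                   salt: Optional[bytes] = None) -> bytes:
    """Constructed .psafe3-like blob; nothing in it decrypts to anything."""
    if salt is None:
        salt = os.urandom(32)
    key_hash = hashlib.sha256(stretch_key(passphrase, salt, iterations)).digest()
    header = TAG + salt + struct.pack("<I", iterations) + key_hash + os.urandom(16 * 5)
    records = os.urandom(64)                # four 16-byte "ciphertext" blocks of filler
    return header + records + EOF_BLOCK + os.urandom(HMAC_LEN)


def parse_header(blob: bytes) -> dict:
    """Check the layout and pull out what a passphrase check needs."""
    if blob[:4] != TAG:
        raise ValueError("not a PWS3 file (bad tag)")
    eof = blob.rfind(EOF_BLOCK)
    if eof < HEADER_LEN or len(blob) - eof != len(EOF_BLOCK) + HMAC_LEN:
        raise ValueError("EOF block or trailer missing: truncated or corrupt file")
    if (eof - HEADER_LEN) % 16 != 0:
        raise ValueError("record area is not a whole number of cipher blocks")
    return {
        "salt": blob[4:36],
        "iterations": struct.unpack("<I", blob[36:40])[0],
        "key_hash": blob[40:72],
        "record_bytes": eof - HEADER_LEN,
    }


def check_passphrase(blob: bytes, candidate: str) -> bool:
    h = parse_header(blob)
    stretched = stretch_key(candidate, h["salt"], h["iterations"])
    return hashlib.sha256(stretched).digest() == h["key_hash"]


def brute_force(blob: bytes, wordlist: List[str]) -> Tuple[Optional[str], int]:
    """Dictionary attack. Returns (passphrase or None, SHA-256 calls spent);
    the iteration count is what makes every guess expensive."""
    h = parse_header(blob)
    per_guess = h["iterations"] + 2         # stretch chain plus the final H(P')
    for n, cand in enumerate(wordlist, 1):
        stretched = stretch_key(cand, h["salt"], h["iterations"])
        if hashlib.sha256(stretched).digest() == h["key_hash"]:
            return cand, n * per_guess
    return None, len(wordlist) * per_guess


if __name__ == "__main__":
    db = build_database("correct horse battery")
    print(parse_header(db)["iterations"], "hash iterations per guess")
    # constructed wordlist; the real passphrase is deliberately in it
    print(brute_force(db, ["password", "letmein", "Password1!", "correct horse battery"]))
```

The number that matters in the output is the hash count: a few thousand SHA-256 calls per guess is cheap for a short wordlist and still cheap for a weak master passphrase, which is why the answer to "can it be brute forced" is about the passphrase and not the file format.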
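The three-of-four standard listed at the top of the post, and the point just above that the built-in generator has to be configured to meet it, as one added example. This is my code, not Password Safe's generator or policy code: meets_policy() scores a password against the four criteria, generate() draws from the OS CSPRNG and rejects anything that does not satisfy all four, and the last two functions put a number on the brute-force question. The special-character set, the lengths and the guess rate are assumptions.

```python
"""Policy check and generator for the three-of-four password standard.

Added example, not Password Safe's own generator. The alphabet and the
special-character set are assumptions; adjust them to the site's rules.
"""
import math
import secrets
import string

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SPECIAL = "!@#$%^&*()-_=+[]{};:,.?/"   # assumed special set
MIN_LEN = 8


def meets_policy(pw: str, required: int = 3) -> bool:
    """True if at least `required` of the four criteria from the post hold."""
    criteria = [
        len(pw) >= MIN_LEN,
        any(c in LOWER for c in pw) and any(c in UPPER for c in pw),
        any(c in DIGITS for c in pw),
        any(c in SPECIAL for c in pw),
    ]
    return sum(criteria) >= required


def generate(length: int = 12) -> str:
    """Draw uniformly from the alphabet with the OS CSPRNG (`secrets`), then
    rejection-sample until all four criteria hold. Rejecting whole candidates
    keeps the result uniform over the set of passing passwords; patching in a
    digit at a fixed position would not. Never use `random` for this: it is
    not designed to be unpredictable."""
    if length < MIN_LEN:
        raise ValueError(f"length must be at least {MIN_LEN}")
    alphabet = LOWER + UPPER + DIGITS + SPECIAL
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_policy(pw, required=4):
            return pw


def guess_space_bits(length: int, alphabet_size: int) -> float:
    """Bits of search space for a uniformly random password of this shape."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to enumerate the whole space at a given guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    pw = generate(12)
    print(pw, meets_policy(pw, required=4))
    size = len(LOWER + UPPER + DIGITS + SPECIAL)
    for n in (8, 12, 16):
        bits = guess_space_bits(n, size)
        # 1e10 guesses/s is an assumed attacker rate for illustration
        print(f"{n} chars: {bits:.1f} bits, {years_to_exhaust(bits, 1e10):.2g} years at 1e10/s")
```

Note what a literal three-of-four rule allows: "aB1!" passes, because the length criterion is just one of the four. That is why generate() insists on all four, and why the length you pick matters more than the character classes once the generator is random.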
Dang that was easy. And to top it all off, it turns out that Password Safe is a project that is supported by Bruce Schneier. What more could you ask for? Satisfied, I moved on and started looking at a few of my security feed subscriptions. Right off the bat I noticed that Larry Pesce had updated his blog, haxorthematrix. Instantly my bubble burst when I saw the title “Bugtraq: PasswordSafe 3.0 weak random number generator allows key recovery attack.”
Great! But after reading the article I’m not as worried as I thought I would be. Let’s think about what the real threats are for our password database.
- Shoulder surfers
- Password on paper, on wall, on ceiling, and/or in plain text file
- Stolen/Lost password database
- Decrypted password database
Now associate these with the likelihood that they will be exploited.
- Shoulder surfers - Low
  - This is low because it can be done but it takes some skill and practice.
- Password on paper, on wall, on ceiling, and/or in plain text file - High
  - This is high because it is the easiest to discover and use.
  - Actually, properly using this software would successfully mitigate this risk and move the likelihood of exploitation to low.
- Stolen/Lost password database - High
  - This is high because somebody using this will probably have it on a USB thumbdrive... Flush... oops!
  - It is more likely that a stolen USB thumbdrive will be wiped and used for something else.
- Decrypted password database - Low
  - This is low because it takes some technical expertise and time to set this up and crack the key, and a strong master passphrase pushes the time required out of reach.
So, all in all the risk is not very high, and it can be managed by remembering that this software is designed to help and has its own limitations, the same ones that apply to every other way of storing this information. By keeping backups and treating any removable media as a security item, an individual or organization can safely deploy this useful software even with the recent vulnerability concerns.