Chaniging focus: security ouitside a password manager (was: Re: Password Manager opinions and recommendations)
- To: debian-user@lists.debian.org
- Subject: Chaniging focus: security ouitside a password manager (was: Re: Password Manager opinions and recommendations)
- From: rhkramer@gmail.com
- Date: Mon, 2 Apr 2018 09:07:16 -0400
- Message-id: <[🔎] 201804020907.16879.rhkramer@gmail.com>
- In-reply-to: <a4a40926-cea2-5d71-9a5c-d45c0460d8c0@affinityvision.com.au>
- References: <201803251152.13825.rhkramer@gmail.com> <alpine.DEB.2.11.1803301838360.282@post> <a4a40926-cea2-5d71-9a5c-d45c0460d8c0@affinityvision.com.au>
Just continuing to think (or maybe not think ;-) about password managers /
password security, changing the focus slightly (I think) but keeping the same
thread.
I'm now thinking about the security (or vulnurability) of passwords during
"normal" usage--I mean, I'm thinking about the times when a password, even
though stored in a very secure manner (in a password manager or encrypted
file(s) of some sort), the password is viewable in plain text, and thus, to a
greater or lesser degree, vulnurable.
The first two situations that come to mind include:
* during copy and paste operations, the plaintext password could remain on
the C&P "stack". thus making it vulnurable: Some notes:
(1) I've read about at least one password manager that, somehow, deletes
the plaintext password from the copy and paste "stack" after a time delay--I
didn't make a note of which one that was.
(2) another approach could be that a password manager provides a
facility to write the password to a designated textbox without using the copy
and paste facility, thus, presumably, never putting the plaintext password on
the copy and paste "stack").
* during hibernation (or maybe suspend and resume): (I use neither at the
present time, but, one stores the machine's state (including RAM) to disk, the
other stores the (CPU) state to RAM while preserving the other contents of
RAM.) Hibernation could result in the plaintext of passwords being stored on
disk while the power is off, making the plaintext passwords vulnurable if the
machine is stolen.
My current approach to passwords includes storing them in an encrypted file
which is only ever decrypted to a RAMdisk, with the idea / intention that, if
power is lost, or the machine is shutdown, the plaintext passwords would
disappear from RAM (except to the extent that (iiuc) there are (NSA) ways to
recover the contents of RAM if power is restored to the machine fairly
quickly). My assumption, without considering hibernation. was that the only
remaining copy of the passwords would be in the encrypted files.
Maybe my concern about these situations is unrealistic, but I want to consider
it, so all comments are welcome.
BTW, I can see that the Master Password approach might be the solution for
most of the problem, unless I (or it) uses copy and paste to put passwords in
a textbox.
On Friday, March 30, 2018 09:44:18 PM Andrew McGlashan wrote:
Reply to: