Security Experts:

Overall Security of Password Managers Debatable, Cracking Firm Says

A password recovery firm has claimed that the overall security of password managers is debatable. "Are password managers more secure than keeping a list of passwords in a single Excel spreadsheet?" it asks. "Not necessarily," it concludes.

Announcing the latest version of the Elcomsoft Distributed Password Recovery (EDPR) tool, Oleg Afonin blogged that it can now recover the master passwords for the 1Password, KeePass, LastPass and Dashlane password managers. This can be a legitimate requirement for users who lose or forget their master password -- or in some cases for law enforcement looking for suspects' online account passwords for legal purposes.

"Obviously, if the master password is compromised, all other passwords stored in the vault are compromised as well," writes Afonin. For this reason, password managers go to great lengths to make that password irrecoverable. For example, he writes, "LastPass generates the encryption key by hashing the username and master password with 5,000 rounds of PBKDF2-SHA256, while 1Password employs even more rounds of hashing."

Despite this, Elcomsoft claims to be able to brute force the master keys. In its published benchmarks, it shows that of the four password managers, it takes longest to recover the keys for LastPass; followed by 1Password, Keepass and then Dashlane. It justifies its Excel spreadsheet comment by showing that it takes much longer to brute force encrypted Office 2016 documents than any of the tested four password managers.

In theory, anything can be brute forced if the 'attacker' has sufficient time and computing power available -- Elcomsoft is simply saying it can do so in a timely fashion. SecurityWeek spoke to Dashlane senior manager, Ryan Merchant, about the report; and it is noticeable, if understandable, that he did not address the cracking capabilities of EDPR. Instead, Merchant focused on the overall advantages of using a password manager.

"A web-based password manager keeps your passwords encrypted in secure databases in the cloud," said Merchant. "In order for anyone to access your account, they'll need to possess your strong master password in order to decrypt the password manager's database." This is, of course, exactly what Elcomsoft claims to be able to do.

However, the strength of the password manager, said the Merchant, really lies in its ease of use. "Instead of writing your passwords on sticky notes or reusing the same password for all of your accounts, password managers provide a safe place for you to store, manage, and protect your passwords and other private information," he said.

"Dashlane users in particular do not need to invent, know, type or remember any of their passwords. Dashlane does it for them. In a sense, a Dashlane user has digital accounts, not passwords," he continued. "We have already started to kill the password by making the actual passwords irrelevant to our users."

Password managers aid the user in creating strong, unique passwords for different accounts. This is both more secure and easier to manage than could be done manually by the vast majority of users. Its one theoretical weakness is that if the master password can be cracked, then all the users' different passwords are accessible. For this reason, the developers make it difficult for them to be brute-forced.

What Elcomsoft has done has make it possible, in extremis, for the user to recover them regardless. As a forensic tool, this becomes very valuable -- so long as it cannot also be used by adversaries. SecurityWeek raised this question with Olga Koksharova, marketing director at Elcomsoft.

"As for adversaries," she told SecurityWeek, "speaking about Elcomsoft Distributed Password Recovery it's always a question of being able to log into a system and having administrative rights that would allow them to install the tool and run it. However, adversaries might only need extract just some information from the computer in order to use it afterwards on another workstation with all necessary tools running. In case with password managers, we need to feed a particular file to EDPR in order to brute-force it."

It would not be easy, but it would -- under certain conditions -- be possible for an attacker to make use of EDPR. This, of course, would be much simpler if a user lost or had a mobile device stolen. Koksharova advises, "Never leave your computers with valuable information unattended (lending it to someone is out of question) and always protect the computer itself with strong passwords."

The moral from this story is simple: password managers will almost always be more secure than manually generated and managed passwords -- but they do not relieve the user from all responsibility. The password manager itself still needs to be protected.

Last week, Dashlane published the results of its 2017 Password Power Rankings study, which examined the password practices that different companies encourage or force onto their users.

view counter
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.