Evaluating a password manager Evan Johnson


About Me
● CloudFlare Security Systems Engineer
● Previously an engineer at LastPass
● Wrote passgo (https://github.com/ejcx/passgo)
● On twitter @ejcx_
● Personal sites:
  ○ https://ejj.io
  ○ https://twiinsen.com

Trigger Warning: Talking about Password Managers

What is this talk?
● Define properties that all password managers should have
● Some basic technical details about individual pw managers
● Talk about what matters in a password manager for average people.
● Talk about some details of how a technical analysis is done.

Which password managers
● 1Password
● LastPass
● Dashlane
● Keeper
● KeePass
● KeePassX
● PasswordBox (rest in peace)
● Pass
● Excel Spreadsheets
● Password Journals
● ...

How do (most) password managers work?

Cloud Password Servers
● This component will be missing if the pw manager does not sync.
● Web service of some sort containing encrypted data.
● What other data should be encrypted? Password managers generally do not encrypt everything (site URLs and other metadata are commonly left in the clear).
● Security measures like 2FA are usually enforced here.

Core Service, Background Service
● Consumes the web service APIs.
● Decrypts sites after login and keeps the decrypted state in a persistent process.
● Updates sites as they change
● Updates the API as new sites are created

User Application + Background / Browser Integration
● Contains user interface.
● Contains bells and whistles that help users be secure.
● Auto fills passwords

What matters in a password manager!?
● Too much for one slide…
● “What features should all password managers have?”
● “Which features are security critical and need special evaluation?”
● “What are your personal needs in a password manager?”

What features should all password managers have?
● Password generator that can be used to generate different kinds of passwords.
● Duplicate password finder
● Weak password finder
● Good UX for mobile support
● Strong crypto
● Import / Export: you should be able to jump ship!
● Amazing mobile UX
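As an added example (not code from the talk or from any of the products listed), here is a minimal duplicate-password and weak-password finder run over a constructed, already-decrypted vault. The function names, the 60-bit entropy threshold and the four-entry common-password list are this example's own assumptions; a real tool would use a breach corpus and run only on the client, in memory.

```javascript
// Added example: duplicate and weak password finders over a decrypted vault.
// Names (auditVault, estimateEntropyBits) and thresholds are this example's own.

// Constructed stand-in for a real breached-password list.
const COMMON_PASSWORDS = new Set(['password', '123456', 'qwerty', 'letmein']);

// Rough entropy estimate: length * log2(size of the character classes used).
// This is an upper bound for random passwords, not a measure of human ones.
function estimateEntropyBits(pw) {
  let pool = 0;
  if (/[a-z]/.test(pw)) pool += 26;
  if (/[A-Z]/.test(pw)) pool += 26;
  if (/[0-9]/.test(pw)) pool += 10;
  if (/[^a-zA-Z0-9]/.test(pw)) pool += 33; // printable ASCII punctuation
  return pool === 0 ? 0 : pw.length * Math.log2(pool);
}

// Returns the sites sharing a password (reuse) and the sites with weak passwords.
function auditVault(entries, { minBits = 60 } = {}) {
  const byPassword = new Map();
  for (const e of entries) {
    if (!byPassword.has(e.password)) byPassword.set(e.password, []);
    byPassword.get(e.password).push(e.site);
  }
  const duplicates = [...byPassword.values()].filter(sites => sites.length > 1);
  const weak = entries
    .filter(e => COMMON_PASSWORDS.has(e.password.toLowerCase()) ||
                 estimateEntropyBits(e.password) < minBits)
    .map(e => e.site);
  return { duplicates, weak };
}

// Constructed sample vault (no real credentials).
const SAMPLE_VAULT = [
  { site: 'https://bank.example',  password: 'Tr0ub4dor&3xQ9!mLp' },
  { site: 'https://mail.example',  password: 'hunter2' },
  { site: 'https://shop.example',  password: 'hunter2' },
  { site: 'https://forum.example', password: 'password' },
];

console.log(auditVault(SAMPLE_VAULT));
```

The duplicate finder keys on the raw password, so two accounts on the same site with the same password are also reported; that is deliberate, since reuse inside one site is still reuse.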

The world is mobile now
● Password managers without a mobile component are useless to average folks.

The world is mobile now
https://github.com/AgileBits/onepassword-app-extension

The scary part of mobile password managers
● There are hundreds of mobile password managers of unknown quality. Who knows what they are doing.

What features need security evaluation
● Browser filling logic.
● Integration between browser extension and background extension.
● Password Generator.
● Crypto Primitives.
● HTTP Headers and Transport Security.

How to dive in and look under the hood
● Examine the API
● Examine the Crypto
● Examine the browser extension
● Examine the integration between browser extension and background
● Examine the auto-fill logic
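The piece of auto-fill logic that most needs examining is the origin check, because that is where substring matching goes wrong. As an added example (not the talk's or any product's code; the saved-entry format, the page URLs and the function names are constructed for illustration), the block compares a weak hostname-substring check against a strict origin comparison.

```javascript
// Added example: the origin check an auto-fill engine must make before it
// puts a saved credential into a page. Names and data are this example's own.

// Constructed saved entry (no real credential).
const SAVED = { url: 'https://accounts.example.com/login', username: 'alice', password: 'p' };

// WEAK: "does the page URL contain the saved hostname?" This matches
// attacker-controlled hosts such as accounts.example.com.evil.net, a
// hostname placed in a query string, and plaintext http:// downgrades.
function shouldAutofillWeak(entry, pageUrl) {
  return pageUrl.includes(new URL(entry.url).hostname);
}

// CORRECT: compare full origins (scheme + host + port) and refuse non-HTTPS pages,
// so a credential saved for https://accounts.example.com is filled nowhere else.
function shouldAutofill(entry, pageUrl) {
  let saved, page;
  try { saved = new URL(entry.url); page = new URL(pageUrl); } catch { return false; }
  if (page.protocol !== 'https:') return false;
  return saved.origin === page.origin;
}

// Constructed page URLs a filling engine will meet, with the expected decision.
const TEST_PAGES = [
  'https://accounts.example.com/login',                    // same origin: fill
  'https://accounts.example.com:8443/login',               // other port: do not fill
  'https://accounts.example.com.evil.net/login',           // lookalike host: do not fill
  'http://accounts.example.com/login',                     // plaintext downgrade: do not fill
  'https://evil.net/?next=https://accounts.example.com/',  // host in query: do not fill
];
for (const p of TEST_PAGES) {
  console.log(p, 'weak:', shouldAutofillWeak(SAVED, p), 'correct:', shouldAutofill(SAVED, p));
}
```

A strict origin match will not fill https://www.example.com with a credential saved for https://login.example.com; managers that relax this to the registrable domain need the Public Suffix List to do it safely. Any fill into a frame must also be decided on that frame's own origin, not the top-level page's, or a cross-origin iframe can harvest the credential.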

Examining the API
1. chrome://extensions
2. Enable Developer Mode
3. Click “background.html” (under “Inspect views”) to open DevTools on the extension's background page and watch its network requests.

Examining the crypto

Examining the browser extension

Click on “{}” (pretty print) in DevTools to unminify the extension's source.

What’s the point of all of this
● I am working on a “password manager scorecard”

Questions
● Any Questions?