Are we back in the realm of passwords? We’re back to passwords.
Actually, we’re back to password managers because I haven’t done a proper video on this
I’ve talked about password managers briefly while I was talking about, you know good passwords and things like this
But they’re very very important nowadays, right? So, what is it that’s good?
And why is it okay that we’re putting all our eggs in one basket?
Just before we start the video about how they work. Would you recommend a password manager?
100% yes, there are probably some use cases where you wouldn’t want to use a password manager, but off the top of my head
I can’t think of many. I think that your security is better with one, right?
Even though there obviously is some
Small amount of risk that you take by putting your passwords in an encrypted database on the internet
Like I’m you know, I’m not a security researcher
But the majority of security researchers use password managers and would advocate the use of password managers
The weakness of password managers that we’ll talk about is really implementation detail, right? In theory
They’re very secure. But in practice is auto-filling on a website a good idea?
I suppose it depends on what the website is, you know there is talk of maybe
Invisible forms that get auto-filled and then they capture the passwords, things like this
Let’s first think about what it is that a password manager does and why we would want that right now
We’ve talked about passwords before and the issue really is if your passwords are going to be secure
Generally it is going to be quite hard to remember a lot of them right
Yes, we’ve talked about coming up with a good password
And I think it’s quite plausible to remember one or two very good passwords, but to remember two dozen or three dozen or a hundred
That’s getting a little bit silly. Right? So then your choice is to write them down right or to use the same password all the time
which isn’t a great idea or
To use a password manager and quite simply a password manager is a big list of your passwords encrypted, right?
We usually call it a vault sounds cool
So you have you know Amazon and you have your password for Amazon and then you know
EBay and your Gmail and so on all the different products that you use all the different
passwords that you have and in a lot of password managers
You can store additional information like passport numbers or social security numbers depending on if those things are useful feature to retrieve them
Obviously having this is kind of having all your eggs in one basket
What it’s going to do if someone gets it is unlock everything you have
Because the password manager only makes sense if you use it for everything. Otherwise I kinda don’t know why you would use it at all
So obviously this is going to be encrypted, right?
So this is going to have some kind of encryption on it using some kind of key
And so the real question is, you know, where are we storing this key? Whose key
Is it who has control of this key who can get to this key?
That’s really what it comes down to is whose key is this? Obviously some password managers have cloud storage solutions
Where you can upload passwords off your mobile phone and get them on your laptop and vice versa
Sometimes even share them with other family members things like this. These are kind of those products I’m talking about today
If you have to use a product like KeePass, which is entirely offline
Any cloud storage is on your own back. Then the sort of the security implications are slightly different right in some sense
It’s more secure because you have control over that thing but I would argue back
given what we were going to talk about not a huge amount more secure and at the cost of quite a lot of convenience and
to be honest for the majority of users convenience is important if you don’t get
Convenience out of a password manager you aren’t going to use it effectively and then you’re going to weaken your passwords or use the same
Password and you’ve undermined everything anyway. We’ve encrypted all these passwords with a key. Now
I’m going to talk about how we manage this key and how we
Prevent the server from being able to access these passwords as well and attackers and things like this
I’m going to talk in the general sense, right?
I’m familiar with how things like LastPass and 1Password would work and I’ll sort of nod to them a little bit but I
Want to talk some in general about how password managers do this because they have quite strict requirements
The encryption with KeePass is fairly similar, slightly different algorithms used for encryption
But it doesn’t have the same requirements on security in transit because it’s not in transit, right?
So because you’re using KeePass locally
Really your master password is sufficient to derive a key and to decrypt your data, right?
There’s no issue of what if the server learns your password because there is no server. The first important thing to know about
Password managers cloud-based password managers is that they don’t do any decryption or encryption themselves
And all of your vault is encrypted by you at the client side and then sent encrypted to the server
so that’s I mean
That’s a good thing because it means that they don’t hold the key in their database
Which would mean that over sort of a dodgy rogue admin or if it got leaked that will be a huge problem
so really there’s kind of two problems we have to solve right one is how do we
derive a key that the server doesn’t know but we can use and
The other question is how do we convince the server to send us a vault in the first place because in a cloud-based?
Solution this encrypted vault is sitting on a server. I want to say my login
Is this my master password is this please send me my vault so I can decrypt it
But you’ve just sent them the master password isn’t that really bad idea, but that’s the question. We’re going to try and answer
The way this works is we’re going to be deriving keys based off our master password
All right. So all password managers are going to have some kind of master password
Please see them through the part of a video most people’s passwords are not sufficient for use as a master password
It has to be very very good. If it’s any
Variation on the word password or has any of the numbers 1 2 3 4 in order in it, you need to delete those passwords
Maybe delete your account out of shame. Yeah, so
But that’s a different video. We’ve already covered this a lot
All right. So there’s going to be what we’re going to do is we’re going to perform two derivations from this password
We’re going to use it to produce our vault key right using some function, right?
So we’re going to perform some function to turn our master password into a vault key
I’ll try and sort of note differences between different password managers as I go and
We’re also going to use our master password for some kind of authentication mechanism with the server
So what’s going to happen is we’re gonna take our master password. We’re going to authenticate with the server
It’s going to say yes
You are who you say you are but during that process it’s not going to learn what the master password is
It’s going to send us the encrypted vault
We’re going to derive a different vault key and that’s what we’re going to use to decrypt the password locally
We add or remove any passwords we want, we encrypt the vault and we send it back to the server and it gets stored
Now this all seems a little bit implausible. We’ve just logged in using our master password
We’re also decrypting using our master password. This all sounds very fishy
It all sounds like someone just wants all my passwords and they found a way to convince me to put them all on a big
List for them, but actually it’s quite elegant. There’s quite an elegant solution to this
So let’s start with the way that LastPass does it, because it’s fairly common, and then we’ll talk about the differences with, say,
1Password. What LastPass will do is it will produce a master password by appending your email and your master password
so I’m going to call that pass it’ll append them together and it will
hash them and this is going to be a very very strong hash function by a hash function with many many iterations
To prevent it from being brute-forced
We talked a little bit about this during the password cracking video
But the idea is that if you’re going to break a password
You need to guess it a lot of times and the slower that hashing process is the slower
Your guesses are going to be and the longer it’s going to take when you say iterations
Do you mean that it’s hashed over and over again, or..? Basically yes,
you actually use an HMAC to do this and the function is called PBKDF2,
password-based key derivation function, and what it essentially does is it takes your string that you’re hashing, uses
HMAC and iterates it a number of times, and in this case iterates it a hundred thousand times
Right, which is a lot of times. And this is going to produce your vault key
Or at least it’s going to produce sufficient bits from which you can derive a vault key, right?
So your vault key is going to be, I don’t know, a
256 bit AES key or something like this and it’s going to be used to decrypt your vault now
But we don’t have the vault because the vaults on the cloud
So we’re going to take our vault key V, which is this one.
We’re going to append our password again to it. And we’re going to do the same, you know epic hashing function on this
another 100,000 times
You’ll do fewer times on your client and then you’ll do I think it’s five thousand on the client and then it will go to
the server for another hundred thousand or something like this something ridiculous because you know
The server’s got the power to do this
What we’ve done here is we’ve got our vault key and our password in here, which is essentially our primary identifiers
But we’ve hashed them so you can’t get to them and that’s what we’re using to authenticate ourselves
now at the server end that’s going to be salted and hashed as
normal for storing in a database
so there’s no easy mapping for an attacker to get from here back to here because you’d have to
Essentially undo this hash which can’t be done or guess the hash which is incredibly slow because of how many iterations we’re talking about
so what happens is you create you use your master password to derive a vault key and then you use that vault key and your
Password again to derive an authentication key, which is what is used on the server?
So there was no way for the server to extract this vault key because it’s probably lost on the other hand only you have the password
so only you can produce either of these keys. You’re the only one that can request your vault and you’re the only one who can
Encrypt and decrypt your vault good right if your master password is good, right?
Another link to my video. Just keep putting them in.
not not password one then. not password one goodness
No, we’ve been over this and not correct horse battery staple
1Password for example is ever so slightly different. 1Password has a public and private key
Mechanism because they want to be able to share
so your vault is protected by a key and that key is protected by a public key the private component of which is
Encrypted by your master password and 1Password happens to also add another bit of unknown, which is your secret key
which is a device or
Specific thing held on your device the idea being that it makes it a little bit harder for the server to theoretically break your hash
1Password also doesn’t derive an authentication key straight off the master password this way
They use something called a password authenticated key exchange, which is kind of like Diffie-Hellman
But with passwords where your master password is used as part of a handshake with a server to authenticate you instead
The advantage of that being that they have to then break Diffie-Hellman
First before they can begin trying to hash your password. It makes it a little bit harder. The chain of decryption gets quite complicated
Because you have a master password and secret key derived master key, which is used to decrypt your private key
Which is used to decrypt the vault key, which is used to decrypt the vault
Go and animate that
All of this is susceptible to something like malware or key loggers
That’s absolutely so this is in some sense the biggest hindrance with password managers
Is that if you get a key logger or a website where it’s accidentally auto-filled in the wrong place or the implementation
Is not as theoretically sound as the theory is that’s when you’ve got a problem most
Security researchers and people in the security industry would argue that the benefits you get from having a good password mechanism like this
Outweigh the drawbacks of there possibly being a potential breach, right? But it is something, it is something of concern, which is why
Places like 1Password have bug bounty programs
Where if you find an issue you can let them know and they’ll try and fix it nice and quickly
There’s a question of trust. Do you trust these companies?
I suppose I probably do and it’s because their business model wouldn’t make sense if they weren’t trying to be trustworthy, right?
They’ve got one or two agendas, right either
they are trying to store my password securely so that I keep giving them my yearly fee or
they are trying to
Use all my passwords to hack my accounts, in which case there are other ways to do that and it didn’t seem like a very good
Business model. Yeah
But I suppose it’s possible.
I don’t I don’t I don’t lie awake at night worrying about that
There are differences between how the password managers manage their
Different ways of doing authentication and doing the encryption and things because I’m not too worried about them
I think that they all look pretty plausible
and I sort of looked into them and I think
The security industry in general was fairly pleased at how things are going
I think you use the one that works best on your devices and you you know is the price you want and the convenience you
Want and so on. It’s a product at the end of the day