Keep Calm And Use A Password Manager!
You may have seen news about a recent research paper exposing some vulnerabilities in four of the most popular password managers on the market. Some of the reporting on this can seem scary. Does this mean password managers are dangerous?
The quick answer is, of course, a resounding "no".
We are all better off using even those password managers than not using any password manager. The risks from not using a password manager are FAR bigger and more likely than the risks from the attacks in this research paper.
Using a password manager is far and away the #1 best thing every normal user can do to protect their data and accounts. The threat from weak and reused passwords is orders of magnitude more common and easy to exploit than any threat from this paper. The only good way to improve your password security, and fortunately it is a super easy way, is to use a password manager.
Really, I can't repeat this enough: Keep Calm And Use A Password Manager!
So, is this research wrong or useless? No, not that either! This research looks at four of the most popular password managers on the market, and asks the question "what can an attacker that has control over your device learn?". Specifically, the research focuses on using memory forensics to get access to password data that the apps have placed in your device's memory as part of the normal working of the app.
The vendors of those apps have responded with different variants of saying that this is an unfair question. There is some truth to this position. Protecting any data against an attacker who has already installed fully privileged malware on your device is extremely hard. Protecting memory in use is even harder. If the attacker is persistent enough, almost any protection can be broken.
In fact, many protections can be broken by already-running malware much more easily than by using memory forensics. Memory forensics is a fancy attack which looks impressive, but it is far from the first or easiest thing that will be attempted by a normal attacker. For example, the malware can install a key-logger and wait for you to type in your master password. The malware can watch the device's clipboard (where you copy and paste) and wait for you to copy one of your passwords to log in to an account.
It is all true: if your device is infected, you are already having a bad time. This truth is independent of your password manager. That all said, we disagree with jumping from that truth to the conclusion that there is nothing a password manager can or should do to protect against this kind of attack. Any security software has to assume that the host is compromised and still try to do the best it can.
We all know that a skilled burglar with enough time and money can invade any home. Does that mean we throw our hands in the air and don't bother locking our doors, closing our windows, setting alarms, or otherwise trying to make a burglar's life difficult? Of course not.
Real world security - whether for your home or for your digital life - is not about being perfect against every possible attacker imaginable. Real world security is like the old joke about how to survive a bear attack when you are in the forest with a friend - you only need to run faster than your friend! While this is not very nice - and I hope none of us would ever have that attitude towards anyone, let alone a friend! - the point is that in security we try to frustrate the attacker as much as practically possible, and there is value to adding roadblocks to attackers even when they are not perfect. It is called "defense in depth".
Coming back to the research, the paper highlights two areas where the tested password managers are really not doing enough to frustrate attackers. In order of badness: first, some are leaving plain-text passwords in your computer memory even when the app is supposed to be "locked"; second, some are putting your whole plain-text password database into memory the moment you unlock the app.
Both of these issues are clearly Not Good ™, and not what you would hope to see from a security company. Yes, there will always be something in memory at some point, but the researchers are totally right that for a password manager the "something" should be kept to an absolute minimum in both scope and time. And the researchers have shown that is unfortunately far from the case for these apps.
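To make the "minimum in scope and time" point concrete, here is an added illustration (not code from the paper or from any of the tested products, and not F-Secure KEY's implementation) of a hypothetical in-memory vault that wipes every secret byte on lock and exposes a forensic-style check for residue. The entry names and sample values are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical vault: holds a few plain-text entries only while unlocked. */
#define MAX_ENTRIES 4
#define ENTRY_LEN   64

typedef struct {
    char secrets[MAX_ENTRIES][ENTRY_LEN];
    int  unlocked;
} vault_t;

/* memset() routed through a volatile function pointer so the compiler cannot
 * treat the final store as dead and drop it (a plain memset on a buffer that is
 * never read again is routinely optimised away). Where available, memset_s or
 * explicit_bzero are the platform-provided equivalents. */
static void *(*volatile wipe_fn)(void *, int, size_t) = memset;

static void secure_wipe(void *p, size_t n) { wipe_fn(p, 0, n); }

/* Simulated unlock: constructed sample secrets stand in for decrypted entries. */
void vault_unlock(vault_t *v) {
    const char *sample[MAX_ENTRIES] = {"hunter2", "correct-horse", "", ""};
    for (int i = 0; i < MAX_ENTRIES; i++) {
        strncpy(v->secrets[i], sample[i], ENTRY_LEN - 1);
        v->secrets[i][ENTRY_LEN - 1] = '\0';
    }
    v->unlocked = 1;
}

/* Lock must leave nothing recoverable: every byte of every entry is zeroed,
 * not just the used prefix and not just the entry last looked at. */
void vault_lock(vault_t *v) {
    secure_wipe(v->secrets, sizeof v->secrets);
    v->unlocked = 0;
}

/* Forensic-style check: count non-zero bytes across the whole secret region. */
int vault_residue_bytes(const vault_t *v) {
    const uint8_t *p = (const uint8_t *)v->secrets;
    int count = 0;
    for (size_t i = 0; i < sizeof v->secrets; i++) count += (p[i] != 0);
    return count;
}

/* Scenario helpers: residue while unlocked (the secret bytes) and after lock. */
int demo_residue_while_unlocked(void) {
    vault_t v; memset(&v, 0, sizeof v); vault_unlock(&v);
    int r = vault_residue_bytes(&v); vault_lock(&v); return r;
}
int demo_residue_after_lock(void) {
    vault_t v; memset(&v, 0, sizeof v); vault_unlock(&v); vault_lock(&v);
    return vault_residue_bytes(&v);
}
```

The residue check is the kind of test a vendor can run against its own locked state; a non-zero count after lock is exactly the first finding the paper describes.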
F-Secure KEY does not leave passwords in memory when the app is locked, nor do we place the whole database into memory, except in some specific use cases where it is currently required.
Are these problems the end of the world? Definitely not. Has F-Secure made similar mistakes in the past? Unfortunately, yes. Is F-Secure KEY perfect and free from sin? Absolutely not. Every software developer, even people who live security, makes mistakes sometimes. The important thing is that we all fix and learn. That starts with having the right attitude.
I want to give you an idea of what the right attitude looks like, an attitude that has helped us win an unprecedented 6 Best Protection Awards in 8 years from the independent AV-Test organization. Over the last two days a large number of people in F-Secure have been discussing this paper and its implications for our products.
What is striking in these discussions is how obsessed we all are about making sure our products really are doing everything possible to protect our users, and making sure whatever we say publicly on this subject is absolutely honest.
We checked each of the issues raised in detail. If anything, our assumption has been that we are probably wrong too, and maybe even worse! Even when we saw that in fact we happen to not be vulnerable to the worst things in the paper, our focus was entirely on all the ways we can still do better to protect our users. We have dozens of new ideas for ways to make our products even more frustrating for attackers, ways to run from that bear even faster. Some of these ideas will surely appear in coming versions.
It is this attitude that gives us the best chance to constantly improve our security and to make sure that we are meeting our responsibility and our mission to protect our users. It is also this attitude that makes some jokingly call us "Finland's best kept secret", because if we are not perfect, if we know there are still ways to attack us (even if very unlikely cases and even if we are doing better than most), do we really have the right to boast?
I think it is a very Nordic attitude, and I would not change it for the world! Even if sometimes it means we say less than we could. Even if sometimes it means we miss out on using opportunistic news stories to showcase our strengths. The right dose of paranoid humility, and of telling the truth even when that truth does not 100% suit us - that is our strength. That is how we have been making attackers unhappy since 1988, and how we will strive to frustrate them more and more.
And just in case you forgot - keep calm and use a password manager!