Security Analysis of Some Password Managers

A number of password managers use a master password to protect the stored data, but not all of them meet the requirements of the second generation, even though some of them claim "military grade" encryption. The security design of most password managers has not been published, so I can only take a close look from the limited public information. Let's check out the 2016 report from TeamSIK, who did a great job helping password managers improve their design and implementation.

It is concluded that some of them did not qualify as second generation at that time. The report is years old and all the vulnerabilities it lists have since been fixed, so this does not mean those password managers fail to meet or surpass the second-generation requirements now.

On My Passwords, the report says:

"The app stores an encrypted version of the user's master password ("master_key") in the shared preferences file. With these two values, it is possible to reconstruct the user's master password and log into the app. The attacker can thus extract all of the user's stored passwords."

My Passwords used a weak self-designed crypto algorithm to encrypt and save the master password. It violated rule 3, "Never save the master password, in any form."

SIK-2016-021 on Mirsoft Password Manager:

"The master password is stored in an insecure way. The password is encrypted, but the key for this encryption is part of the application code (equal on all devices)."

Mirsoft Password Manager encrypted and saved the master password, and it was easy to obtain. Because the key is a constant in the application code, anyone who can read the shared preferences file and decompile the APK has both the ciphertext and the key; the encryption is obfuscation, not protection.

SIK-2016-022 on LastPass Password Manager:

"The master key and the PIN are symmetrically encrypted and stored in a shared preferences file in the local app folder."
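To make the difference concrete, here is an added example (my own code, not from the TeamSIK report nor from any of the apps it covers) that models both designs in Python: storing the master password under a key that is a constant in the application code, versus storing only a random salt, a slow-KDF verifier and a vault key wrapped under a KDF-derived key. The constant APP_EMBEDDED_KEY, the sample password and the HMAC-SHA256 counter-mode stream cipher standing in for the apps' real ciphers are assumptions for illustration, and the shared preferences XML file is modelled as a dict.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional, Tuple

# Design 1: the pattern the advisories describe. The master password is written
# to shared preferences "encrypted", but the key is a constant baked into the
# application code: identical on every device and recoverable from the APK.
APP_EMBEDDED_KEY = b"constant-key-shipped-inside-apk!"  # hypothetical placeholder


def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Symmetric encrypt/decrypt: XOR data with an HMAC-SHA256 counter keystream.

    Stands in for whatever cipher a real app uses (e.g. AES via javax.crypto on
    Android). The weakness discussed here is where the key comes from, not the
    cipher. Unauthenticated; a production app should use AES-GCM instead.
    """
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        keystream = hmac.new(key, nonce + block_no.to_bytes(4, "big"), hashlib.sha256).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(b ^ k for b, k in zip(chunk, keystream))
    return bytes(out)


def insecure_save(master_password: str) -> Dict[str, str]:
    """Write the master password to 'shared preferences' (dict standing in for the XML)."""
    nonce = os.urandom(16)
    ciphertext = stream_xor(APP_EMBEDDED_KEY, nonce, master_password.encode("utf-8"))
    return {"master_key": ciphertext.hex(), "nonce": nonce.hex()}


def attacker_recover(prefs: Dict[str, str], key_from_apk: bytes) -> str:
    """Attacker with a copy of the prefs file (device backup, root, or a malicious app
    on a rooted device) and the constant pulled from the decompiled APK decrypts the
    master password outright; no guessing is needed."""
    return stream_xor(key_from_apk, bytes.fromhex(prefs["nonce"]),
                      bytes.fromhex(prefs["master_key"])).decode("utf-8")


# Design 2: rule 3, "never save the master password, in any form". The prefs file
# holds only a random salt, a slow-KDF verifier and the vault key wrapped under a
# KDF-derived key. Neither the file nor the APK yields the password; an attacker is
# reduced to offline guessing at full KDF cost per guess.
KDF_ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 count per OWASP (2023) guidance


def derive_keys(master_password: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Return (kek, verifier): two independent halves of a 64-byte PBKDF2 output."""
    km = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, KDF_ITERATIONS, dklen=64)
    return km[:32], km[32:]


def secure_setup(master_password: str) -> Tuple[Dict[str, str], bytes]:
    """First run: create a random vault key; store only salt, verifier and wrapped key."""
    salt = os.urandom(16)
    kek, verifier = derive_keys(master_password, salt)
    vault_key = os.urandom(32)
    wrap_nonce = os.urandom(16)
    prefs = {
        "salt": salt.hex(),
        "verifier": verifier.hex(),
        "wrap_nonce": wrap_nonce.hex(),
        "wrapped_vault_key": stream_xor(kek, wrap_nonce, vault_key).hex(),
    }
    return prefs, vault_key


def secure_unlock(prefs: Dict[str, str], candidate: str) -> Optional[bytes]:
    """Recompute the KDF, compare the verifier in constant time, unwrap the vault key."""
    kek, verifier = derive_keys(candidate, bytes.fromhex(prefs["salt"]))
    if not hmac.compare_digest(verifier, bytes.fromhex(prefs["verifier"])):
        return None
    return stream_xor(kek, bytes.fromhex(prefs["wrap_nonce"]), bytes.fromhex(prefs["wrapped_vault_key"]))


def offline_guess(prefs: Dict[str, str], candidates: Iterable[str]) -> Optional[str]:
    """All the attacker has left against design 2: try passwords, paying the KDF cost
    each time. A weak master password is still recoverable this way, which is why
    the KDF cost and the password strength both matter."""
    for guess in candidates:
        if secure_unlock(prefs, guess) is not None:
            return guess
    return None


if __name__ == "__main__":
    password = "correct horse battery staple"  # constructed sample
    leaked = insecure_save(password)
    print("design 1, attacker recovers:", attacker_recover(leaked, APP_EMBEDDED_KEY))
    prefs, vault_key = secure_setup(password)
    print("design 2, prefs contain only:", sorted(prefs))
    print("design 2, correct unlock:", secure_unlock(prefs, password) == vault_key)
    print("design 2, wordlist guess:", offline_guess(prefs, ["123456", "password"]))
```

In design 1 the prefs file plus the APK is a complete decryption kit, which is exactly what the advisories above describe. In design 2 the same two artifacts give the attacker nothing but the ability to test guesses at KDF cost, so the residual risk is the user's choice of master password; on Android the wrapped vault key should additionally be encrypted with an authenticated cipher such as AES-GCM from javax.crypto rather than the illustrative stream cipher used here.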