I had cause to think about remote Password Managers last week. My conclusions and notes.

  1. They are an attractive target, and if on the internet easy to reach
  2. They lengthen the code paths and thus increase the attack surface.
  3. They provide little defence against operating system & browser vulnerabilities and zero defence against social engineering or court ordered remediation.
  4. They ease the use of complex and strong passwords; they can through indirection ensure that real keys are not known (and thus contradict my statement that they cannot protect against social engineering attacks).

Links

  1. https://www.schneier.com/blog/archives/2014/09/security_of_pas.html
  2. https://www.theregister.co.uk/2017/02/28/flaws_in_password_management_apps/

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.