Security of Password Vaults of Password Managers

Analysis of Security Vulnerabilities in the Password Vaults of Password Managers

  • Received : 2018.06.01
  • Accepted : 2018.09.20
  • Published : 2018.10.31


As the number of services offered on the Internet grows exponentially, password managers, which store many passwords in an encrypted database (a password vault), are increasingly popular applications. Browser-integrated password managers and locally installed password managers store the password vault on the user's device. Although a web-based password manager stores the password vault on a cloud server, a user can store the master password used to sign in to the cloud server on her device. An attacker who steals a user's encrypted vault from the victim's device can mount an offline attack and, if successful, every password in the vault is exposed to the attacker. This paper investigates the vulnerability of the password vault stored on the device and develops attack programs to verify that vulnerability.

As the use of websites grows, the use of password managers, which encrypt passwords and store and manage them in a database, is increasing. Browser-based password managers and locally based password managers store the encrypted database on the local computer. A web-based password manager stores the encrypted database on a cloud server, but the user can store the master password used to access the cloud server on the local computer. If an attacker steals the password database from the user's computer and succeeds in decrypting it, there is a serious problem in that all of the user's passwords are exposed. This paper presents a procedure for analyzing the security vulnerabilities of a password vault stored on the local computer, presents scenarios for attacking the password vault, and confirms the security vulnerabilities of the password vault by developing attack programs and attacking it.


[Figure] Fig. 1. Security of Password Vaults

[Figure] Fig. 2. Format of Chrome password vault

[Figure] Fig. 3. BLOB HEX data

[Figure] Fig. 5. Overall operation of LastPass

[Figure] Fig. 4. Login option of LastPass

[Figure] Fig. 6. Format of LastPass password vault

[Figure] Fig. 7. Decryption of LastPass master password

[Figure] Fig. 8. Decryption of AES-CBC encrypted password

[Figure] Fig. 9. KeePass Key generation

[Figure] Fig. 10. Encryption for the verification of user's master password

[Figure] Fig. 11. Attack scenario on a Chrome password vault

[Figure] Fig. 12. Flow chart of the HPassChrome

[Figure] Fig. 13. C++ pseudo code of HPassChrome

[Figure] Fig. 14. Execution result screen of the HPassChrome

[Figure] Fig. 15. Attack scenario on a LastPass password vault

[Figure] Fig. 16. Flow chart of the HPass

[Figure] Fig. 17. C# pseudo code of HPass

[Figure] Fig. 18. Execution result screen of the HPass

[Figure] Fig. 19. Extraction of a crackable hash from a KeePass database

[Figure] Fig. 20. Brute force attack by using the hashcat

[Figure] Fig. 21. Decryption of a KeePass database

[Table] Table 1. Vulnerability analysis of password vault

[Table] Table 2. Location and format of Chrome password vault

[Table] Table 3. Location of provider and master GUIDs

[Table] Table 4. Location and format of LastPass password vault

[Table] Table 5. KeePass database fields

[Table] Table 6. Vulnerability Comparison of Password Managers

