Fig. 1. Security of Password Vaults
Fig. 2. Format of Chrome password vault
Fig. 3. BLOB HEX data
Fig. 4. Login option of LastPass
Fig. 5. Overall operation of LastPass
Fig. 6. Format of LastPass password vault
Fig. 7. Decryption of LastPass master password
Fig. 8. Decryption of AES-CBC encrypted password
Fig. 9. KeePass Key generation
Fig. 10. Encryption for the verification of user's master password
Fig. 11. Attack scenario on a Chrome password vault
Fig. 12. Flow chart of the HPassChrome
Fig. 13. C++ pseudo code of HPassChrome
Fig. 14. Execution result screen of the HPassChrome
Fig. 15. Attack scenario on a LastPass password vault
Fig. 16. Flow chart of the HPass
Fig. 17. C# pseudo code of HPass
Fig. 18. Execution result screen of the HPass
Fig. 19. Extraction of a crackable hash from a KeePass database
Fig. 20. Brute force attack by using the hashcat
Fig. 21. Decryption of a KeePass database
Table 1. Vulnerability analysis of password vault
Table 2. Location and format of Chrome password vault
Table 3. Location of provider and master GUIDs
Table 4. Location and format of LastPass password vault
Table 5. KeePass database fields
Table 6. Vulnerability Comparison of Password Managers