Browse > Article
http://dx.doi.org/10.13089/JKIISC.2018.28.5.1047

Security of Password Vaults of Password Managers  

Jeong, Hyera (Sogang University)
So, Jaewoo (Sogang University)
Publication Information
Journal of the Korea Institute of Information Security & Cryptology / v.28, no.5, 2018 , pp. 1047-1057 More about this Journal
Abstract
As the number of services offered on the Internet exponentially increases, password managers are increasing popular applications that store several passwords in an encrypted database (or password vault). Browser-integrated password managers or locally-installed password managers store the password vault on the user's device. Although a web-based password manager stores the password vault on the cloud server, a user can store the master password used to sign in the cloud server on her device. An attacker that steals a user's encrypted vault stored in the victim's device can make an offline attack and, if successful, all the passwords in the vault will be exposed to the attacker. This paper investigates the vulnerability of the password vault stored in the device and develops attack programs to verify the vulnerability of the password vault.
Keywords
Password Manager; Password Vault; Vulnerability Analysis; Password Decryption; Password Attacks;
Citations & Related Records
연도 인용수 순위
  • Reference
1 M. Golla, B. Beuscher, and M. Durmuth, "On the security of cracking-resistant password vaults," in Proc. ACM SIGSAC Conference on Computer and Communications Security (CCS), pp. 1230-1241, Oct. 2016.
2 R. Chatterjee, J. Bonneau, A. Juels, and T. Ristenpart, "Cracking-resistant password vaults using natural language encoders," in Proc. IEEE Symposium on Security and Privacy, pp. 481-498, May 2015.
3 S. Huber, S. Arzt, and S. Rasthofer, "Extracting all your secrets: Vulnerabilities in android password managers," Hack In The Box Security Conference, pp. 1-50, Apr. 2017.
4 S. Huber, S. Rasthofer, and S. Arzt, "Bypassing android password manager apps without root," DEF CON, pp. 1-58, Jul. 2017.
5 Z. Li, W. He, D. Akhawe, and D. Song, "The emperor's new password manager: Security analysis of web-based password managers," in Proc. USENIX Security Symposium, pp. 465-479, Aug. 2014.
6 X. Li and Y. Xue, "A survey on server-side approaches to securing web applications," ACM Computing Surveys, vol. 46, no. 4, pp. 1-29, Apr. 2014.
7 D. Silver, S. Jana, D. Boneh, E. Chen, and C. Jackson, "Password managers: Attacks and defenses," in Proc. USENIX Security Symposium, pp. 449-464, Aug. 2014.
8 M. Blanchou and P. Youn, "Password managers: Exposing passwords everywhere," Whitepaper, iSEC partners, pp. 1-6, Nov. 2013.
9 K. Bhargavan and A. Delignat-Lavaud, "Web-based attacks on host-proof encrypted storage," in Proc. USENIX Workshop on Offensive Technologies, pp. 1-8, Aug. 2012.
10 SQLite, "DB Browser for SQLite," http://sqlitebrowser.org, Mar. 2018.
11 NAI Labs, "Windows Data Protection", https://msdn.microsoft.com/en-us/library/ms995355.aspx, Oct. 2001.
12 E. Burzstein and J. M Picod, "Recovering windows secrets and EFS certificates offline," in Proc. USENIX Workshop on Offensive Technologies, pp. 1-9, Aug. 2010.
13 LastPass, "Technical Whitepaper," http://enterprise.lastpass.com, pp. 1-20, Mar. 2018.
14 KeePass Password Safe, "KeePass Password Safe," https://keepass.info,Apr. 2018.
15 H. Zhang, J. Hong, and J. Hu, "Analysis of encryption mechanism in KeePass Password Safe 2.30," in Proc. IEEE International Conference on ASID, pp. 1-4, Sep. 2016.
16 John the Ripper suite, "keepass2john. py - Python module to extract a hash from KeePass databases," https://gist.github.com, Apr. 2018.
17 Hashcat, "hashcat-advanced password recovery," http://hashcat.net/hashcat, Apr. 2018.
18 P. Gasti and K. B. Rasmussen, "On the security of password manager database formats," in Proc. European Symposium on Research in Computer Security, pp. 770-787, Sep. 2012.
19 Python module to read KeePass, "libk eepass - Python module to read Kee Pass files," available from https://gist.github.com, Apr. 2018.
20 J. Bonneau, C. Herley, P. C. van Oorschot, and F. Stajano, "The quest to replace passwords: A framework for comparative evaluation of web authentication schemes," in Proc. IEEE Symposium on Security and Privacy, pp. 553-567, May 2012.