Password Managers (KeePass)

Why You Should Use a Password Manager

  • You don’t need to remember hundreds of passwords
  • You only need to remember one master password
  • You can have different passwords for different websites and don’t need to worry about forgetting them
In-browser based      Commercial based
Google Chrome         Dashlane
Mozilla Firefox       Keeper
Safari                1Password
Microsoft Edge        KeePass

Password Managers Workflow

Difference between automatic autofill and manual autofill

Automatic Autofill:
  • Does not wait for user interaction
  • One click: submit button
  • Vulnerable to various sweep attacks
Manual Autofill:
  • Wait for user interaction
  • Two clicks: select correct account + submit credential
  • More secure

Threats, Attacks and Defences

Redirect Sweep Attacks
  • A redirect sweep attack only works against password managers that autofill automatically. When a target user connects to a Wi-Fi hotspot controlled by an attacker, the attacker tricks the password manager into filling in the password, which is then sent back to the attacker.[2]
  • Defence:
  • An attacker injects JavaScript code into the login page; the injected script reads the filled-in credentials and sends them back to the attacker.[3]
  • Defence:
    • Explicit user interaction to trigger the fill-in action
    • URL matching and form matching
Other Attacks
  • iFrame sweep attack
  • Window sweep attack
  • Attack amplification via password sync
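As an added illustration (not code from this page or from any password manager), the two defences listed above expressed as a fill-in policy: the saved entry's origin must match the page origin exactly, including the scheme (so a hotspot that downgrades https://bank.example to http:// gets nothing), the login form must post back to that same origin, and manual mode refuses to fill without a click. The credential, hostnames and URLs are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import urljoin, urlsplit


@dataclass(frozen=True)
class SavedCredential:
    origin: str      # scheme://host[:port] the credential was saved under
    username: str


def origin_of(url: str) -> str:
    """Normalise a URL to its origin: scheme, lower-cased host and
    explicit or default port. Two URLs match only if these all agree."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or {"https": 443, "http": 80}.get(scheme)
    return f"{scheme}://{host}:{port}"


def should_autofill(cred: SavedCredential, page_url: str,
                    form_action: Optional[str], user_gesture: bool,
                    fill_mode: str = "manual") -> Tuple[bool, str]:
    """Decide whether a password manager may fill `cred` into the page.

    Returns (allowed, reason). The three checks are the defences from the
    text: URL matching, form matching and explicit user interaction."""
    saved = origin_of(cred.origin)

    # 1. URL matching: an http:// page never matches an https:// entry,
    #    which is what a hotspot-based redirect sweep relies on.
    if origin_of(page_url) != saved:
        return False, "page origin does not match saved origin"

    # 2. Form matching: resolve a relative action against the page URL and
    #    refuse to fill a form that would submit to another origin.
    target = urljoin(page_url, form_action or "")
    if origin_of(target) != saved:
        return False, "form submits to a different origin"

    # 3. User interaction: manual autofill waits for the user to pick
    #    the account; automatic mode fills as soon as the page loads.
    if fill_mode == "manual" and not user_gesture:
        return False, "manual mode requires a user click"

    return True, "ok"
```

Note that even the automatic mode is blocked by the origin checks; the user-gesture requirement is what additionally protects against scripts that fire before the user has seen the page.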

Keepass Password Safe

KeePass Password Safe is a free, open-source, lightweight password manager.[4]

Why use Keepass
  • Third party tool
  • Manual autofill (secure)
  • Free and open-source
  • Strong compatibility (it is primarily used on Windows, but it supports all major operating systems, including macOS, iOS, Android and Linux)[5]
  • Lightweight (it does not occupy much of your device's memory)
  • Easy to use (its user interface is clear, so it is easy to manage even for a beginner)
How does KeePass work
  • KeePass stores all the passwords in a database file, which is locked with a master key. [4]
  • The database file is encrypted using well-established, secure encryption algorithms: AES and Twofish.
  • KeePass uses SHA-256 to hash the master key components.
Encryption algorithms
AES

  • It is a symmetric block cipher (the same key is used for both encryption and decryption)
  • It has a long record of protecting sensitive data
    • The National Security Agency (NSA) uses AES encryption to protect its sensitive information [6]
    • Many governments and institutions use AES to protect their data [7]
  • It is hard to brute-force, since it accepts key sizes of 128 bits and more
Twofish

  • It is a symmetric block cipher (the same key is used for both encryption and decryption)
  • Its trade-offs between key-setup time and encryption speed make it unique among the AES candidates [8]
  • There have been a few attacks on Twofish; however, according to its creator, Bruce Schneier, none of them constitutes a true cryptanalysis [9]
  • It is hard to brute-force. Like AES, Twofish supports 256-bit keys, so it is resistant to brute-force attacks [10]
SHA-256

  • SHA-256 is a patented cryptographic hash function
  • It is a keyless hash function that takes an input of any length and produces a fixed 256-bit output that looks random [11]
  • It is computationally infeasible to reconstruct the original input from the hash value.
    • A brute-force attack would need about 2^256 attempts to recover the original input. [12]
  • It is extremely unlikely that two different inputs produce the same hash value.
    • With 2^256 possible hash values, the likelihood of two being the same is infinitesimally, unimaginably small. [12]
  • The avalanche effect.
    • A minor change to the original data changes its hash value drastically, so two similar inputs are very unlikely to produce similar SHA-256 outputs.
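Added example, not KeePass's own code: the composite-key construction described in the "How does KeePass work" bullets (each master-key component hashed with SHA-256, then SHA-256 over the concatenated component hashes), together with a bit count that makes the avalanche effect from the SHA-256 bullets measurable on a one-character password change. It stops at the composite key: the key-transformation rounds and the AES/Twofish encryption of the database that KeePass performs afterwards are omitted, and key-file handling is simplified to the generic case in which the file's contents are hashed. The passwords and key-file bytes are constructed.

```python
import hashlib
from typing import Optional


def hash_component(data: bytes) -> bytes:
    """KeePass hashes each master-key component (password, key file) with SHA-256."""
    return hashlib.sha256(data).digest()


def composite_key(password: str, key_file: Optional[bytes] = None) -> bytes:
    """Build the 32-byte composite key: concatenate the hashed components in
    order and hash the result again with SHA-256. Simplified: a real KeePass
    key file may carry a raw 32-byte key that is used without hashing."""
    parts = hash_component(password.encode("utf-8"))
    if key_file is not None:
        parts += hash_component(key_file)
    return hashlib.sha256(parts).digest()


def hamming_distance(a: bytes, b: bytes) -> int:
    """Number of bit positions in which two equal-length byte strings differ."""
    if len(a) != len(b):
        raise ValueError("inputs must have the same length")
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def avalanche_bits(password_a: str, password_b: str) -> int:
    """How many of the 256 key bits change between two master passwords.
    For unrelated inputs SHA-256 behaves like a random function, so the
    count is expected to sit near 128 even when the inputs differ by one character."""
    return hamming_distance(composite_key(password_a), composite_key(password_b))


if __name__ == "__main__":
    # Constructed sample values, not a real vault's secrets.
    key = composite_key("correct horse battery staple", b"constructed key-file bytes")
    print("composite key:", key.hex())
    print("bits changed by a one-character typo:",
          avalanche_bits("correct horse battery staple", "correct horse battery staplf"))
```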
KeePass Demo
  • How to use KeePass

References

[1] D. Balaban, “Comparing In-Browser-Based, Commercial Password Managers,” eWEEK, 18-Feb-2021. [Online]. Available: https://www.eweek.com/search-engines/comparing-in-browser-based-commercial-password-managers/. [Accessed: 03-Mar-2021].
[2] D. Silver, S. Jana, and D. Boneh, “Password Managers: Attacks and Defenses,” 23rd USENIX Security Symposium, Aug. 20-22, 2014.
[3] “Preventing XSS Attacks through CSS Whitelisting,” MediaWiki. [Online]. Available: https://www.mediawiki.org/wiki/Preventing_XSS_Attacks_through_CSS_Whitelisting. [Accessed: 03-Mar-2021].
[4] D. Reichl, KeePass Password Safe. [Online]. Available: https://keepass.info/. [Accessed: 03-Mar-2021].
[5] “Managing my passwords with KeePass and OwnCloud,” Gabriel’s Tech blog. [Online]. Available: https://www.detassigny.net/posts/3/managing-my-passwords-with-keepass-and-owncloud. [Accessed: 03-Mar-2021].
[6] R. Thomas, “Advanced Encryption Standard (AES): What It Is and How It Works,” Security Boulevard, 24-Apr-2020. [Online]. Available: https://securityboulevard.com/2020/04/advanced-encryption-standard-aes-what-it-is-and-how-it-works/. [Accessed: 03-Mar-2021].
[7] M. Cobb, “What is AES Encryption and How Does it Work?,” SearchSecurity, 17-Apr-2020. [Online]. Available: https://searchsecurity.techtarget.com/definition/Advanced-Encryption-Standard. [Accessed: 03-Mar-2021].
[8] B. Schneier, “The Twofish Encryption Algorithm,” Schneier on Security, Dec-1998. [Online]. Available: https://www.schneier.com/academic/archives/1998/12/the_twofish_encrypti.html. [Accessed: 03-Mar-2021].
[9] “Twofish Encryption: What Is It?,” Choose To Encrypt, 07-Mar-2019. [Online]. Available: https://choosetoencrypt.com/tech/twofish-encryption/. [Accessed: 03-Mar-2021].
[10] D. Miladinović and R. R. Rosario, “Twofish vs AES Encryption,” Cloudstorageinfo.org, 22-Dec-2020. [Online]. Available: https://cloudstorageinfo.org/twofish-vs-aes-encryption. [Accessed: 03-Mar-2021].
[11] “SHA-256 Algorithm Overview,” SolarWinds MSP, 26-Jan-2021. [Online]. Available: https://www.solarwindsmsp.com/blog/sha-256-encryption. [Accessed: 03-Mar-2021].
[12] f4tca7, “Introduction to the SHA-256 hash function,” Steemit. [Online]. Available: https://steemit.com/cryptocurrency/@f4tca7/introduction-to-the-sha-256-hash-function. [Accessed: 03-Mar-2021].