Password managers - how safe are they really?

I know quite a few people who keep all their passwords as well as their bank and credit card info in password manager programs on their computers and smart phones and they seem to have no qualms whatsoever about the security of their information. Yet I’ve read online that password hacking software is now to the point where it can run through over a million possible passwords per second and that even a fourteen character randomized password can be brute forced in 24 hours or so.

So what I’m wondering is why a user’s password manager’s password itself can’t be hacked. This would give access to all the user’s information in one place, including their name and home and office addresses and phone numbers, all their pertinent credit card info, plus bank account access. It seems to me this would make password manager accounts prime ground for hacking activity, but no one I know seems concerned in the least about it and at least a couple of them are quite computer literate.

Like any password, they can be hacked by brute force in theory but it becomes extremely time-consuming and increasingly unlikely if you use a strong password with letters, mixed case, numbers, and special characters. Those types of passwords are not good candidates for a dictionary attack or any other type of brute force attack. The utility of password managers is that you only need to remember one complex password to gain access to all your others. Good password managers use encryption algorithms that make it virtually impossible to decipher their contents without the correct key (password) so other types of attacks against them to reveal their contents typically won’t work either.

I guess the encryption aspect is what I don’t understand. Since hacking software (I’m assuming) tries millions of random character combinations per second, cannot an encrypted password be determined just as easily as an unencrypted password containing only random characters?

For example, my email password was hacked and I was using an 8 character nonsense password that combined numbers and letters. Same with several of my friends and relatives. And these were hacked by relatively benign spammers rather than determined crooks seeking credit card and bank information.

You’re right that having all your passwords in that one basket carries a greater risk that someone could get access to ALL your information. However, I’m skeptical about your statement that a 14-character password can be brute-forced within 24 hours.

I use KeePass, and by default it re-encrypts the data 6000 times. This means that any brute force attack will take 6000 times longer, because it has to go through the decryption process 6000 times for each guess to see if it works. 6000 by the way is the default, and they recommend to set that much higher if you’re using KeePass on a PC only (if you’re using it on a mobile device, you don’t want it to take too long just to open your database).

On my PC, it recommended 450,000 times, which it picked because it corresponds to one second of compute time to open it. My database is still set to 6000 times, so that’s about one millisecond for my PC to open the database. Now let’s say that a supercomputer that a hacker might have is 1,000 times faster, so that means that the hacker could brute force try 3,600,000,000 attempts per hour. With a 14-character password that contains uppercase, lower case, numbers, and ten special characters, that would be 1E26 possible combinations, so it would take that supercomputer three trillion years to go through all those.

Now my password is not 14 random characters so the time to crack is way shorter.

Next, you have to consider that my password database is not widely available. It’s not like somebody can just access it over the Internet - they’d have to get the file from my PC or my encrypted cloud location. Basically, they’d have to come in contact with me, and this also reduces the exposure by a huge amount.

In any case, a password manager is much more secure than the way most people do it, which is having a very limited set of passwords that they use over and over at all their different sites.

Smart authentication systems will:

  1. Add an artificial delay (to prevent “millions per second” attempts)
  2. Lock-out the password if it fails too many times in a row

If you have a Windows machine at work with a password, try entering a wrong password a couple of times-- notice after the first time you can try again instantly, but after the second time you have to wait about 10 seconds? Then about 20 seconds, then about 30 seconds, etc.

Anyway, far more people get hacked because they use the same password on multiple services, and one of those services gets hacked-- once the hacker knows your password hash from service A they can look up your possible passwords for service B in a rainbow table. It’s possible in theory to brute force passwords, but if you want passwords it’s not a very efficient way to get them.

Path of Least Resistance. Otherwise known as if the both of us are out in the woods being chased by a grizzly bear I don’t have to outrun the bear, I just have to outrun you. If your tablet is stolen and it contains a password safe, how likely is it the thief is going to take the time and make the effort to try and crack your password safe for some unknown access, or just trash it and steal another one that doesn’t have a password safe? Unless the thief is part of a much larger crime organization where they can pass off the password safe for someone else to crack, it’s not worth their time.

Also don’t assume that all hackers are created equal, nor are their methods. You can read/hear all about how fast someone can crack a code but those generalized comments are often misleading. Many hacked acounts were hacked not because of the expertise of the hacker so much as the ineptitude of the owner of the account that was hacked. Many (most?) do not even spend the time to create secure passwords nor access their accounts from secure locations every time without exception.

You say your email password was hacked. How so? A personal email account at you own? A generic gmail or yahoo email account? A work account? Do you access your email from a variety of devices? Do you have personal control all the time of these devices or are they shared, or worse, use an Internet cafe for access?

I have an encrypted Flash drive (encrypted with TrueCrypt) that contains my password safe. My TrueCrypt password is more than xx characters. Same for my KeePass password safe password. Overkill you say? Define overkill when a password safe is an electronic Achilles Heel to one’s life. In my case it contains personal and work account information. For my work access we use two-stage authentication so even if you somehow managed to obtain the account and password, you still would not get in.

That’s true if you’re using the application to open it, but what if the cracking program is working on the data directly, not using the password manager’s UI? For example, KeePass is open source, so it can’t add artificial delays or lock it out. The way KeePass handles #1 is (as I mentioned a couple of posts ago) to go through the encryption a whole bunch of times, which multiplies the compute resources required. Unfortunately, there’s no way to lock it out after a number of failed attempts.

By the way, this thread has inspired me to increase my KeePass database’s number of encryptions, from 6000 to 750,000. My iPhone can still open it within about a second.

I can’t accept that your email password was cracked by brute force. With eight random numbers and letters, even if the letters are all lower-case, that’s still about three trillion combinations. Do you think that they had a program that attempted to log into your email a trillion and a half times before stumbling across your password?

I think it’s MUCH more likely that your account was hacked via a different method, like Duckster mentioned.

I don’t know to this day how it was attacked. I was using a password at the time that consisted of two lower case letters followed by four numbers followed by two more lower case letters.

I discovered the problem when I started getting messages from people asking if I’d sent the spam they’d received which was coming from my email address. I knew enough by that time to know that my account (hotmail, btw, and used fairly carelessly by the standards we’re talking about - I’d just log in from wherever I happened to be, whether my own laptop or iPhone, and/or from a public Wi-Fi hotspot when I was still using my iPod touch) had been hacked and so I went in and changed my password, which so far has solved the problem.

Most of the people I’ve known who had their email accounts hacked were operating under similar circumstances. None of us are particularly computer literate when it comes to more than merely operating operating our computers in order to do the things we want to do on them, and I doubt that it occurred to any of us to take special precautions whilst logging into our hotmail/Yahoo/gmail etc. accounts. All of us who’ve had problems have had them with our accounts on these services, and accessed I’m sure from a variety of devices and locations.

Now apart from that let me thank you all for the interesting and informative information you’ve provided. I was unaware that some of these programs employed multiple (let alone thousands) of encryptions and/or lockdowns/slowdowns in the event of several false attempts. I can see now how much time and trouble hacking into these accounts would be. Thus I’ll probably bite the bullet now and get one for myself.

If a password for an account like Hotmail was stolen, it could have been a result of an imposter site designed to look like Hotmail. Sometimes, these are paired with an e-mail that looks like Hotmail sent it - often saying something like “In order to continue using Hotmail, please click here and log in to verify your identity.” The link doesn’t go to the real Hotmail website and when you enter your password on that site, you’ve now unwittingly given it away.

This is part of why brute-forcing passwords is not very common. Most of the time, it’s easier to go phishing, where you fool people into revealing their passwords to you.

A lot of hacking of modern, encrypted passwords isn’t through brute force. I think dictionary attacks and brute force attacks are still used just because there are a lot of really shitty systems out there that continue to be vulnerable to these attacks. To someone working as an independent hacker looking to sell hacked information on the black market it can be worthwhile to try these methods.

But from what I can see, the big well known hacks seem to happen in the following ways:

  1. Social engineering. This is a term security experts will use with a bit more precision than me, but basically using a combination of “public” and “easily discernable” information about someone at X target a hacker deduces a password. You’re not protected just because you don’t have a lot of public information, a good social engineer can waltz into a site as a maintenance man or make a phone call to a secretary and use conversational techniques to get personal details about people. Then they try out a few names of worker’s children as passwords or birthdates or etc and they’re in. Good social engineering can even get you physical access to offices and such, which can mean you can take note of passwords people have written on post it notes and etc.

  2. Bypassing security. Imagine there’s a vault with the world’s most intricate, complicated tumbler lock. The best master locksmith in the world could never pick this lock in a thousand years of trying. That’s about the equivalent of top shelf encryption these days, it’s very difficult to impossible to brute force. But imagine this lock is seated in the door of the vault with four standard flat head screws. Take a standard flathead screwdriver and you can unscrew the lock and remove it from the door, then you have direct access to the inner workings of the vault door which allow you to easily open it. Real vaults would never designed that way. It’s akin to spending $100,000 on a lock for a cardboard box.

In the technology world, there are lots of situations akin to this. Most major companies use all the best industry standard encryptions, but the morons who developed their corporate websites left them vulnerable to SQL injection attacks, various scripting attacks like cross-site scripting etc that allows someone who has the right tools (“the screwdriver”) to get through your security by not even needing to get through the authentication system or know any password or crack anything. I believe Sony, when it was famously hacked either last year or the year before, it all started with a SQL injection vulnerability on their website. Sony was certainly using all of the industry standard security techniques, but it was all housed in a poorly designed web application that could be easily breached with SQL injection.

I think probably 75-90% of the Anonymous and LulzSec hacks I read about involve SQL Injection, a technique college professors have taught students about since at least the 1990s and that is so widely known even non-technical people like myself is aware of it and even some of the fundamentals of how it works.

  1. Keyloggers. A keylogger is just a malicious script or program that gets onto your computer (this can happen just by browsing to a website that runs a script that puts a keylogger on your computer, often through known exploits in your browser’s security that are only rectified through patches and keeping up to date), it records every keystroke you make and periodically sends this data back to the originator. You can be putting your passwords all into a pretty well protected password manager like KeePass or LastPass but if a keylogger can just record your plaintext passwords there’s really no protection at all. Keyloggers are probably one of the most common techniques used to hack “ordinary people.”

One of the best ways to defeat keyloggers is to utilize the features in programs like KeePass that allow you to enter passwords using the copy/paste functionality so you aren’t directly entering passwords. For important accounts it’s good if the entity you have an account with offers an RSA type two-factor authentication tool–that protects you even if someone knows your password and user ID because it is functionally impossible to get into your account without the physical RSA tool.

  1. Phishing. Someone sends you a phony email link to a website that looks really similar to your bank’s website or something, you enter your login information thinking you’re logging in to your bank but instead you’ve just given a hacker your credentials for your banking website.

Not arguing whether you were or were not hacked, but remember that SPAM mail appearing to come from your address does not necessarily imply you have been hacked. It could also mean someone has been forging mail headers.

Good point, Canadjun, although in my case I feel fairly certain that the account itself had been hacked as the rogue emails stopped once I changed my password.

And Martin, thanks to your too for your very informative post. All you guys have given me insight into key aspects of encryption security that I wasn’t aware of and I appreciate your taking the time and trouble to do so.

Just a little quibble: The program wouldn’t have to go through all trillion and a half combinations. It could stop trying when it hit the right combination. If they were really lucky, they could stumble upon it after two or three tries (in which case, their time could be better spent playing the lotto). If it were known that they wouldn’t stumble upon the right combination until try number 1.5 trillion, they could just skip the first 1.499999999 trillion combinations and just go right to the last one.

You are correct in a sense. It’s the size of the password that matters here, not the strength of the encryption. But you’re underestimating the scope of the problem.

Let’s say you can brute-force millions of attempts per second. And the target password is 14 random lowercase letters, no punctuation or numbers. It’ll still take you a trillion years or so to brute-force that one password.

Martin Hyde is spot on. Brute forcing is almost never the attack vector. There are many other methods that are (literally!) trillions of times more efficient.

Most email hacks do not try to brute force the password on your email account (incredibly impractical). Instead, they use one of the following methods:

  1. Compromise a less secure website where you would have an account. Try every email & password from this website, send spam from all accounts where this works. Requires you to have used the same password on a different website. By far the most common. Password safes mitigate this type of attack by making is easy to use a different, complex password on all websites.

Edit to add: there is often brute forcing involved in #1 - often the passwords stolen are hashed, and thus you need to attempt to find the passwords using whatever hash function the site used. A long enough & complex enough password can help here if the site used a secure enough hash function - the attackers won’t generally get passwords not based on dictionary words/not short enough if that is the case because it would just take too long.

  1. Keylogger or other interception when typing your password on a compromised system. Could be malware on your computer, malware on a public computer like at the library, or accessing an account with the same email & password without using encryption over public wifi or on a public network.

  2. Reset your password using easily discoverable “personal” information via web searches, facebook, etc. Some webmails allow you to reset the password & access your account using what amounts to a second set of way less secure passwords such as “what is your mother’s maiden name” and “what was the name of your first pet ?”. It is no accident that some of the stupid “poll” apps on facebook ask basically the same set of questions.

I had noted that there were three trillion possible combinations, so as a rough guess it’s reasonable to think you’d have to get halfway through (1.5 trillion of them) before stumbling across the right one. Sure, it’s possible to stumble across it on your first try, but the halfway-through estimate gives you a good order of magnitude of the problem.

Also depends on where they were used. If you’re using your email on a phony “free wifi” in a public place, especially an airport, you’re leaving yourself wide open to having your information stolen. My parents went through this. Trusted a ‘free wifi’ network in an airport in Europe. Father’s email password and contacts (from that email) stolen. We all got phony “Help we’re trapped in a hotel until you send us money!” emails.

That was three years ago, and we still occasionally get false-flag emails spoofing one another’s email addresses asking us to click on links (that cause our virus scanners to start screaming).

So they didn’t necessarily need to brute force hack your email password. They just needed you to use it over a phony wifi network, or listen in to the traffic when you used a public network.

Slight digression: Are passwords and such still being broadcast unencrypted when you log in over an ssl connection? Or is this done through a man-in-the-middle attack?

It depends. Check your email settings – if you’re using port 25 for SMTP (outbound) and port 110 for POP3, the likelihood is you’re sending your mail credentials unencrypted.

There will be a setting that says something like “Use SSL” and if your ISP supports that, you should be using it.