Explore the security vulnerabilities of popular password managers in this 41-minute RSA Conference talk. Dive into the intricacies of how master passwords and stored secrets are handled during different states of password manager operation, including when logged out or locked. Examine the anatomy of password managers, their workflow, and terminology. Analyze security guarantees in various states such as "Not Running" and "Running:Unlocked." Witness demonstrations of attacks on password managers in different states, including a specific demo attack on 1Password in the "Running:Locked" state. Learn about a Windows bug discovery affecting LastPass and its mitigation. Gain insights into applying this knowledge for improved security practices and understand the implications for future password manager development.
Extracting Secrets from Locked Password Managers
Overview
Syllabus
Intro
Agenda
Background
Password Manager Research Timeline
Anatomy of a Password Manager
Workflow Overview
Password Manager Terminology
Password Manager States
"Not Running" State Security Guarantees
"Running:Unlocked" State Security Guarantees
Attacks on "Not Running" Password Managers
Attacks on "Running:Locked" Password Managers
Demo Attack - Running:Locked (1Password)
Windows Bug Discovery
LastPass (Windows bug mitigation)
Mitigation is helpful (for us)
Attacks on "Running:Unlocked" Password Managers
Attacks on "Running:Unlocked" Summary
Apply What You Have Learned Today/Going Forward
RSAConference 2020
Taught by
RSA Conference
Related Courses
-
Session Identifier are for Now, Passwords are Forever - XSS-Based Abuse of Browser Password Managers
-
The Emperor’s New Password Manager - Security Analysis of Web-based Password Managers
-
Tailored, Machine Learning-Driven Password Guessing Attacks and Mitigation
-
IPC - The Broken Dream of Inherent Security
-
Why People - Don't - Use Password Managers Effectively
