this post was submitted on 20 Jun 2023
7 points (100.0% liked)

Technology

5 readers
1 users here now

Computers, phones, AI, whatever

founded 1 year ago
MODERATORS
 

Lately I've been increasingly worried about corrupted payloads of even open source password managers. Password managers are among the world's biggest honeypots. Maybe you trust the coders of the password manager. Maybe it's Open Source. But do you trust all of its upstream dependencies? And all their CI build processes? And each of their developers' security?

That's part of why I won't use an Electron-based password manager like BitWarden: there's no Electron app with a minimal dependency graph. Even Electron itself could easily fall victim if someone important in the development pipeline is compromised... And besides, Electron sucks anyway.

So, one way I can mitigate against the possibility of a malicious payload being delivered on password manager update is to not put all my eggs in one basket. For example, where I can, I authenticate with a Yubikey (if only by TOTP on Yubico Authenticator). Then my password isn't enough. But where do I store the recovery codes? Ugh: in the password manager.

I've been thinking on this for a while, and I haven't really found a perfect solution that provides me a way to store secrets without also being too reliant on one party's software. If I rely heavily on the password manager, that puts too much trust in it. If I rely more on a hardware token, that's too risky in case of loss of theft.

What's a security-aware nerd to do?

you are viewing a single comment's thread
view the rest of the comments
[–] pcouy@lemmy.pierre-couy.fr 1 points 1 year ago (1 children)

If you're really paranoid about this kind of stuff, you can look into using QubesOS. It uses Xen ("bare-metal" hypervisor) to isolate software from each other, and their docs is pretty good.

You could run an offline password manager from an offline VM and use Qubes' inter-VM clipboard.

[–] bouncing@partizle.com 2 points 1 year ago (1 children)

A coworker of mine uses Qubes to login to dating sites. He's probably an interesting date.

Honestly, the computer also being compromised hadn't occurred to me, but it could certainly happen. If you really want to expand out in that direction, you could even consider a hardware password manager.

[–] pcouy@lemmy.pierre-couy.fr 1 points 1 year ago (1 children)

I did not mention it with relation to a compromised computer, but wrt a compromised supply chain for the password manager.

Imagine your password manager suddenly turns malicious and tries to exfiltrate your secrets. If it is running in a VM that does not have access to the internet, its attempts to send your passwords to the bad guys are useless unless they have a VM escape exploit. I consider it a massive upgrade to your security game

[–] bouncing@partizle.com 2 points 1 year ago (1 children)

That's a good point. You wouldn't have to trust a password manager nearly as much if you contain it in a VM.

[–] pcouy@lemmy.pierre-couy.fr 1 points 1 year ago

That's the whole point of QubesOS : you don't have to trust any specific software if they each run in their own VM.

It's a bit more complicated than that, since you probably want to be able to use a given file with different software (for instance, download a document from your browser, edit it with LibreOffice, and send it as an attachement with a mail client). It's the usual security vs usability tradeoff. You never completely get rid of it, but QubesOS has a lot of neat features that make is easier to understand and decide which software you trust with which data