42 votes

Over fifteen million passwords were temporarily inaccessible in Chrome's password manager

28 comments

  1. [20]
    balooga
    Although the password manager in Google Chrome is considered to be relatively secure, this incident raises questions as to whether it’s okay to rely on a single password manager. If you want to guard yourself against such issues, you should have a backup password manager.

    Yeah I dunno about this particular advice. Password managers hold the keys to our proverbial kingdoms. I don't think there’s a lot of wisdom in having duplicates of that data floating around. If you’re trusting one solution to keep your passwords safe, and that solution is compromised, you’re going to have a lot of headaches… but if you add a second password manager into the mix you’re doubling your risk. Not to mention the added hassle of keeping the data in both concurrent.

    It makes more sense to keep regular incremental backups of your password manager vault, local and encrypted. That way you can restore it if you need it, without exposing yourself to additional risk.

    49 votes
    1. [12]
      NomadicCoder
      Another big issue that has been nagging at me but few seem to talk about is the ability to recover from a total loss, for example a house fire without time to take your phone with you.

      I use Authy for 2FA and Keepass/Strongbox for my password databases. If I lost my laptop, iPad, and phone in a fire I'm not even sure I could get into any of my accounts, especially those that don't use SMS as a 2FA method (understandable, just harder to recover from). I've considered a safe deposit box with copies of my 2FA backup codes and my password database files, but my local bank doesn't even offer them anymore. I don't know how I'd recover from such a loss.

      22 votes
      1. [2]
        whbboyd
        Offsite, offsite, offsite. Put the recovery data you need (whether that's recovery codes, a copy of your password database, whatever) in a file, encrypt it with gpg¹, burn it to an archival quality CD², and give it to a friend to stash on a bookshelf or something. (Discs are cheap, so do this more than once.) The great thing about data security is that you don't really need to rely on physical security to keep your backups safe; modern, freely-available encryption works.

        I'm starting to consider planning data continuity for my own death, and let me tell you, that's a lot thornier. =P I need my family not to get locked out of important accounts that I hold the keys for if I'm incapacitated, but also for those accounts to ideally remain secure, which is an… interesting tension in requirements.


        ¹ Yeah, yeah, gpg has a reputation, which it definitely has earned. But for this purpose, it's actually very straightforward to use (on the commandline): generate your keys, then gpg -e <filename> to encrypt and gpg -d <filename>.gpg to decrypt. With an adequately secure passphrase on your private key, this gives you national-security level encryption.

        ² Ha! This is a joke. Nobody sells burnable CDs anymore. Instead, burn your several kilobytes of recovery data to a 4.7GB DVD. Seriously, though, burned archival-quality optical media is the way to go; durability of flash in offline storage is suspect, and while you can theoretically store hard drives offline, that's (a) very expensive, and (b) they're delicate mechanical devices which can easily get damaged, and you won't know until you plug them in to try to recover data.

        14 votes
        1. NomadicCoder
          I'm thinking an encrypted file with a memorized password containing the most important recovery details that I share with my adult son and daughter on a cloud service like Google Drive or Dropbox. I'm afraid that any physical off-site backups wouldn't get updated often enough.

          I feel like at a minimum it should contain the password and backup 2FA codes for my email and the cloud provider I use to sync my Keepass databases, as well as the keyfile for those Keepass databases. Snapshots of some of the other stuff (such as those KP DB files) could also be useful, knowing that they're likely to get out of sync over time and need to be periodically updated.

          The problem would be if I were also to have some kind of amnesia event (e.g. head injury in a car accident) and forget the backup password -- that's where the continuity of access that you mention comes in.

          1 vote
      2. balooga
        I started a project a few years ago that would allow me to hand over access to my important data to loved ones if I ever become incapacitated. The basic idea is that the tool encrypts an arbitrary blob of data, like a zip file, using an implementation of Shamir’s Secret Sharing.

        At the time of encryption, you can generate as many keys to the data as you want, and specify a threshold representing the minimum number of keys that must be present to decrypt it. Then you distribute the keys along with copies of the encrypted file to the trusted people in your life. So for example, a key for each parent, each sibling, my spouse, and each of my kids. I love ‘em all but I’d still set the threshold to, say, 4 to prevent anyone from snooping before it’s time. Then I’d give myself 7 or 8 keys (redundancies galore) and scatter them in different secret places like a USB drive on my keychain, a file hidden in my VPS, a paper printout in a safety deposit box, that sort of thing.

        Anyway, I’d link to the GitHub repo if I ever finished the thing, but I got busy and backburnered it. I still think it’s a solid idea and one of these days I’ll finish the job and release it to the masses. I’m mentioning it here because, in addition to helping my family recover my stuff in an emergency, it could also serve as a nifty distributed data recovery thing for me while I’m still alive. Lots of potential uses for something like that besides its stated purpose.

        5 votes
      3. DeaconBlue
        Do you have someone that you are on good terms with that you could leave a copy with rather than going through a deposit box?

        4 votes
      4. first-must-burn
        I just keep mine in dropbox (encrypted), but synology NAS have a feature where they will sync backups to someone else's NAS, if that's more to your liking.

        3 votes
      5. puhtahtoe
        I have a fire safe in my house with some printed passwords and MFA recovery keys and an extra yubikey that can get into my password manager.

        3 votes
      6. [2]
        Exellin
        There was a good short story I think on tildes a year or 2 ago about how someone got locked out of their digital life after a house fire. If anyone remembers this please reply with the link!

        Edit: I found it https://shkspr.mobi/blog/2022/06/ive-locked-myself-out-of-my-digital-life/

        3 votes
      7. RoyalHenOil
        Do you have any friends who can keep encrypted copies for you? This is what I and some of my family members do. We can't access each other's passwords because the files are encrypted, but we can still physically get the files to each other if need be.

      8. [2]
        Litmus2336
        I use Yubikeys. One on me, one at home, one with family. It's easier to replicate Yubikeys than have multiple phones.

        I also have paper backups too, just in case.

        1. NomadicCoder
          That might not be a bad solution as a backup for some sites that support it. I had a few YubiKeys years ago, but few sites supported them, only some browsers supported them, and I couldn't use them on my phone -- so since I had to use something else like TOTP anyhow I just stopped using them. Maybe I'll look to see how the landscape has changed.

          1 vote
    2. RoyalHenOil
      I use KeePass, and I feel relatively confident with that. All my passwords are in an encrypted file, which I can read and write to using the KeePass software located on my device. I don't really feel comfortable using a cloud-based option (other than keeping copies in cloud-based storage as backup and for ease of access on different devices) because I'm paranoid about data leaks, automatic updates that break things, or my account somehow getting closed and my access cut off.

      That being said, I do let my phone browser remember some passwords for the sake of convenience, but only for sites that I am willing to risk having my account compromised. I will absolutely not do this for sites that are critical (like email), that have any of my financial data (like shops), or that have any of my private data (like social media sites that have ties to my real identity).

      9 votes
    3. babypuncher
      The better advice is to not use a password manager that someone else can accidentally fuck up for you so easily with no possible recourse. If your LastPass or 1Password or Google account has a backend problem, or a bad software update breaks something and deletes your stuff, there is often nothing you as a user can do to recover your data.

      A KeePass database does not come with these risks. It's easy to make backups, mine are automated and I can revert to any version of my database from the last month. So even the worst case scenario of my chosen client getting a faulty update that corrupts the database, I can still pull the most recent backup and keep going on my way.

      7 votes
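Both balooga (regular local, encrypted, incremental backups of the vault) and babypuncher (automated backups with a month of versions to roll back to) describe the same control. As an added example that is neither commenter's own setup, here is a small Python script that snapshots a KeePass database file into timestamped copies, skips a snapshot when nothing changed, and prunes copies older than 30 days while always keeping the newest one. It assumes the database is a single `.kdbx` file (already encrypted by KeePass, so the copies inherit that) and a backup directory on local disk; the file contents in `demo()` are constructed.

```python
import hashlib
import shutil
from datetime import datetime, timedelta, timezone
from pathlib import Path

KEEP_DAYS = 30                      # retention window, matching "last month" in the comment
STAMP = "%Y%m%dT%H%M%SZ"            # UTC timestamp embedded in each snapshot name


def _utcnow():
    return datetime.now(timezone.utc).replace(tzinfo=None)


def _digest(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def _snapshots(db_path, backup_dir):
    """All snapshots of db_path, oldest first (the timestamp sorts lexicographically)."""
    return sorted(Path(backup_dir).glob(f"{Path(db_path).stem}.*{Path(db_path).suffix}"))


def snapshot(db_path, backup_dir, now=None):
    """Copy db_path to backup_dir/<stem>.<timestamp><suffix>.

    Returns the new snapshot path, or None when the newest snapshot already has
    identical contents (the database was not modified since the last run).
    """
    db_path, backup_dir = Path(db_path), Path(backup_dir)
    backup_dir.mkdir(parents=True, exist_ok=True)
    now = now or _utcnow()
    existing = _snapshots(db_path, backup_dir)
    if existing and _digest(existing[-1]) == _digest(db_path):
        return None
    target = backup_dir / f"{db_path.stem}.{now.strftime(STAMP)}{db_path.suffix}"
    shutil.copy2(db_path, target)   # copy2 keeps the original mtime for later inspection
    return target


def prune(db_path, backup_dir, now=None, keep_days=KEEP_DAYS):
    """Delete snapshots older than keep_days; the newest snapshot is never deleted."""
    now = now or _utcnow()
    removed = []
    for snap in _snapshots(db_path, backup_dir)[:-1]:
        stamp = datetime.strptime(snap.stem.split(".")[-1], STAMP)
        if now - stamp > timedelta(days=keep_days):
            snap.unlink()
            removed.append(snap)
    return removed


def demo():
    """Exercise snapshot/prune on a constructed database file in a temporary directory."""
    import tempfile
    work = Path(tempfile.mkdtemp())
    db = work / "vault.kdbx"                       # constructed stand-in for a real KeePass file
    backups = work / "backups"
    db.write_bytes(b"constructed kdbx contents v1")
    first = snapshot(db, backups, datetime(2024, 1, 1, 12, 0, 0))
    unchanged = snapshot(db, backups, datetime(2024, 1, 2, 12, 0, 0))  # same bytes: skipped
    db.write_bytes(b"constructed kdbx contents v2")
    second = snapshot(db, backups, datetime(2024, 2, 15, 12, 0, 0))
    removed = prune(db, backups, datetime(2024, 2, 16, 12, 0, 0))      # Jan 1 copy is >30 days old
    return {
        "first_taken": first is not None,
        "unchanged_skipped": unchanged is None,
        "second_taken": second is not None,
        "removed": len(removed),
        "remaining": len(_snapshots(db, backups)),
    }


if __name__ == "__main__":
    print(demo())
```

Run `snapshot` followed by `prune` from a scheduled job (cron, a systemd timer, Task Scheduler); because the worst case being guarded against is a client update that corrupts the database, the check that the copy differs from the previous one also means a corrupted save produces a new snapshot rather than silently overwriting the last good one.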
    4. [4]
      sparksbet
      ...also, isn't the password manager in Google Chrome the one that's famously insecure in comparison to other password managers? I seem to recall hearing about them storing passwords in plaintext at one point in time, but maybe I'm misremembering.

      5 votes
      1. [3]
        PleasantlyAverage
        This 2008 chromium feature request points to it always having been encrypted at rest:

        Working as intended. There has been much internal debate about this issue in the
        past which I will not reiterate here, except to summarize. Master passwords as
        implemented in other browsers provide more of an illusion of security than actual
        security. They also inconvenience users. Chrome uses the Windows crypto routines to
        encrypt local passwords, giving you some protection against remote data theft; for
        local data theft a master password wouldn't help.

        Eventually this need can be fulfilled in other ways that we have design ideas for.

        3 votes
        1. [2]
          sparksbet
          Yeah I mean that makes sense, I assume I'm half-remembering some sort of exploit I heard about in the past.

          2 votes
    5. skybrian
      With any account, there are two kinds of security risks:

      • What if someone else breaks in?
      • What if you get locked out?

      You need to guard against both, and for many people, somehow getting locked out is more likely, because people lose stuff, forget things, and use computers that break.

      For many of us, the risk of someone else breaking in is largely about remote access. That’s because anyone in the world could try it, but there are far fewer people who could break in to your house. A local copy of your passwords on paper in a safe is pretty good, though there are specific risks it’s not good for like home robbery or fire.

      People who are traveling or in group living situations have to worry more about local theft, though. You do want your phone to lock if it’s stolen.

      Regarding this particular incident, Chrome automatically syncs passwords between computers if you log into the same Google account, so if you had it on your phone as well as your Windows computer, you’d still be okay if the Windows box stopped working. Not having your passwords on only one OS is enough to avoid OS-specific problems.

      But there’s another risk worth considering: what if you somehow lose access to your Google account? I think I’ve guarded pretty well against locking myself out, but Google does sometimes lock an account if they think there’s a problem with abuse. I don’t think I’d lose access to my passwords on logged-in devices, but wouldn’t want to rely on it. A non-Google backup eliminates that risk.

      There are a lot of different kinds of threats to guard against and no one solution guards against all of them. When talking about the risks, though, it helps to consider each scenario separately.

      3 votes
  2. [4]
    gil
    Not a native speaker but doesn't "swallowed" make it sound like it permanently lost those passwords instead of it being an outage?

    15 votes
    1. umlautsuser123
      I am a native speaker and also had this impression!

      9 votes
    2. [2]
      riQQ
      I updated the title to be more precise. I hope it's better now.

      4 votes
      1. gil
        Oh, thanks, it is! You didn't have to, though. The original title is a clickbait I guess.

        2 votes
  3. [4]
    FireTime
    Been meaning to set up a self-hosted password manager for more than a few years now and this news reminded me. I didn't like most of the options when I first started looking but I found Vaultwarden after searching today (Bitwarden server reimplemented in Rust without the MS SQL requirement). There is a Docker container that is simple enough to set up and it seems to work decently well. Just moved all my passwords over from Chrome and will have to see how it works after a few weeks. Looks like it stores everything with SQLite so existing server file backups should keep the password vaults safe.

    2 votes
    1. [3]
      Sassanix
      The only issue with that I find, let’s say I haven’t gotten an offline database from my Vaultwarden. What can I do at that point?

      My solution has been keepass, then syncing the offline database on Google drive or Dropbox, then I use it on my desktops with keepassx, or regular keepass manager, and KeePassium on iOS, there are a lot of options on android as well.

      They all sync together, and I don’t have to worry about my server not being reached.

      2 votes
      1. Rudism
        Most (maybe all?) bitwarden apps and extensions do keep a local encrypted copy of all your data, and only periodically sync changes to/from the server. For example if you have the Bitwarden app on your phone synced and the server vanishes, you can still access all your passwords on the phone--you just can't read or write any changes against the server's copy until the server comes back online. I also use the Bitwarden extension for Firefox and it seems to work the same way.

        5 votes
      2. FireTime
        I haven't looked at KeePass since like 2012. Used it for small business password sharing on a network share back then. I'll keep it in mind if Vaultwarden doesn't work out. As Rudism stated it seems like the client devices do keep a local copy.