Macpass: Defend memory attacks

Created on 25 Feb 2019  Â·  7Comments  Â·  Source: MacPass/MacPass

As researchers found out the last days, modern password managers are able to be attacked as they store the master password decrypted in the memory (when closing / locking)

You all heard the security news, so are there steps to fix this issue in MacPass in the next release?

Thanks for all the work @mstarke , really like your modern and solid password safe.

Most helpful comment

I have not tried to dump MacPass' memory and search for strings of passwords in it. MacPass stores all sensitive data as 1-time-pad xored bytes in memory. If an attacker can gain access to the process memory, dump it, find the xored and the pad data in memory it is possible to retrieve the password. As for the master password, the password is never stored anywhere. Only the hashed value that is the starting point for the key derivation function is stored in memory and it is xored with a 1-time-pad as well. I'm a bit sceptical on those attacks. I cannot make any assumtions on strings that are displayed in the UI and their storage. MacPass uses NSSecureTextField to leverage the highest security from the framework. If a malicious software is able to dump you memory it surely is able to log your keyboard and a million other things so I consider a system where an attacker can access process memory compromised in every possible way…

All 7 comments

Haven't heard of this but I'm concerned - do you have a link to an article about it?

https://www.securityevaluators.com/casestudies/password-manager-hacking/

I believe they are referring to this article. However, this is specific to windows. However, I am curious is macpass has similar issues on the Mac side. Of course I use both 1Password and Macpass.

It sounds like this flaw is Windows only (until other evidence reveals the same issue in MacOS / Linux) - it's probably to do with the way that things are stored in memory in Win10, rather than a problem with Keepass architecture across all platforms.

No password manager is perfect - however I imagine doing stuff like 2FA / keyfiles reduces the chance of these attacks being successful.

I have not tried to dump MacPass' memory and search for strings of passwords in it. MacPass stores all sensitive data as 1-time-pad xored bytes in memory. If an attacker can gain access to the process memory, dump it, find the xored and the pad data in memory it is possible to retrieve the password. As for the master password, the password is never stored anywhere. Only the hashed value that is the starting point for the key derivation function is stored in memory and it is xored with a 1-time-pad as well. I'm a bit sceptical on those attacks. I cannot make any assumtions on strings that are displayed in the UI and their storage. MacPass uses NSSecureTextField to leverage the highest security from the framework. If a malicious software is able to dump you memory it surely is able to log your keyboard and a million other things so I consider a system where an attacker can access process memory compromised in every possible way…

If a malicious software is able to dump you memory it surely is able to log your keyboard and a million other things

This caught my attention - not being a security expert I am wondering, if you used a keyfile in conjunction with a text password, would that defend against keyloggers? (presuming you kept your keyfile somewhere off the system eg. USB drive)

I can only guess that it makes key logging harder but on the other hand, it's access is simpler since an attacker can simply obtain the file and use it so it's actually easier than key-logging.

Was this page helpful?
0 / 5 - 0 ratings