Horcrux Is a Password Manager Designed for Security and Paranoid Users

Moogle Stiltzkin
Ask me anything
Posts: 9293
Joined: Thu Dec 04, 2008 12:21 am
Location: Around the world....

Horcrux Is a Password Manager Designed for Security and Paranoid Users

Post by Moogle Stiltzkin » Tue Jul 11, 2017 12:48 pm

Two researchers from the University of Virginia have developed a new password manager prototype that works quite differently from existing password manager clients.
The research team describes their password manager — which they named Horcrux — as "a password manager for paranoids," due to its security and privacy-focused features and a unique design used for handling user passwords, both while in transit and at rest.

There are two main differences between Horcrux and currently available password manager clients.
Horcrux inserts dummy credentials into your forms

The first is how Horcrux inserts user credentials inside web pages. Regular password managers do this by filling in the login form with the user's data.
Hannah Li and David Evans, the two researchers that created Horcrux, say this is a dangerous behavior because password managers insert user credentials inside a page's DOM, which exposes credentials to malicious JS scripts that can read those credentials while inside the forms, before submission.

The two say they fixed this attack surface in Horcrux by inserting dummy (fake) credentials inside login fields. When the user submits his form, the dummy credentials are still there, but Horcrux will intercept the form submit operation (HTTP POST request) and replace the dummy credentials with the user's real username and password combo.

Researchers admitted that this idea is not new, as other researchers proposed the same solution in the past, but that solution was not adopted by the developers of password managers due to usability and compatibility concerns.

This time around, the research team says they tested their technique to be sure it works without glitches and found that 98% of the Alexa Top 1 Million sites that feature login forms are compatible with their "dummy credentials swap."

Horcrux spreads credentials across multiple servers

The second feature that makes Horcrux stand out compared to other password manager clients is how it stores user credentials.

Compared to classic solutions, Horcrux doesn't trust one single password store but spreads user credentials across multiple servers. This means that if an attacker manages to gain access to one of the servers, he won't gain access to all of the user's passwords, limiting the damage of any security incident.

Furthermore, credentials stored across these multiple servers are secret-shared using a cuckoo hashing algorithm "in a way that ensures an attacker cannot determine if a guessed master password is correct," which greatly limits an attacker's ability to recover any password data, even if he manages to compromise one of the many password-storing servers.

The new Horcrux password manager is currently available only as a Firefox add-on that can be compiled from this open-source GitHub repo. The downside is that users have to host their own password-storing servers in order to use Horcrux, something that many users can't afford. Nonetheless, the license permits companies that run password managers to take their design or code and use it for their own professional solutions.

More details about the Horcrux design and implementation are available in the research team's paper, entitled "Horcrux: A Password Manager for Paranoids."

Article source



The concept does sound interesting, and I'm sure if someone wants to go the extra mile they'll get the added protection.

But for most people KeePass using ChromeIPass suffices.

NAS
[Main Server] QNAP TS-877 w. 4tb [ 3x HGST Deskstar NAS (HDN724040ALE640) & 1x WD RED NAS ] EXT4 Raid5 & 2 x m.2 SATA Samsung 850 Evo raid1 +16gb ddr4 Crucial+ QWA-AC2600 wireless+QXP PCIE
[Backup] QNAP TS-653A w. 5x 2TB Samsung F3 (HD203WI) EXT4 Raid5
[Backup] QNAP TL-D400S 2x 4TB WD Red Nas (WD40EFRX) single disks.
[^] QNAP TS-659 Pro II
[^] QNAP TS-509 Pro w. 4x 1TB WD RE3 (WD1002FBYS) EXT4 Raid5
[^] QNAP TS-228
[^] QNAP TS-128
[Mobile NAS] TBS-453DX w. 2x Crucial MX500 500gb EXT4 raid1

Network
Asus AC68U Router|100dl/50ul MBPS FTTH Internet | Win10, WC PC-Intel i7 920 Ivy bridge desktop (1x 512gb Samsung 850 Pro SSD + 1x 4tb HGST Ultrastar 7K4000)


Guides & articles
[Review] Moogle's QNAP experience
[Review] Moogle's TS-877 review
https://www.patreon.com/mooglestiltzkin

schumaku
Guru
Posts: 43664
Joined: Mon Jan 21, 2008 4:41 pm
Location: Kloten (Zurich), Switzerland -- Skype: schumaku

Re: Horcrux Is a Password Manager Designed for Security and Paranoid Users

Post by schumaku » Tue Jul 11, 2017 2:10 pm

One of the reasons why _all_ the Web Form based login used in favour of the classic Web Basic Auth (updated as RFC7235 in 2014) s***s. Or even better, forget this username password garbage and migrate to client auth certificates. All this would play outside of the reach of JavaScript. But with coloured Web pages with logins it "looks" better - and this is blinding managers and users.

Moogle Stiltzkin
Ask me anything
Posts: 9293
Joined: Thu Dec 04, 2008 12:21 am
Location: Around the world....

Re: Horcrux Is a Password Manager Designed for Security and Paranoid Users

Post by Moogle Stiltzkin » Tue Jul 11, 2017 2:47 pm

schumaku wrote: One of the reasons why _all_ the Web Form based login used in favour of the classic Web Basic Auth (updated as RFC7235 in 2014) s***s. Or even better, forget this username password garbage and migrate to client auth certificates. All this would play outside of the reach of JavaScript. But with coloured Web pages with logins it "looks" better - and this is blinding managers and users.


Added to FAQ:
viewtopic.php?f=45&t=133965&p=625582#p625582


However, do keep in mind:

We reported back in June 2016 that KeePass, a popular password manager, was getting a security audit by the European Commission's EU Free and Open Source Software Auditing project (EU-FOSSA).

EU-FOSSA is a pilot project to create a formal process for contributing software security reviews to open source communities.
The project created an inventory of open source solutions used by the Commission, published studies into the security practices of 14 open source communities, and reviewed two popular open source solutions.

KeePass is a password manager created for Windows -- also working on Linux -- that uses a locally stored encrypted database.
The program ships with an impressive list of options. You can enable a global login shortcut for instance, or improve security of KeePass by modifying settings.

The password manager supports plugins and forks thanks to its open source nature. Plugins enable users to extend the program's functionality, for instance by integrating it in web browsers or synchronizing the database using online storage providers.


Closing Words

KeePass is an excellent, secure password manager for Windows. The results of the code audit suggest that it is a well-designed program with no critical or high-risk issues.

Full article
http://www.ghacks.net/2016/11/22/keepas ... ies-found/



Also missing the point. It's not about looks :shock: It's about storing very complicated passwords for many, MANY sites (most of us aren't mnemonics in the memory department, yet at the same time we need unique, complicated credentials regardless) in an encrypted database for which only one master password is needed to access this database (which can be stored and backed up to another location). These can be used for many things too: logging in to websites, forums, or yes, even your QNAP login page.

I'm not familiar with your approach, but the average person will use what's easiest to use and practical. It would help if you had a guide with instructions; maybe that would be more productive for anyone wanting to give that a try instead :)

That said, with KeePass maybe set it to auto-lock after a period of idleness? Also, an anti-keylogger and other basic security measures to protect your desktop/laptop wouldn't hurt either. Also set the browser not to auto-save credentials; you don't need to anyway, since KeePass can auto-fill for you.

Just to be clear - in case someone reading your post infers something that is not true - KeePass, in and of itself, DOES NOT employ the cloud. KeePass encrypts your database with a 256-bit key using AES or ChaCha20. For extra security (in addition to your master password - never in place of it), you can also require a master key file derived with either AES-KDF or Argon2 to be present to unlock your encrypted KeePass database. Moreover, your master key file can be any file you want (a .doc, a .jpg, .mp3, whatever) as long as it is never altered or lost. And by default, KeePass inherently stores everything locally. It does not require, offer, or operate cloud storage for your encrypted database and/or master key file. You have every ability to move and store your encrypted database and master key file however and wherever you choose. It is recommended to not store them in the same folder, or even on the same drive. But with this setup, you are good to go with KeePass.

Now there are optional KeePass plugins available that add sync functionality to any number of cloud storage providers with whom you might have an account (Dropbox, S3, OneDrive, Google Drive et al.). Just as with your local storage, your remote database is still completely encrypted with that 256-bit key. It is strongly advised to not keep the master key file in an easily-recognizable fashion with either your local or remote and fully-encrypted databases. Without both the master password AND the master key file, the encrypted cloud database by itself is fairly useless to anyone who might breach your account and snatch it.

I think of it this way: I am far more concerned about the sheer number of my still unencrypted, unsalted and/or poorly hashed passwords sitting in far too many web databases around the internet than all of my passwords sitting in one 256-bit AES-encrypted file behind a 30-character master password and a clandestine master key file that could be any (or none) of the files in that same cloud account.
