Monday, November 24, 2014

stealing master passwords is just not that big a deal

by now a lot of people have heard the news that a new version of the citadel trojan steals the master password for password management software. a LOT of electrons have gone into reporting this new development over and over and over again, but it really doesn't seem like it's a big enough deal to warrant all this attention.

while it may be novel to use keylogging to steal specific passwords for password management software, password stealers and keyloggers are anything but new, and the biggest difference between having this new version of citadel on your system or a traditional keylogger is basically that citadel will be able to collect (and therefore compromise) all your passwords faster than a normal keylogger (all at once vs. piecemeal).

that's really all there is to it. from the perspective of a potential victim, citadel isn't doing anything really new, it's just doing it more efficiently. password stealing malware has been out there for a long time and password managers were never meant to combat that particular threat to password security. password managers are meant to facilitate the use of strong, unique passwords which in turn serves to mitigate the risk of compromises to remote systems - compromising the local system is an entirely different problem.

at the end of the day, you can't operate securely with a compromised computer. even if you were to use 2 factor authentication (which could conceivably render password stealing moot) everything else you enter or access would be exposed to potential theft or manipulation if you're using a compromised computer.

i realize it may seem awkward that a class of software security pros have been promoting for years in order to improve security is now being targeted by malware, but it's only awkward because such a needlessly big deal is being made out of it. password management software still mitigates the same risks associated with remote compromises that it always did,  and you're as hosed as you ever were in the event of a local compromise. nothing has actually changed for the people trying to keep their things secure so stop acting like this development changes anything - it doesn't.