[clug] [OT] all text passwords == secure?

Angus Gratton gus at projectgus.com
Sun Aug 26 20:40:02 MDT 2012


On Mon, 27 Aug 2012 10:22:06 +1000
Alex Satrapa <grail at goldweb.com.au> wrote:
> 
> Of course storing my passwords in 1password means that I'm vulnerable to attacks against the equipment storing those passwords: one airport security agent plugging my smartphone into a memory dumping device for a few seconds will spell the end of life of all my passwords. I have taken to changing my collection of a few hundred passwords after every trip that involves checked baggage. Thankfully I've not yet had security staff demand that I hand over my carry-on devices to be inspected, but I can never be sure that checked baggage hasn't been tampered with (https://www.youtube.com/watch?v=G5mvvZl6pLI).
> 

Hi Alex,

I don't want to discourage you from being cautious, but I don't know
if I'd worry too much about this unless you think you're being targeted
by state-level agencies.

To know your 1password passwords immediately, airport security has
to dump the RAM of your running device while your 1password keychain is
unlocked (easier said than done, I would think, and presumably any
device in checked baggage is switched off.)

If they dump the persistent flash storage, that's maybe easier. But
only trivially easy if the database is on an external SD card. Even
then, in the case of 1password they'll need to either know of a
software vulnerability, or guess your password via PBKDF2, or break
AES128 directly. None of which is publicly known to be feasible.

Of course it's not impossible but I would think it's getting up to the
"go to your house and threaten you until you give up your password" or
"spy on you until they see you enter your password" level of effort.

Cheers,

Angus

Disclaimer: not any kind of crypto expert, for all I know my
devices are completely owned, etc, etc. :)
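To make the "guess your password via PBKDF2" step concrete, here is an added
example (not from the thread, not 1Password's code) of what an attacker holding
a dumped vault file actually has to do. Assumptions: a 16-byte salt, 10,000
PBKDF2-HMAC-SHA1 iterations, a 128-bit derived key, and, to stay standard-library
only, an HMAC "verifier" standing in for "does AES-128 decryption of the keychain
succeed". The wordlist and the master passwords are constructed for the demo.
The work factor per guess is the same either way: one full PBKDF2 derivation.

```python
import hashlib
import hmac
import os
import time

# Constructed parameters. 1Password's real on-disk format, salt length and
# iteration count are not stated on the page; these values are assumptions.
ITERATIONS = 10_000
KEY_LEN = 16                        # 128-bit key, matching the AES128 the thread mentions
CHECK_STRING = b"keychain-check"    # stand-in for "the decrypted keychain parses"


def derive_key(password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA1: every guess costs `iterations` HMAC computations."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations, KEY_LEN)


def make_vault(master_password: str, iterations: int = ITERATIONS) -> dict:
    """What a flash dump hands the attacker: salt, iteration count and a verifier.

    The verifier is an HMAC over a fixed string instead of an AES-encrypted
    keychain so the example needs no third-party library; the attacker's cost
    per guess (one PBKDF2 derivation) is unchanged by that substitution."""
    salt = os.urandom(16)
    key = derive_key(master_password, salt, iterations)
    verifier = hmac.new(key, CHECK_STRING, "sha256").digest()
    return {"salt": salt, "iterations": iterations, "verifier": verifier}


def check_guess(vault: dict, candidate: str) -> bool:
    """Derive a key from the candidate and see whether it 'opens' the vault."""
    key = derive_key(candidate, vault["salt"], vault["iterations"])
    tag = hmac.new(key, CHECK_STRING, "sha256").digest()
    return hmac.compare_digest(tag, vault["verifier"])


def guess_offline(vault: dict, candidates) -> tuple:
    """Offline dictionary attack on a dumped vault.

    Returns (recovered password or None, number of guesses made). Nothing here
    touches the device: once the file is copied, rate limits and lock screens
    no longer apply, only the PBKDF2 work factor does."""
    tried = 0
    for cand in candidates:
        tried += 1
        if check_guess(vault, cand):
            return cand, tried
    return None, tried


def seconds_per_guess(vault: dict, samples: int = 10) -> float:
    """Measure the per-guess cost on this machine (single core, pure Python)."""
    start = time.perf_counter()
    for i in range(samples):
        check_guess(vault, f"timing-probe-{i}")
    return (time.perf_counter() - start) / samples


def years_to_exhaust(vault: dict, keyspace: int, guesses_per_second: float) -> float:
    """Years to try every password in `keyspace` at the given rate (worst case, not average)."""
    return keyspace / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    # Constructed wordlist: the weak master password is in it, the strong one is not.
    wordlist = ["password", "letmein", "qwerty", "correct horse", "hunter2", "Tr0ub4dor&3"]

    weak = make_vault("hunter2")
    print("weak master password:", guess_offline(weak, wordlist))

    strong = make_vault("phrase the flash dump cannot guess, 38 chars")
    print("strong master password:", guess_offline(strong, wordlist))

    rate = 1 / seconds_per_guess(weak)
    # 8 characters drawn from 95 printable ASCII symbols, tried one guess at a time
    print(f"{rate:.0f} guesses/s on this box; 95^8 keyspace needs "
          f"{years_to_exhaust(weak, 95 ** 8, rate):.0f} years")
```

The weak vault falls on the fifth guess; the strong one survives the whole
wordlist and the printed estimate shows why a dumped file is only "trivially
easy" when the master password is in a wordlist. The rate printed is for a
single Python core, so treat it as a lower bound on what a GPU rig gets, and
note that it scales linearly with the iteration count, which is the knob the
defender controls.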

