Breaking a Password Manager
2024-06-04 11:08

Interesting story of breaking the security of the RoboForm password manager in order to recover a cryptocurrency wallet password.

The RoboForm program unwisely tied the random passwords it generated to the date and time on the user's computer: it determined the computer's date and time, and then generated passwords that were predictable.

If you knew the date and time and other parameters, you could compute any password that would have been generated on a certain date and time in the past.

If Michael knew the day or general time frame in 2013 when he generated it, as well as the parameters he used to generate the password, this would narrow the possible password guesses to a manageable number.

Then they could hijack the RoboForm function responsible for checking the date and time on a computer and get it to travel back in time, believing the current date was a day in the 2013 time frame when Michael generated his password.

RoboForm would then spit out the same passwords it generated on the days in 2013.
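The following is an added example, not RoboForm's code or algorithm: a toy generator that, as an assumption for illustration, uses the clock at one-second resolution as its only seed, shown beside a CSPRNG-based one so the difference in effective entropy can be measured. All function names, the 62-character alphabet and the 2013 date are constructed.

```python
import math
import random
import secrets
import string
from datetime import datetime, timedelta, timezone

ALPHABET = string.ascii_letters + string.digits  # assumed 62-character set

def weak_password(when, length=20):
    """Toy generator with the flaw: the clock (1 s resolution) is the only seed."""
    rng = random.Random(int(when.timestamp()))
    return "".join(rng.choice(ALPHABET) for _ in range(length))

def strong_password(length=20):
    """Corrected form: every character comes from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def clock_seeded_bits(start, end):
    """Entropy of weak_password() when the generation time lies in [start, end)."""
    return math.log2((end - start).total_seconds())

def csprng_bits(length=20):
    """Entropy of strong_password(): length * log2(alphabet size)."""
    return length * math.log2(len(ALPHABET))

def find_generation_time(password, start, end, length=20):
    """Replay the weak generator over the window; return the matching time or None."""
    t = start
    while t < end:
        if weak_password(t, length) == password:
            return t
        t += timedelta(seconds=1)
    return None

if __name__ == "__main__":
    # Constructed sample data: a made-up generation time inside a one-day window.
    day = datetime(2013, 5, 15, tzinfo=timezone.utc)
    made_at = day + timedelta(hours=3, minutes=25, seconds=7)
    lost = weak_password(made_at)
    print(f"clock-seeded: {clock_seeded_bits(day, day + timedelta(days=1)):.1f} bits")
    print(f"CSPRNG:       {csprng_bits():.1f} bits")
    print("replayed time:", find_generation_time(lost, day, day + timedelta(days=1)))
    print("independent of the clock:", strong_password())
```

A 20-character password from the clock-seeded toy carries only as much entropy as the uncertainty about when it was made, while the `secrets`-based version keeps the full strength of its length and alphabet.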


News URL

https://www.schneier.com/blog/archives/2024/06/breaking-a-password-manager.html