
Fix not revealing stored passwords from the UI [$100] #2024

Open
kenkendk opened this Issue Oct 17, 2016 · 23 comments

kenkendk (Member) commented Oct 17, 2016

Before we can release the v. 2.0 beta we should fix the current insecure practice with storing passwords in "almost plain" and also prevent revealing the password from the UI.

There are a number of issues relating to this, and I am closing the imported ones:

  • #558 - A master password
  • #703 - Read-only access
  • #1010 - Hide auth password
  • #1251 - A global password
  • #1942 - Prevent exporting passphrase in JSON
  • #1807 - Login password protects configuration

A shallow protection would be to simply mask out any "password" marked options, and deliver them as a placeholder string (e.g. ********).

Another, more thorough approach, would be to use the system keychain to store the password options.

Perhaps we need both, as we may lack access to a keychain on some system, and maybe also for users with --portable-mode enabled.

When storing with the keychain, we need to mark the passwords in the database to know where they are stored in the keychain. If we store the passwords in the database, we should add some kind of encryption to the passphrases.

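The two protections sketched above (masking password-marked options before they reach the UI, and moving them into a keychain with only a marker left in the database row) as an added Python sketch; this is not Duplicati code, and the option names, the ConfigRow shape and the FakeKeychain stand-in are assumptions.

```python
import secrets
from dataclasses import dataclass, field

PLACEHOLDER = "********"
PASSWORD_KEYS = {"passphrase", "auth-password"}  # hypothetical names of "password"-marked options

class FakeKeychain(dict):
    """Stand-in for the OS keychain; a real backend would call the platform API."""
    def put(self, secret):
        item_id = secrets.token_hex(8)  # opaque handle; only this goes into the DB
        self[item_id] = secret
        return item_id

@dataclass
class ConfigRow:
    """A stored backup config; a password lives in options OR keychain_refs, never both."""
    options: dict = field(default_factory=dict)
    keychain_refs: dict = field(default_factory=dict)  # option name -> keychain item id

def mask_for_ui(row):
    """Shallow protection: the UI only ever receives a placeholder for a password."""
    view = dict(row.options)
    for k in PASSWORD_KEYS:
        if row.options.get(k) or k in row.keychain_refs:
            view[k] = PLACEHOLDER
    return view

def apply_ui_update(row, submitted):
    """Merge a form submission: an untouched placeholder means 'keep the existing secret'."""
    for k, v in submitted.items():
        if k in PASSWORD_KEYS and v == PLACEHOLDER:
            continue  # unchanged; leave the DB value or keychain ref as it is
        if k in PASSWORD_KEYS:
            row.keychain_refs.pop(k, None)  # a newly typed secret replaces the old ref
        row.options[k] = v
    return row

def move_to_keychain(row, keychain):
    """Thorough protection: move password values out of the row, keeping only the item id."""
    for k in PASSWORD_KEYS.intersection(row.options):
        row.keychain_refs[k] = keychain.put(row.options.pop(k))
    return row

def resolve_secrets(row, keychain):
    """Build the full option set a running backup job needs, resolving keychain markers."""
    full = dict(row.options)
    for k, item_id in row.keychain_refs.items():
        full[k] = keychain[item_id]
    return full
```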

telemaxx commented Oct 25, 2016

I think my comment fits here, or should I create a new entry?

After installation no password:
pw1
Then I set a global password:
pw2
Now I have to login:
pw3
Then I look at my settings, no Password is marked. But it's active.
I would expect Password is checked.

pw4
If I change something in the settings and click save, password is no longer active.

kenkendk (Member, Author) commented Oct 26, 2016

@telemaxx: That is something different, and a bug in the UI.

telemaxx commented Oct 26, 2016

OK, I create a new ticket.

Pectojin (Member) commented Feb 12, 2018

@kenkendk I think this issue #3027 should be added to the list (as well as any other advanced options containing passwords).

wjansenw (Contributor) commented Mar 3, 2018

Wouldn't it be an option to use https://www.zetetic.net/sqlcipher/open-source/ for the configuration database? You could use an encryption key only known by the Duplicati team that will never be exposed.

And provide options to export the db unencrypted.

Haven't read in detail, and don't know if the code could easily be added to this project.

Pectojin (Member) commented Mar 3, 2018

@wjansenw there is no way to keep such an encryption key secret since it needs to somehow be used by the Duplicati Server when opening the database. Any such usage would be in the code, for everyone to see, so it would no longer be secret.

The solution has to be secured by a secret only known to the user or local machine. E.g. unlocked by a user when starting Duplicati or using the system keychain.

wjansenw (Contributor) commented Mar 3, 2018

Pectojin (Member) commented Mar 4, 2018

Well, yes it's possible.

It just has multiple implications such as trusting the Duplicati team with the knowledge of the key used to encrypt your database.
And to some extent it's accepting obfuscation in place of proper security. I know it is encryption, but encryption with a known key is basically just adding an obfuscation layer, since it's then just a matter of extracting the key.

It can be done and it is more secure than nothing, but I think we can solve it in a better way.

kenkendk (Member, Author) commented Mar 5, 2018

Packing a key inside the binaries adds no security. You can dump all strings from most file types with a standard tool:
http://split-code.com/strings2.html

Encrypting the database adds a number of usability issues, which is fine if there is an upside, but I do not see it.

Since the running program needs the key, there is nowhere to hide it. Using the keychain to store the sensitive data gives the optimal protection (essentially trusting the OS to do it right). In this case it will only be accessible if the keychain is unlocked or the program is running (memory dump).

SystemOverlord commented Apr 11, 2018

I see that the issue is still open but the v2.0 beta was already released; are there any other related issues in which I can help? I am a student employee of University Heidelberg, and I would like to offer my help regarding IT security problems.

piegamesde (Contributor) commented Apr 11, 2018

@SystemOverlord There are a bunch of keystores, keyrings and password safes out there. The possibility to use one of them instead of storing them in plain text would be awesome. (See #3093)

Alternatively, the login system seems to be not that secure. This isn't really a problem for local login, but could still be improved.

Pectojin (Member) commented Apr 11, 2018

@piegamesde I'm afraid it's hard to improve on the login system without adding native SSL to Duplicati. The login system already uses salts and nonces to avoid sending the password and to limit replay attacks as much as possible (given that authentication happens over unencrypted HTTP).

In addition to keystore/keyring there's a couple of loose ends with passwords displayed in the frontend, and then there's the issue with the DBs being plaintext :)

SystemOverlord commented Apr 11, 2018

@Pectojin @piegamesde Thank you very much for the hints. I'll have a look and discuss the next steps with my professor.

edit 19.04.2018:

I am sorry, but after consulting my professor I cannot help with the further development of Duplicati.

emorgoch commented Apr 26, 2018

Any update on the UI side of this? Testing Duplicati for my own use now, and I couldn't believe that the password field when using a local folder destination wasn't masked. If not, I'd find it interesting to get my feet wet with GitHub finally, and take a stab at clearing as many of those locations out.

Pectojin (Member) commented Apr 26, 2018

@emorgoch, I haven't heard anything, so by all means feel free to take a look.

sylerner commented Jun 19, 2018

Is there any keychain technology available that uses a common API for Linux (KDE and Gnome at a minimum), Mac and Windows?

I'd like to put a bounty on this, but have no idea how much is appropriate. In order to gauge the complexity of the task - and hence what would be an appropriate bounty - it's necessary to know if this can be implemented once or would need 3+ implementations.

Project leaders: If a universal keychain isn't available, what would your feelings be about having Duplicati (at least initially) make use of a keychain only on Linux?

Thanks!

Pectojin (Member) commented Jun 19, 2018

There isn't any universal option, so the best option is to write a common interface in Duplicati and implement it for each operating system / keychain. It's fine for it to only work on one operating system initially if that's what the developer is used to working with.

sylerner commented Jun 22, 2018

I'm posting a $50 bounty to have all passwords on KDE Linux systems stored in KDE Wallet (or other KDE compatible keyring).

JonMikelV added the bounty label Jun 22, 2018

JonMikelV changed the title from "Fix not revealing stored passwords from the UI" to "Fix not revealing stored passwords from the UI [$50]" Jun 22, 2018

fergbrain commented Aug 4, 2018

Duplicacy uses the gnome-keyring (https://github.com/gilbertchen/duplicacy/wiki/Managing-Passwords), which uses D-Bus. This should be easy to interface with. See also: https://github.com/gilbertchen/keyring, which provides a cross-platform solution.

Pectojin (Member) commented Nov 2, 2018

There seems to be an implementation of "A global password" that never got upstreamed here: myENA@52e31a0

I haven't had time to test it, but it looks ok.

Pectojin (Member) commented Nov 3, 2018

Hmm, I tested it now; it's missing all the frontend components. So it doesn't really work unless I disable two frontend checks, and then we end up with a less user-friendly error from the server:

Unable to save schedule or backup object: The given key 'passphrase' was not present in the dictionary.

sebastianhaberey commented Nov 14, 2018

Hey guys, thank you for your work on Duplicati!

I'm posting a $50 bounty to have all passwords on macOS stored in the standard system keychain.
If a cross-platform solution is feasible, it would be the preferred way to go, of course.

mikaelmello changed the title from "Fix not revealing stored passwords from the UI [$50]" to "Fix not revealing stored passwords from the UI [$100]" Nov 14, 2018

auwsom commented Jan 22, 2019

My workaround is to use the portable installation mode, which moves the AppData folder inside the main program folder, then move that to a VeraCrypt volume. I use Smart Retention, a 3hr setting and an autorun.inf to run Duplicati when the volume opens. It should start missed backups as soon as it starts. Here's a post with some links at SE: https://softwarerecs.stackexchange.com/a/55070/30586

Not as simple for a user as a built-in keyring, but cross-platform, although it would still be exposed while that volume is open. At least it offers strong protection while the volume is closed.
