[UnFleshedOne]

Why is having _all_ password being unencrypted available to _all_ processes running under the same user context considered an esoteric attack?

Basically we are one browser exploit away from using ad-networks to steal all your passwords (from 1Password7).

[peterwwillis]

I don't think it's an "esoteric" attack, it's just that the cost-benefit of locking things down a tiny bit more isn't significant. We're always one browser exploit away from malware that can do whatever it wants.

Ok, so say the malware couldn't access all your passwords immediately. It's just going to sit on your computer and collect them (and existing sessions) as you use them, or force you to re-auth and then collect them. And if it's highly prized info, the malware will eventually get updated with a privesc to go around the user context. This is what malware has been doing for years, and nobody notices until exfiltrated passwords start getting used.

[UnFleshedOne]

By the time I go through all my passwords at least once, browsers and OS will release multiple rounds of patches and potentially fix the exploit in question. This is still preferable to uploading whole database...

[peterwwillis]

I think the cost-benefit differs. If the whole database is leaked, you just rotate everything. Only the stuff that has been used (which tipped you to it being leaked) has a real impact. Nobody's going to compromise every single account you have all at the same time, unless they're specifically targeting you, in which case they're going to get everything anyway. So on balance, it doesn't matter if some random malware gets 1 of your passwords or all of them. The real-world impact is about the same: limited. The cost of worrying about the extra security outweighs the benefit.

Another way to go would be tiers of password managers. Even if all of their unlocked integrity sucks, you can have one manager that keeps your most sensitive accounts, and another manager for the rest. You rarely unlock the sensitive one, and after you log in, you unlock it and exit it. Now you have much better opsec with very little additional cost.

[UnFleshedOne]

Imagine a malware ad, using zero day browser exploit that is designed to dump 1password db at scale and upload it for further processing. As an attacker you can run this for a while (while exploit is valid) and then compromise thousands of bank accounts you have collected. As many as your scripts support.

[ubercow13]

No, it just has to wait until you unlock your password manager once

[UnFleshedOne]

Well yes, right now that is true. Without filesystem access, without long term persistence, just process memory access, a compromised browser can dump whole db from 1password7 at once. You only need seconds of time.

If only recently accessed passwords were unencrypted, only those would be available.