Maik
The vulnerability of insecurely deleting password manager exports

In the past couple of weeks I've read many posts about moving from LastPass to Bitwarden or another service. As a developer and IT-security student I'm always thinking carefully about the tools I use every day.

Don't get me wrong: password managers are the way to go if you want to contain the consequences of a data leak on a site where you're registered. But when you do something like migrate your passwords to a new service, you can easily create a new attack vector for people or bots trying to steal your identity.

When you export your passwords.csv file from LastPass, for example, don't forget about it afterwards, and don't just delete it once the migration is finished.

🗑 Why deleting or using rm passwords.csv isn't enough

When you delete a file, your operating system will usually move it to the trash bin, unless configured differently. It should hopefully not be necessary to point out that the file is still fully readable from there.

The next thought would be to use something like rm -rf passwords.csv to bypass the trash bin. Yes, you've apparently deleted the file. But all that really happened in the background is that the filesystem marked the file's data blocks as free (for reuse).
The data you "deleted", whether via the normal delete operation or by running rm, is still physically there on the disk until something overwrites it!

🧲 How to safely delete your export file

After you have completed the migration of your passwords, you should "delete" the file safely, as otherwise all your passwords will still be stored on your computer in plaintext.

If you're not familiar with the console, you can use a tool like File Shredder. Their website explains the simple process.

Otherwise you can use shred on Unix systems to overwrite and then delete the selected file(s). An example with 10 overwrite passes could be:

shred -fuz -n 10 passwords.csv

The -f flag forces the overwrite (changing permissions if necessary), -n 10 overwrites the file 10 times with random data, -z adds a final overwrite with zeros to hide the shredding, and -u finally deletes the overwritten file. Note that shred relies on the filesystem overwriting data in place, which journaled, copy-on-write and snapshotting filesystems (and SSDs with wear levelling) do not guarantee, so the old blocks may survive elsewhere; the CAUTION section of its manual page lists the affected cases.
More information about the shred command can be found in its manual page (man shred).
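To make the three flags concrete, here is an added example (my own code, not part of the original post or of coreutils) that re-implements what shred -fuz -n <passes> does using plain file operations; the names secure_delete, _overwrite and demo, and the sample export rows, are constructed for this illustration.

```python
import os
import tempfile

CHUNK = 1 << 16  # overwrite in 64 KiB chunks so a large export need not fit in memory

def secure_delete(path, passes=10):
    """Overwrite `path` in place, then remove it, mirroring `shred -fuz -n <passes>`:
    <passes> rounds of random data, a final round of zeros, then unlink.
    Same caveat as shred: on journaled, copy-on-write or snapshotting filesystems
    and on wear-levelled SSDs the old blocks may survive at another location."""
    if os.path.islink(path):
        raise ValueError(f"refusing to shred a symlink: {path}")  # would hit the target
    if not os.path.isfile(path):
        raise FileNotFoundError(path)
    os.chmod(path, 0o600)                  # the -f part: make sure the file is writable
    size = os.path.getsize(path)
    with open(path, "r+b") as f:           # r+b reuses the existing blocks, no truncate
        for _ in range(passes):
            _overwrite(f, size, random=True)
        _overwrite(f, size, random=False)  # the -z part: final pass of zeros
    directory = os.path.dirname(path) or "."
    for _ in range(3):                     # the -u part: scrub the name, then unlink
        new_name = os.path.join(directory, os.urandom(8).hex())
        os.rename(path, new_name)
        path = new_name
    os.unlink(path)
    return {"passes": passes + 1, "bytes_per_pass": size}

def _overwrite(f, size, random):
    f.seek(0)
    left = size
    while left > 0:
        n = min(CHUNK, left)
        f.write(os.urandom(n) if random else b"\0" * n)
        left -= n
    f.flush()
    os.fsync(f.fileno())                   # push past the OS cache to the device

def demo(passes=3):
    """Shred a constructed LastPass-style export in a temp dir and report the result."""
    workdir = tempfile.mkdtemp()
    export = os.path.join(workdir, "passwords.csv")
    with open(export, "wb") as f:          # constructed sample rows, not real credentials
        f.write(b"url,username,password\nhttps://example.com,alice,hunter2\n")
    summary = secure_delete(export, passes=passes)
    summary["remaining_entries"] = os.listdir(workdir)  # expect [] after -u
    os.rmdir(workdir)
    return summary
```

Running demo() creates the sample export, overwrites it three times plus a zero pass, and reports an empty directory afterwards; on the filesystems named in the caveat, the real shred command has the same limitation as this function.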

Conclusion

In times where we are all registered on hundreds of sites, one of your passwords can be leaked very easily. Therefore, it should be common practice to use a password manager and a different random password for each site.
If you then remember these simple steps, you can prevent a leak of one of the most important things in your life: your password database.
Keep it safe and keep it close! 🔒

Image credit goes to Ivan Haidutski
