A new report suggests that password managers aren’t quite as secure as you might first think, and that they contain some worrying security flaws, including – in some cases – keeping the app’s master password in the PC’s memory in plaintext.
First off, though, before everybody starts hitting the panic button and considering uninstalling their password manager program, let’s clarify that the security researchers behind this report still advocate the use of these applications.
The Independent Security Evaluators (ISE) note that password managers are definitely a good thing, and the ones from the major players (which they looked at in this study) “add value to the security posture of secrets management”, and help avoid many bad password practices (like weak passwords, re-using passwords over and over, and so forth).
Bearing that in mind, ISE evaluated 1Password, Dashlane, KeePass and LastPass on Windows 10, and found that in some cases the master password for the app was kept in system memory in plaintext, readable form.
As the firm points out, that’s no better than storing it typed out in a document on your computer, at least as far as a skilled attacker is concerned. In these cases, even if the password manager app is ‘locked’ – i.e. it’s running, but you need to enter the master password to access the many passwords stored inside the application – a hacker can potentially get in by sniffing out the plaintext master password in the PC’s memory.
And once they’re in, they can access all the victim’s usernames and passwords for every site and service they have signed up for.
The security firm observed: “Using a proprietary reverse engineering tool, ISE analysts were able to quickly evaluate the password managers’ handling of secrets in its locked state. ISE found that standard memory forensics can be used to extract the master password and the secrets it’s supposed to guard.”
Of course, we have to remember that the hacker still needs access to the computer, either physically, or if remote, via some sort of backdoor installed by malware.
The ISE further notes: “It is evident that attempts are made to scrub and [sanitize] memory in all password managers [which were evaluated]. However, each password manager fails in implementing proper secrets sanitization for various reasons.”
The organization believes an urgent fix is needed so that password managers reliably scrub out all data that could lead to a compromise while the application is running in the background in a locked state.
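To make the “proper secrets sanitization” point concrete, here is a sketch of what scrubbing the master password on lock looks like in C. It is an added illustration, not code from any of the evaluated products; the `vault` struct and its function names are hypothetical, and the core caveat it shows is that a plain `memset()` on a buffer that is never read again can be dropped by the compiler as a dead store, leaving the secret in memory.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical minimal "vault" that holds the master password while unlocked
 * (constructed for this example; not any real product's data structure). */
#define MASTER_MAX 64

struct vault {
    char master[MASTER_MAX];  /* master password, only meaningful while unlocked */
    size_t master_len;
    int unlocked;
};

/* Zeroise a buffer in a way the optimizer cannot elide. A plain memset() on a
 * buffer that is never read again is a dead store and may be removed, which is
 * one way a "locked" process can still hold the master password in plaintext. */
static void secure_zero(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) {
        *vp++ = 0;
    }
    /* Where available, explicit_bzero(), memset_s() or SecureZeroMemory()
     * are the platform-supported equivalents of this loop. */
}

/* Unlock: copy the typed master password into the vault. Returns 0 on overlong input. */
int vault_unlock(struct vault *v, const char *typed, size_t len)
{
    if (len >= MASTER_MAX) {
        return 0;
    }
    memcpy(v->master, typed, len);
    v->master[len] = '\0';
    v->master_len = len;
    v->unlocked = 1;
    return 1;
}

/* Lock: scrub the whole master buffer so a memory dump of the locked
 * process no longer contains the password in plaintext. */
void vault_lock(struct vault *v)
{
    secure_zero(v->master, sizeof v->master);
    v->master_len = 0;
    v->unlocked = 0;
}

/* Audit check: is every byte of the master buffer zero after locking? */
int vault_master_scrubbed(const struct vault *v)
{
    for (size_t i = 0; i < sizeof v->master; i++) {
        if (v->master[i] != 0) {
            return 0;
        }
    }
    return 1;
}
```

Scrubbing the buffer is only part of the job: copies made by the UI toolkit, the clipboard, or string-handling libraries need the same treatment, which is the “various reasons” ISE alludes to.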
Hopefully, the makers of these pieces of software are sitting up and taking notice, and will have a plan of action to tackle the aforementioned security flaws.
In the meantime, until patches are deployed to squash these particular gremlins, the ISE recommends that you don’t leave a password manager app running in the background – even in a locked state – and that users should “terminate the process completely if they are using one of the affected password managers”.
However, it’s still worth underlining that any hacker would need access to your PC in some way to sniff out your password secrets, as we already mentioned. So as ever, it’s a sensible move to have a good antivirus installed on your system.