Password managers are great. They combine security with convenience by storing all your credentials in one place, allowing you to use strong, complex passwords that you don’t have to remember.
But password managers themselves need to be super secure. Of course, if they are hacked, all your passwords are there for attackers to see – and that would be a disaster.
So major password manager firms will be feeling the heat today after a report from Independent Security Evaluators (ISE) found fundamental flaws that expose user credentials in computer memory while locked. According to the researchers, this renders them “no more secure than saving passwords in a text file”.
The ISE evaluated 1Password, Dashlane, KeePass and LastPass, which are used by a total of 60 million users and 93,000 businesses globally. It found that all the products failed to provide the security to safeguard a user’s passwords “as advertised”.
The study looked at the underlying functionality of these products on Windows 10 to understand how users’ secrets are stored even when the password manager is locked.
You would, naturally, think the password manager was safe when locked, but it’s not, according to the ISE. Worryingly, the researchers found that in some circumstances, the master password was residing in the computer’s memory in a plain text readable format. And once the master password is available to the attacker, they can decrypt the password manager database.
As the ISE points out, this is no safer than storing it in a document or on the desktop; something that certainly isn’t advised.
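The failure mode described above, in miniature: a locked vault whose “lock” only flips a flag leaves the master password bytes sitting in the process, while a lock that scrubs the buffer does not. This is an added illustration written for this page, not code from ISE or from any of the password managers named; the vault structure, the field names and the sample master password are all constructed for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_SECRET 64

/* Hypothetical in-process vault (constructed for this example): it holds
 * the plaintext master password only while unlocked. */
typedef struct {
    bool unlocked;
    char master[MAX_SECRET];
} vault_t;

/* Wipe through a volatile pointer so the stores must actually be performed
 * and cannot be dropped as "dead" writes before the buffer goes out of use. */
static void secure_wipe(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) {
        *vp++ = 0;
    }
}

void vault_unlock(vault_t *v, const char *master) {
    strncpy(v->master, master, MAX_SECRET - 1);
    v->master[MAX_SECRET - 1] = '\0';
    v->unlocked = true;
}

/* Naive lock: flips the flag but leaves the secret bytes in place. */
void vault_lock_naive(vault_t *v) {
    v->unlocked = false;
}

/* Hardened lock: flips the flag and scrubs the secret from the buffer. */
void vault_lock_scrub(vault_t *v) {
    v->unlocked = false;
    secure_wipe(v->master, sizeof v->master);
}

/* Defender's check: is the master password still readable in the vault's memory? */
bool secret_lingers(const vault_t *v, const char *master) {
    size_t len = strlen(master);
    if (len == 0) {
        return false;
    }
    if (len > MAX_SECRET - 1) {
        len = MAX_SECRET - 1;
    }
    return memcmp(v->master, master, len) == 0;
}

bool buffer_is_zero(const vault_t *v) {
    for (size_t i = 0; i < sizeof v->master; i++) {
        if (v->master[i] != 0) {
            return false;
        }
    }
    return true;
}

/* Returns 1 if a naive lock leaves the constructed master password in memory. */
int demo_naive_lock_leaks(void) {
    const char *constructed_master = "correct horse battery staple"; /* constructed sample */
    vault_t v = {0};
    vault_unlock(&v, constructed_master);
    vault_lock_naive(&v);
    return secret_lingers(&v, constructed_master) ? 1 : 0;
}

/* Returns 1 if a scrubbing lock leaves the buffer fully zeroed. */
int demo_scrub_lock_clean(void) {
    const char *constructed_master = "correct horse battery staple"; /* constructed sample */
    vault_t v = {0};
    vault_unlock(&v, constructed_master);
    vault_lock_scrub(&v);
    return (!secret_lingers(&v, constructed_master) && buffer_is_zero(&v)) ? 1 : 0;
}

int main(void) {
    printf("naive lock leaves master password in memory: %d\n", demo_naive_lock_leaks());
    printf("scrubbing lock clears the buffer: %d\n", demo_scrub_lock_clean());
    return 0;
}
```

The scrub only covers the one buffer the program controls. Copies made by UI toolkits, managed-runtime strings, clipboard handling or swap are outside its reach, which is the kind of residue Dashlane’s response below refers to; terminating the process, as the article advises, releases all of it at once.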
“Given the huge user base of people already using password managers, these vulnerabilities will entice hackers to target and steal data from these computers via malware attacks,” says ISE lead researcher, Adrian Bednarek.
Should you stop using your password manager?
It’s all well and good to call out problems with password managers, but what should you use instead? First, do not throw away your service just yet: even the ISE recommends that you keep using password managers, just follow a few simple steps.
Crucially, you should not leave a password manager running in the background, even in a locked state. If you are using one of the affected password managers, terminate the process completely when you are not using it.
And how serious is it? For this attack to pay off, the hacker would need access to the RAM. This would require either physical access or remote access into the victim’s machine.
Stealing master passwords still may not be effective for hackers, says Jake Moore, cyber security expert at ESET. This is because setting up most managers requires two-factor authentication on any new device, which “talks” to the server where the stored passwords are held.
At the same time, he says, if you use a password manager on your smartphone, you will be far better protected as this attack focuses primarily on computer RAM. “Plus, if you attach an authenticator application, such as Authy or Google Authenticator, to the password, your accounts will remain far safer,” he advises. “As long as people are not committing the cardinal sin of reusing passwords and can recognise password managers as a security measure rather than a vulnerability, we will all be far safer in no time.”
Emmanuel Schalit, CEO of Dashlane, one of the affected password managers, points out that the ISE findings cover “a very standard theoretical scenario in the world of security”. And he says: “This is not limited to Windows 10 but applies to any operating system and digital device connected to the internet.”
Schalit is also keen to point out that data stored by Dashlane on the device is encrypted and cannot be read by an attacker even if they have full control. “This only applies to the data present in the memory of the device when Dashlane is being used by a person who has typed the master password.”
Schalit says Dashlane is working on improving over the long term and adds: “We respectfully disagree with the researcher’s claim that this can be truly fixed by Dashlane, or anyone for that matter. Once the operating system or device is compromised, an attacker will end up having access to anything on the device and there is no way to effectively prevent it. There are solutions that amount to ‘putting the information under the rug’ but any attacker sufficiently sophisticated enough to remotely take control of the user’s device would go around these solutions very easily.”
So please don’t stop using your password manager just yet. Just ensure you close the service completely when not using it and set up two-factor authentication for extra protection.