Top Password Managers Have Fundamental Flaws That Expose User Credentials in Computer Memory While Locked, According to New Research From Independent Security Evaluators (ISE)
February 2019 by ISE
Top password manager products have fundamental flaws that expose the data they are designed to protect, rendering them no more secure than saving passwords in a text file, according to a new study by researchers at Independent Security Evaluators (ISE).
"100 percent of the products that ISE analyzed failed to provide the security to safeguard a user’s passwords as advertised,” says ISE CEO Stephen Bono. “Although password managers provide some utility for storing login/passwords and limit password reuse, these applications are a vulnerable target for the mass collection of this data through malicious hacking campaigns.”
In the new report titled “Under the Hood of Secrets Management,” ISE researchers revealed serious weaknesses with top password managers: 1Password, Dashlane, KeePass and LastPass. ISE examined the underlying functionality of these products on Windows 10 to understand how users’ secrets are stored even when the password manager is locked. More than 60 million individuals 93,000 businesses worldwide rely on password managers. Click here for a copy of the report.
Password managers are marketed as a solution to eliminate the security risks of storing passwords or secrets for applications and browsers in plain text documents. Having previously examined these and other password managers, ISE researchers expected an improved level of security standards preventing malicious credential extraction. Instead ISE found just the opposite.
Data Stored in Plaintext When Locked
One major finding was that, in certain instances, the master password was residing in the computer’s memory in a plaintext readable format — no safer than storing it in a document or on the desktop as far as an adversary is concerned. Users are led to believe the information is secure when the password manager is locked. Though, once the master password is available to the attacker, they can decrypt the password manager database — the stored secrets, usernames and passwords. ISE demonstrated it is possible to extract master passwords and other login credentials from memory while the password manager was locked.
Simple Forensics Can Extract Master Passwords
Using a proprietary, reverse engineering, tool, ISE analysts were able to quickly evaluate the password managers’ handling of secrets in its locked state. ISE found that standard memory forensics can be used to extract the master password and the secrets it’s supposed to guard.
“Given the huge user base of people already using password managers, these vulnerabilities will entice hackers to target and steal data from these computers via malware attacks,” says lead researcher, Adrian Bednarek. “Once they have your master password, it’s game over.”
“People believe using password managers makes their data safer and more secure on their computer,” says ISE Executive Partner Ted Harrington. “Our research provides a public service to vendors of these widely-adopted products who must now mitigate against attacks based the discovered security issues, as well as alert consumers who have a false sense of security about their effectiveness.”
ISE recommends that to keep secrets more secure until vendors fix the issues, password manager users should not leave a password manager running in the background, even in a locked state, and terminate the process completely if they are using one of the affected password managers.
This report is part of an ongoing research initiative conducted by Independent Security Evaluators to protect consumers and businesses and to inform manufacturers of vulnerabilities that could expose their customers to risk. All vulnerabilities and relevant research findings have been responsibly disclosed to the manufacturers.