Over 60 million individuals and 93,000 businesses worldwide rely on password managers today. However, there are fundamental flaws in top password manager products that expose the data they are designed to protect, rendering them no more secure than saving passwords in a text file.
Although password managers provide some utility for storing login information and limit password reuse, these applications are an easy target for the mass collection of this data through malicious phishing campaigns.
Researchers at Independent Security Evaluators revealed serious weaknesses in top password managers: 1Password, Dashlane, KeePass and LastPass. Having previously examined these and other password managers, ISE researchers expected an improved level of security that would prevent malicious credential extraction, but instead found just the opposite.
Data Stored in Plaintext When Locked
One major finding was that the master password was residing in the computer’s memory in plaintext, readable form — no safer than storing it in a document or on the desktop. Users are led to believe the information is secure when the password manager is locked; however, once the master password is available to the attacker, they can decrypt the password manager database.
Simple Forensics Can Extract Master Passwords
Using a proprietary reverse engineering tool, analysts were able to quickly evaluate the password managers’ handling of secrets in their locked state. Standard memory forensics can be used to extract the master password and the secrets it’s supposed to guard.
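The two findings above (the master password staying resident after the vault is locked, and a plain memory scan being enough to recover it) come down to whether the application scrubs its own secret buffer on lock. The following is an added illustration written for this article, not ISE's tooling or any vendor's code: a toy vault with a leaky lock beside a hardened one, plus a defender-side audit check that scans the vault's memory for the secret the way a test suite would. The vault structure, the `secure_zero` helper and the sample master password are all constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PW_MAX 64

/* Minimal stand-in for a password manager's in-memory vault state (constructed). */
typedef struct {
    char master[PW_MAX]; /* where the typed master password is held */
    int unlocked;
} vault_t;

/* Zeroization the optimizer cannot drop as a "dead store": every write goes
   through a volatile pointer, so each byte is actually cleared. A plain
   memset() before the buffer goes out of scope may be elided by the compiler. */
static void secure_zero(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) {
        *vp++ = 0;
    }
}

/* Unlock: the master password is copied into the vault's buffer. */
void vault_unlock(vault_t *v, const char *pw) {
    memset(v->master, 0, sizeof v->master);
    strncpy(v->master, pw, PW_MAX - 1);
    v->unlocked = 1;
}

/* Leaky lock: only the state flag changes; the secret bytes stay resident,
   which is the pattern the research describes. */
void vault_lock_leaky(vault_t *v) {
    v->unlocked = 0;
}

/* Hardened lock: the secret is scrubbed before the vault reports "locked". */
void vault_lock_scrubbed(vault_t *v) {
    secure_zero(v->master, sizeof v->master);
    v->unlocked = 0;
}

/* Defender-side audit check: search a memory region for a known byte pattern.
   Returns 1 if the pattern is present anywhere in the region, else 0. */
int region_contains(const void *region, size_t len, const char *needle) {
    const unsigned char *r = (const unsigned char *)region;
    size_t nlen = strlen(needle);
    if (nlen == 0 || nlen > len) {
        return 0;
    }
    for (size_t i = 0; i + nlen <= len; i++) {
        if (memcmp(r + i, needle, nlen) == 0) {
            return 1;
        }
    }
    return 0;
}

/* Constructed sample master password for the demonstration. */
static const char SAMPLE_PW[] = "correct horse battery staple";

/* Returns 1 if the secret is still readable after a leaky lock. */
int secret_survives_leaky_lock(void) {
    vault_t v;
    vault_unlock(&v, SAMPLE_PW);
    vault_lock_leaky(&v);
    return region_contains(&v, sizeof v, SAMPLE_PW);
}

/* Returns 1 if the secret is still readable after a scrubbed lock. */
int secret_survives_scrubbed_lock(void) {
    vault_t v;
    vault_unlock(&v, SAMPLE_PW);
    vault_lock_scrubbed(&v);
    return region_contains(&v, sizeof v, SAMPLE_PW);
}

int main(void) {
    printf("leaky lock leaves master password in memory: %s\n",
           secret_survives_leaky_lock() ? "yes" : "no");
    printf("scrubbed lock leaves master password in memory: %s\n",
           secret_survives_scrubbed_lock() ? "yes" : "no");
    return 0;
}
```

Scrubbing the one buffer the application controls is necessary but not sufficient: the same password typically passes through a UI text field, a key-derivation routine and freed heap chunks, and any of those copies can survive in process memory or in swap unless they get the same treatment. That is why, until vendors address the issue, the article's advice to terminate the process rather than rely on the locked state is the safer default.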
Given the huge user base of people already using password managers, these vulnerabilities entice hackers to target and steal data via malware attacks. Once they have your master password, it’s game over.
Until the vendors can fix these issues, password manager users should not leave a password manager running in the background, even in a locked state; those using one of the affected password managers should terminate the process completely when it is not in use.