Popular Password Managers Found To Have Crippling Security Flaws
It is bad practice to use the same password
for multiple accounts, because even if only one of them is compromised in a security breach, then all of the accounts are compromised. That is where password managers like LastPass
come in handy. Are they truly secure, though? A new report sheds light on the shortcomings of popular password managers.
If you're not familiar with password managers, they generate and store hard-to-guess passwords, allowing you to secure your different accounts with different complex strings of characters and symbols. These are accessed by a master password. The benefit is that you only have to remember a single password, but can secure your many different accounts on the web with different ones.
There are several password managers out there, and Independent Security Evaluators (ISE) took a look at some of the more popular ones. Specifically, it evaluated 1Password, Dashlane, KeePass, and LastPass. In its report, ISE outlines vulnerabilities in each one.
"We found that in all password managers we examined, trivial secrets extraction was possible from a locked password manager, including the master password in some cases, exposing up to 60 million users that use the password managers in this study to secrets retrieval from an assumed secure locked state," the report states.
The findings largely have to do with how password managers store the master password in a computer's memory. In one example, ISE found the master password was stored in plaintext in memory, and that it was not properly scrubbed. The degree to which a particular password manager is vulnerable varies, but the underlying theme is that they are not totally secure.
That said, ISE does not advocate for not using a password manager. The security firm says in no uncertain terms that "password managers are a good thing" and "add value to the security posture of secrets management." They don't have to be perfect to be effective.
Taking things a step further, a person with 1Password told ZDNet that "any plausible cure may be worse than the disease," in regards to how the password manager uses system memory. Furthermore, the threat is limited.
"An attacker who is in a position to exploit this information in memory is already in a very powerful position. No password manager (or anything else) can promise to run securely on a compromised computer," 1Password said.
Nevertheless, ISE was still "surprised in the inconsistency" with which password managers retained and sanitized master passwords in memory. The takeaway seems to be that using a password manager is still wise, but there is room for improvement.