It has been reported that top password managers have fundamental flaws that expose user credentials in computer memory, according to a new study by researchers at Independent Security Evaluators (ISE). In the new report titled “Under the Hood of Secrets Management,” ISE researchers revealed serious weaknesses with top password managers: 1Password, Dashlane, KeePass and LastPass. ISE examined the underlying functionality of these products on Windows 10 to understand how users’ secrets are stored even when the password manager is locked. More than 60 million individuals 93,000 businesses worldwide rely on password managers.
Severe Vulnerabilities Uncovered In Popular Password Managers: https://t.co/xmV82nZebI
— deadmilkman (@deadmilkman) February 21, 2019
Experts Comments below:
Gavin Millard, VP of Intelligence at Tenable:
“While ISE’s research of five popular password managers is interesting we should avoid throwing the baby out with the bath water. This is a classic example of weighing up the risk of using the technology versus the risk of not.
“We live in a world where the need for passwords can be in the hundreds for the average user. If an individual relies on just one or two that are reused across multiple accounts, the likelihood of one being discovered in a data-dump on the dark web is more likely than the scenarios described in this paper being achieved by a threat actor.
“As an analogy, we’ve seen instances of anti-lock braking systems (ABS) that can fail when driving at high speeds around a race track but, in normal driving conditions, the technology has prevented far more accidents than it’s caused. Should we remove ABS from cars ‘just in case’? I’d argue not and the same is true of password managers.”
Amit Sethi, Senior Principal Consultant at Synopsys:
“Password managers serve a very useful purpose. In spite of these weaknesses, the majority of users that use password managers are much safer than users that do not use them. So, continue to encourage the use of password managers. Of course, keep all your users’ software up to date to ensure that they receive fixes for weaknesses like these.
It is important to keep the discovered weaknesses in perspective. Exploiting the weaknesses requires having the ability to access your computer. There are two primary ways in which attackers can do this
- Obtain physical access to your computer. Please see my suggestions above for protecting against this.
- Install malware on your computer. While the discovered weaknesses provide some additional attack vectors, there is not much that password managers can do to protect your passwords from this. Even if these weaknesses are fixed, the malware will be able to steal your master password the next time you type it. Follow general security best practices to reduce the likelihood of malware ending up on your computer.
Compared to all the things that can go wrong when you use weak passwords or reuse passwords across websites, these issues are quite minor. Do not let these weaknesses deter you from using a good password manager.
The main risk here is that somebody who gets access to your computer while your password manager is running but locked may be able to get access to your passwords. The first step is to upgrade your password manager to the latest available version. Almost all of the password managers that were studied have newer versions available that may have addressed these weaknesses. Then, make sure that you are using a strong master password that would be difficult for others to guess or brute-force.
If you want to be more careful, close your password manager completely whenever leave your computer unattended. Do not simply lock the password manager and hope that your passwords will be safe. Finally, enable disk encryption on your computer. Then, shut down your computer or place it in hibernation mode if possible whenever you leave it unattended. Alternately, avoid leaving your computer unattended.”
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.