Millions of people from all over the world use password managers to keep their accounts secure.
A recently published study notes that the methods password managers use to hold sign-in credentials in memory aren't exactly bulletproof, and that they may be vulnerable to certain security threats. The study was carried out by Independent Security Evaluators, which examined the most popular password managers currently on the market: 1Password v4 and v7, Dashlane, KeePass and LastPass.
According to the researchers, none of the solutions kept the password fully protected while running, and in most cases fundamental flaws in how memory is handled could be exploited to extract key data that should have been kept secure.
The identified vulnerabilities affect the versions of the programs built for Windows 10. One of the biggest flaws is that the master password, which unlocks every stored credential, remains in the process's RAM as plaintext, where it can be read with ordinary memory-inspection tools.
Most users assume their information is safe as long as the password manager is locked, but a third party who obtains the master password can decrypt the entire database. The team was able to recover the master password and other credentials even while the manager was locked. Malware already running on the machine, with enough privilege to read the password manager's process memory, should be able to perform the same task automatically; the attack does not work remotely against a machine the attacker has not already compromised.
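The following is an added example, not code from the study or from any of the tested products. It models the two behaviours the paragraph above contrasts: a "lock" that only flips a flag and leaves the decrypted master password in memory, versus a lock that also wipes the secret with a volatile write the compiler cannot optimise away. The vault struct, the fixed arena standing in for the process heap, the `secure_wipe` helper (equivalent in purpose to SecureZeroMemory on Windows or explicit_bzero on glibc) and the sample secrets are all constructed for the example. `scan_arena` does what malware with read access to the process would do: search raw memory for the password.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed vault state. A real manager keeps this on the process heap;
   here it lives in one fixed arena so a "memory scan" can read it safely. */
#define ARENA_SIZE 4096

struct vault {
    int  locked;
    char master[64];   /* plaintext master password while unlocked */
    char entry[64];    /* one decrypted credential */
};

/* Union so the struct is properly aligned and the same bytes can be scanned. */
static union {
    struct vault v;
    uint8_t bytes[ARENA_SIZE];
} arena;

/* Zero memory through a volatile pointer so dead-store elimination cannot
   remove the wipe (hypothetical helper; same role as SecureZeroMemory). */
static void secure_wipe(void *p, size_t n) {
    volatile uint8_t *vp = (volatile uint8_t *)p;
    while (n--) *vp++ = 0;
}

/* Naive lock: sets the flag, leaves every secret where it was. This is the
   behaviour the study describes: "locked" in the UI, plaintext in RAM. */
static void lock_naive(struct vault *v) {
    v->locked = 1;
}

/* Hardened lock: sets the flag and wipes every decrypted secret. */
static void lock_wiped(struct vault *v) {
    v->locked = 1;
    secure_wipe(v->master, sizeof v->master);
    secure_wipe(v->entry, sizeof v->entry);
}

/* Memory scan: return the byte offset of needle in the arena, or -1. */
static long scan_arena(const char *needle) {
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= ARENA_SIZE; i++)
        if (memcmp(arena.bytes + i, needle, n) == 0)
            return (long)i;
    return -1;
}

/* Put an unlocked vault in the arena with constructed sample secrets. */
static struct vault *unlock_vault(void) {
    memset(arena.bytes, 0, ARENA_SIZE);
    arena.v.locked = 0;
    strcpy(arena.v.master, "correct-horse-battery-staple");
    strcpy(arena.v.entry,  "bank-login:hunter2");
    return &arena.v;
}

/* 1 if the master password is still readable after a naive lock. */
int master_survives_naive_lock(void) {
    lock_naive(unlock_vault());
    return scan_arena("correct-horse-battery-staple") >= 0;
}

/* 1 if the master password is still readable after a wiping lock. */
int master_survives_wiped_lock(void) {
    lock_wiped(unlock_vault());
    return scan_arena("correct-horse-battery-staple") >= 0;
}

int main(void) {
    printf("naive lock, master password still in memory: %d\n",
           master_survives_naive_lock());
    printf("wiped lock, master password still in memory: %d\n",
           master_survives_wiped_lock());
    return 0;
}
```

The wipe only covers buffers the program controls. Copies left in freed heap blocks, GUI control buffers or the clipboard are why a wipe on lock is necessary but not sufficient, which is the shape of several of the per-product findings listed below.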
Below is a summary of the findings for each tested program.
1Password 4 is mostly secure. The study found that the master password remains in RAM as plaintext after the manager has been unlocked.
1Password 7 appears to be more vulnerable than the legacy version. On unlocking, every stored password is decrypted into memory, and individual entries are not cleared afterward.
Dashlane is quite secure in normal use, but the entire database ends up exposed in memory as plaintext, and it remains available even after the program is closed.
KeePass removes most data from memory, but some credentials handled through Windows APIs may remain recoverable.
A leak of data into memory allowed the researchers to recover the master password and associated data from LastPass.
While these risks exist, it is unlikely that the average user will be the target of attacks that systematically exploit these vulnerabilities, since all of them require the attacker to already have code running on the victim's machine.
Benjamin Diaz started working for Debate Report in 2017. Ben grew up in a small town in northern Ontario. He studied chemistry in college, graduated, and married his wife a year later. Ben has been a proud Torontonian for the past 10 years. He covers politics and the economy. Previously he wrote for CTV News and the Huffington Post Canada.