
Use a password manager? New study reveals it may be worse than useless

22 Feb 2019

According to a recent study, top password manager products that tens of millions of people around the world use every day have fundamental flaws that expose the data they’re designed to protect.

These platforms include 1Password, Dashlane, KeePass, and LastPass, which combined have more than 60 million users and 93,000 businesses worldwide relying on them to provide password protection.

The study - Under the Hood of Secrets Management - was carried out by researchers at Independent Security Evaluators (ISE), who conclude that these platforms are no more secure than saving passwords in a text file.

"100 percent of the products that ISE analysed failed to provide the security to safeguard a user’s passwords as advertised,” says ISE CEO Stephen Bono.

“Although password managers provide some utility for storing login/passwords and limit password reuse, these applications are a vulnerable target for the mass collection of this data through malicious hacking campaigns.”

ISE examined the underlying functionality of the aforementioned products on Windows 10 to understand how users’ secrets are stored even when the password manager is locked.

They’re marketed as a solution to eliminate the security risks of storing passwords or secrets for applications and browsers in plain text documents. Having previously examined these and other password managers, ISE researchers expected an improved level of security standards preventing malicious credential extraction. Instead, ISE found just the opposite.

One staggering finding was that in certain instances, the master password was sitting in the computer’s memory in a plaintext readable format, which is no safer than storing it in a document or on the desktop as far as a cybercriminal is concerned.

While users are led to believe their information is secure when the password manager is locked, once the master password is available to an attacker they’re equipped to easily decrypt the password manager database containing any stored secrets, usernames, and passwords.

To prove its point, ISE went ahead and demonstrated how it is possible to extract master passwords and other login credentials from memory while the password manager was locked.

The really worrying thing about this research is just how simple it is. Using a proprietary reverse-engineering tool, ISE analysts were able to quickly evaluate each password manager's handling of secrets in its locked state. ISE found that standard memory forensics can be used to extract the master password and the secrets it is supposed to guard.
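The failure mode ISE describes, a locked vault whose master password is still sitting in process memory, and the memory-forensics check that finds it, as an added example. This is illustrative code written for this page, not ISE's tooling or any vendor's code: the vault, the fixed arena standing in for the process heap, the allocation offset and the sample password are all hypothetical.

```c
/* Added example: a toy "vault" that keeps the master password in a heap
 * buffer while unlocked. lock_leaky() drops the pointer without scrubbing,
 * which is the failure mode ISE describes; lock_scrubbed() wipes the bytes
 * first with a zeroing call the compiler cannot elide. scan_for_secret()
 * does what a memory-forensics pass does: walks a memory region looking
 * for the plaintext. All names, offsets and inputs are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ARENA_SIZE 4096

/* Simulated process heap: a fixed arena so the scan is deterministic.
 * Real memory forensics would read a minidump or /proc/<pid>/mem instead. */
static unsigned char arena[ARENA_SIZE];

struct vault {
    unsigned char *master;   /* points into arena while unlocked */
    size_t master_len;
    int locked;
};

/* memset reached through a volatile function pointer: the call cannot be
 * dropped the way dead-store elimination removes a plain memset whose
 * buffer is freed right afterwards. */
static void *(*volatile secure_memset)(void *, int, size_t) = memset;

static void scrub(void *p, size_t n)
{
    secure_memset(p, 0, n);
}

/* "Unlock": copy the typed master password into the arena at a fixed
 * offset, standing in for the heap allocation a real manager would make. */
static void unlock(struct vault *v, const char *typed)
{
    v->master_len = strlen(typed);
    v->master = arena + 128;          /* hypothetical allocation site */
    memcpy(v->master, typed, v->master_len);
    v->locked = 0;
}

/* Vulnerable lock: forgets the pointer but leaves the bytes in place. */
static void lock_leaky(struct vault *v)
{
    v->master = NULL;
    v->master_len = 0;
    v->locked = 1;
}

/* Hardened lock: scrub before forgetting the pointer. */
static void lock_scrubbed(struct vault *v)
{
    if (v->master) scrub(v->master, v->master_len);
    v->master = NULL;
    v->master_len = 0;
    v->locked = 1;
}

/* Memory-forensics stand-in: search the region for the plaintext.
 * Returns the offset of the first match, or -1 if it is absent. */
static long scan_for_secret(const unsigned char *region, size_t region_len,
                            const char *needle)
{
    size_t n = strlen(needle);
    if (n == 0 || n > region_len) return -1;
    for (size_t i = 0; i + n <= region_len; i++)
        if (memcmp(region + i, needle, n) == 0)
            return (long)i;
    return -1;
}

/* Unlock, lock with the chosen routine, then scan the "heap" for the
 * master password. Returns its offset, or -1 if the lock left nothing. */
static long leak_offset_after_lock(const char *pw, int scrubbed)
{
    struct vault v = {0};
    memset(arena, 0, sizeof arena);
    unlock(&v, pw);
    if (scrubbed) lock_scrubbed(&v); else lock_leaky(&v);
    return scan_for_secret(arena, sizeof arena, pw);
}

int main(void)
{
    const char *pw = "correct horse battery staple";   /* constructed sample */
    printf("leaky lock:    master password found at offset %ld\n",
           leak_offset_after_lock(pw, 0));
    printf("scrubbed lock: master password found at offset %ld\n",
           leak_offset_after_lock(pw, 1));
    return 0;
}
```

Run it and the leaky lock reports the password at offset 128 while the scrubbed lock reports -1. Against a real process the scan step is the same idea applied to a memory dump; the fix on the vendor side is the same too: zero every buffer that held the master password or a derived key as soon as the vault locks, using a primitive the optimiser is not allowed to remove.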

“Given the huge user base of people already using password managers, these vulnerabilities will entice hackers to target and steal data from these computers via malware attacks,” says ISE lead researcher Adrian Bednarek.

“Once they have your master password, it’s game over.”  

ISE executive partner Ted Harrington says internet users should keep their secrets more secure until vendors fix the issues by never leaving a password manager running in the background - even in a locked state - and by terminating the process completely if they are using one of the aforementioned password managers.

“People believe using password managers makes their data safer and more secure on their computer,” says Harrington.

“Our research provides a public service to vendors of these widely-adopted products who must now mitigate against attacks based on the discovered security issues, as well as alert consumers who have a false sense of security about their effectiveness.”
