
Use a password manager? New study reveals it may be worse than useless

22 Feb 2019

According to a recent study, top password manager products that tens of millions of people around the world use every day have fundamental flaws that expose the data they’re designed to protect.

These platforms include 1Password, Dashlane, KeePass, and LastPass, which combined have more than 60 million users and 93,000 businesses worldwide relying on them to provide password protection.

The study, Under the Hood of Secrets Management, was carried out by researchers at Independent Security Evaluators (ISE), who contend that these platforms are no more secure than saving passwords into a text file.

“100 percent of the products that ISE analysed failed to provide the security to safeguard a user’s passwords as advertised,” says ISE CEO Stephen Bono.

“Although password managers provide some utility for storing login/passwords and limit password reuse, these applications are a vulnerable target for the mass collection of this data through malicious hacking campaigns.”

ISE examined the underlying functionality of the aforementioned products on Windows 10 to understand how users’ secrets are stored even when the password manager is locked.

They’re marketed as a solution to eliminate the security risks of storing passwords or secrets for applications and browsers in plain text documents. Having previously examined these and other password managers, ISE researchers expected an improved level of security standards preventing malicious credential extraction. Instead, ISE found just the opposite.

One staggering finding was that in certain instances, the master password was sitting in the computer’s memory in a plaintext readable format, which is no safer than storing it in a document or on the desktop as far as a cybercriminal is concerned.

While users are led to believe their information is secure when the password manager is locked, once the master password is available to an attacker they’re equipped to easily decrypt the password manager database containing any stored secrets, usernames, and passwords.

To prove its point, ISE went ahead and demonstrated how it is possible to extract master passwords and other login credentials from memory while the password manager was locked.

The really worrying thing about this research is just how simple it is. Using a proprietary reverse engineering tool, ISE analysts were able to quickly evaluate the password managers’ handling of secrets in their locked state. ISE found that standard memory forensics can be used to extract the master password and the secrets it’s supposed to guard.
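The failure mode described above, a master password that stays resident in process memory after the vault is "locked", comes down to whether the lock routine actually erases the secret or only flips a state flag. The following C program is an added illustration written for this article; it is not ISE's tool, and `vault_t`, `vault_lock_naive`, `vault_lock_scrubbed` and the `demo_*` helpers are a hypothetical minimal vault constructed here, not any product's real code. It contrasts a lock that leaves the bytes in place with one that zeroises them through a volatile pointer (so the compiler cannot drop the writes as "dead stores"), and includes the check a product's own test suite could run to confirm the secret is gone.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical minimal vault, constructed for this example only:
   the master password lives in a fixed buffer while the vault is unlocked. */
#define MASTER_MAX 64

typedef struct {
    char master[MASTER_MAX]; /* master password bytes while unlocked */
    size_t master_len;
    int locked;
} vault_t;

/* Constructed sample master password, not a real credential. */
#define DEMO_MASTER "correct horse battery staple"

/* Zeroise a buffer in a way the optimiser cannot elide: writing through a
   volatile pointer forces every store to happen even if the buffer is
   never read again (a plain memset() before free/return may be removed). */
static void secure_zero(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) {
        *vp++ = 0;
    }
}

/* Unlock: copy the master password into the vault's working buffer.
   Returns 0 on success, -1 if the password does not fit. */
int vault_unlock(vault_t *v, const char *master) {
    size_t len = strlen(master);
    if (len >= MASTER_MAX) {
        return -1;
    }
    memcpy(v->master, master, len + 1);
    v->master_len = len;
    v->locked = 0;
    return 0;
}

/* Naive lock: sets the flag but leaves the secret bytes in memory.
   This is the behaviour the study describes: "locked" to the user,
   but the master password is still readable by anything that can
   inspect the process's memory. */
void vault_lock_naive(vault_t *v) {
    v->locked = 1;
}

/* Hardened lock: erase the secret before declaring the vault locked. */
void vault_lock_scrubbed(vault_t *v) {
    secure_zero(v->master, sizeof v->master);
    v->master_len = 0;
    v->locked = 1;
}

/* Defensive check: does the master password (at any offset) still sit in
   the vault buffer? Returns 1 if resident, 0 if clean. A product's test
   suite can run this against every lock path. */
int vault_secret_resident(const vault_t *v, const char *master) {
    size_t len = strlen(master);
    if (len == 0 || len > sizeof v->master) {
        return 0;
    }
    for (size_t i = 0; i + len <= sizeof v->master; i++) {
        if (memcmp(v->master + i, master, len) == 0) {
            return 1;
        }
    }
    return 0;
}

/* Returns 1 when the naive lock leaves the secret resident (expected). */
int demo_naive_lock_leaves_secret(void) {
    vault_t v = {0};
    if (vault_unlock(&v, DEMO_MASTER) != 0) {
        return -1;
    }
    vault_lock_naive(&v);
    return v.locked && vault_secret_resident(&v, DEMO_MASTER);
}

/* Returns 1 when the scrubbed lock has removed the secret (expected). */
int demo_scrubbed_lock_clears_secret(void) {
    vault_t v = {0};
    if (vault_unlock(&v, DEMO_MASTER) != 0) {
        return -1;
    }
    vault_lock_scrubbed(&v);
    return v.locked && !vault_secret_resident(&v, DEMO_MASTER);
}

int main(void) {
    printf("naive lock leaves master password resident:   %d\n",
           demo_naive_lock_leaves_secret());
    printf("scrubbed lock leaves buffer clean:            %d\n",
           demo_scrubbed_lock_clears_secret());
    return 0;
}
```

Scrubbing the vault's own buffer is necessary but not sufficient: copies of the secret can also survive in other allocations the unlock path touched (string temporaries, UI widgets, clipboard), in swap, or in a crash dump, so the same check has to be applied wherever the secret is copied, and the workaround the researchers give below (terminating the process rather than leaving it locked) exists precisely because a user cannot verify this from the outside.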

“Given the huge user base of people already using password managers, these vulnerabilities will entice hackers to target and steal data from these computers via malware attacks,” says ISE lead researcher Adrian Bednarek.

“Once they have your master password, it’s game over.”

ISE executive partner Ted Harrington says internet users should keep their secrets more secure until vendors fix the issues by never leaving a password manager running in the background - even in a locked state - and by terminating the process completely if they are using one of the aforementioned password managers.

“People believe using password managers makes their data safer and more secure on their computer,” says Harrington.

“Our research provides a public service to vendors of these widely-adopted products who must now mitigate against attacks based on the discovered security issues, as well as alert consumers who have a false sense of security about their effectiveness.”
