Use a password manager? New study reveals it may be worse than useless

22 Feb 2019

According to a recent study, top password manager products that tens of millions of people around the world use every day have fundamental flaws that expose the data they’re designed to protect.

These platforms include 1Password, Dashlane, KeePass, and LastPass, which combined have more than 60 million users and 93,000 businesses worldwide relying on them to provide password protection.

The study - Under the Hood of Secrets Management - was carried out by researchers at Independent Security Evaluators (ISE), who argue that, under the conditions they tested, these platforms are no more secure than saving passwords into a text file.

"100 percent of the products that ISE analysed failed to provide the security to safeguard a user’s passwords as advertised,” says ISE CEO Stephen Bono.

“Although password managers provide some utility for storing login/passwords and limit password reuse, these applications are a vulnerable target for the mass collection of this data through malicious hacking campaigns.”

ISE examined the underlying functionality of the aforementioned products on Windows 10 to understand how users’ secrets are stored even when the password manager is locked.

They’re marketed as a solution to eliminate the security risks of storing passwords or secrets for applications and browsers in plain text documents. Having previously examined these and other password managers, ISE researchers expected an improved level of security standards preventing malicious credential extraction. Instead, ISE found just the opposite.

One staggering finding was that in certain instances the master password remained in the computer’s memory in plaintext even after the password manager had been locked, which is no safer than storing it in a document on the desktop as far as a cybercriminal with access to the machine is concerned.

While users are led to believe their information is secure when the password manager is locked, once the master password is available to an attacker they’re equipped to easily decrypt the password manager database containing any stored secrets, usernames, and passwords.

To prove its point, ISE went ahead and demonstrated how it is possible to extract master passwords and other login credentials from memory while the password manager was locked.

The really worrying thing about this research is just how simple it is. Using a proprietary reverse-engineering tool, ISE analysts were able to quickly evaluate how each password manager handles secrets in its locked state. ISE found that standard memory forensics can be used to extract the master password and the secrets it is supposed to guard.
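The failure mode the researchers describe is not exotic: a "locked" state that only flips a flag leaves the master password and any derived key sitting in the process's memory, where a memory-forensics pass (a dump of the process, or malware reading it directly) can find them. The following C program is an added illustration, written for this article and not taken from ISE's tooling or from any of the products named. It models a toy vault with a weak lock and a hardened lock, then runs a simple byte-pattern scan over the vault's own memory in place of a real forensics tool. The sample master password, the vault layout and the `derive_key` stretch are constructed for the example; `derive_key` is not a real key-derivation function.

```c
/* Added example: a toy vault whose "lock" either leaves secrets in memory
 * (the pattern the ISE study describes) or scrubs them first. Not ISE code. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

#define MASTER_MAX 64

typedef struct {
    char master[MASTER_MAX];   /* master password held while unlocked */
    uint8_t key[32];           /* toy derived key (constructed, not a real KDF) */
    int locked;
} vault_t;

/* Constructed stand-in for a KDF: only here so the key is distinct bytes to scrub. */
static void derive_key(const char *master, uint8_t out[32]) {
    size_t n = strlen(master);
    if (n == 0) n = 1;                       /* avoid modulo by zero on empty input */
    for (size_t i = 0; i < 32; i++)
        out[i] = (uint8_t)(master[i % n] ^ (uint8_t)(i * 31 + 7));
}

/* Zeroing through a volatile pointer so the compiler cannot drop it as a dead store. */
static void secure_zero(void *p, size_t n) {
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}

void vault_unlock(vault_t *v, const char *master) {
    strncpy(v->master, master, MASTER_MAX - 1);
    v->master[MASTER_MAX - 1] = '\0';
    derive_key(v->master, v->key);
    v->locked = 0;
}

/* Weak lock: the UI says "locked", but the master password and key are untouched. */
void vault_lock_weak(vault_t *v) {
    v->locked = 1;
}

/* Hardened lock: scrub the master password and derived key before flagging locked. */
void vault_lock_hardened(vault_t *v) {
    secure_zero(v->master, sizeof v->master);
    secure_zero(v->key, sizeof v->key);
    v->locked = 1;
}

/* Stand-in for a memory-forensics pass: does this memory region contain the needle? */
int region_contains(const void *region, size_t len, const void *needle, size_t nlen) {
    const unsigned char *r = region;
    if (nlen == 0 || len < nlen) return 0;
    for (size_t i = 0; i + nlen <= len; i++)
        if (memcmp(r + i, needle, nlen) == 0) return 1;
    return 0;
}

/* Returns 1 if the plaintext master password is still recoverable from the
 * vault's memory after locking, 0 if not, -1 on allocation failure. */
int leaks_after_lock(int hardened) {
    const char *master = "correct horse battery staple";   /* constructed sample */
    vault_t *v = calloc(1, sizeof *v);
    if (!v) return -1;
    vault_unlock(v, master);
    if (hardened) vault_lock_hardened(v); else vault_lock_weak(v);
    int found = region_contains(v, sizeof *v, master, strlen(master));
    secure_zero(v, sizeof *v);   /* scrub before returning memory to the allocator */
    free(v);
    return found;
}

int main(void) {
    printf("weak lock leaks master password:     %d\n", leaks_after_lock(0));
    printf("hardened lock leaks master password: %d\n", leaks_after_lock(1));
    return 0;
}
```

The scan here only covers the buffer the vault controls. A real product also has to worry about copies it does not control: the text field that received the master password, temporary strings created by the runtime or allocator, and memory handed back with `free` without scrubbing. A hardened lock is only as good as its coverage of every copy, which is why testing against a memory dump of the running process, as ISE did, is the meaningful check.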

“Given the huge user base of people already using password managers, these vulnerabilities will entice hackers to target and steal data from these computers via malware attacks,” says ISE lead researcher Adrian Bednarek.

“Once they have your master password, it’s game over.”  

ISE executive partner Ted Harrington says that until vendors fix the issues, users of the aforementioned password managers should not leave the application running in the background - even in a locked state - and should terminate the process completely when they are not using it.

“People believe using password managers makes their data safer and more secure on their computer,” says Harrington.

“Our research provides a public service to vendors of these widely-adopted products who must now mitigate against attacks based on the discovered security issues, as well as alert consumers who have a false sense of security about their effectiveness.”
