Use a password manager? New study reveals it may be worse than useless

22 Feb 2019

According to a recent study, top password manager products that tens of millions of people around the world use every day have fundamental flaws that expose the data they’re designed to protect.

These platforms include 1Password, Dashlane, KeePass, and LastPass, which combined have more than 60 million users and 93,000 businesses worldwide relying on them to provide password protection.

The study, Under the Hood of Secrets Management, was carried out by researchers at Independent Security Evaluators (ISE), and it argues that these platforms are no more secure than saving passwords into a text file.

“100 percent of the products that ISE analysed failed to provide the security to safeguard a user’s passwords as advertised,” says ISE CEO Stephen Bono.

“Although password managers provide some utility for storing login/passwords and limit password reuse, these applications are a vulnerable target for the mass collection of this data through malicious hacking campaigns.”

ISE examined the underlying functionality of the aforementioned products on Windows 10 to understand how users’ secrets are stored even when the password manager is locked.

They’re marketed as a solution to eliminate the security risks of storing passwords or secrets for applications and browsers in plain text documents. Having previously examined these and other password managers, ISE researchers expected an improved level of security standards preventing malicious credential extraction. Instead, ISE found just the opposite.

One staggering finding was that in certain instances the master password was sitting in the computer’s memory as readable plaintext, which is no safer than storing it in a document or on the desktop as far as a cybercriminal is concerned.

While users are led to believe their information is secure when the password manager is locked, once the master password is available to an attacker they’re equipped to easily decrypt the password manager database containing any stored secrets, usernames, and passwords.

To prove its point, ISE went ahead and demonstrated how it is possible to extract master passwords and other login credentials from memory while the password manager was locked.

The really worrying thing about this research is just how simple it is. Using a proprietary reverse engineering tool, ISE analysts were able to quickly evaluate the password managers’ handling of secrets in their locked state. ISE found that standard memory forensics can be used to extract the master password and the secrets it’s supposed to guard.
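As an added illustration, not code from ISE or from any of the vendors named, the C sketch below contrasts a “lock” that only flips a flag (leaving the derived key resident, the residue the article describes) with one that wipes the key and the master-password buffer; the vault_t, derive_key, zeroize and residue_bytes names are hypothetical, and the key derivation is a constructed stand-in for a real KDF.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KEY_LEN 32

/* Hypothetical minimal vault state: holds the key derived from the
 * master password while unlocked. Illustrative, not any vendor's code. */
typedef struct {
    uint8_t key[KEY_LEN];
    int unlocked;
} vault_t;

/* Zeroization the optimizer cannot drop: calling memset through a
 * volatile function pointer is a portable idiom where memset_s or
 * explicit_bzero are unavailable. */
static void *(*const volatile secure_memset)(void *, int, size_t) = memset;
static void zeroize(void *p, size_t n) { secure_memset(p, 0, n); }

/* Constructed stand-in for a KDF (real code would use PBKDF2/Argon2).
 * For printable ASCII input every output byte is non-zero. */
static void derive_key(const char *master_pw, uint8_t out[KEY_LEN]) {
    size_t len = strlen(master_pw);
    for (size_t i = 0; i < KEY_LEN; i++)
        out[i] = (uint8_t)(master_pw[i % len] ^ (uint8_t)i);
}

/* Unlock: derive the key, then wipe the password buffer right away
 * so the master password itself does not linger in memory. */
static void vault_unlock(vault_t *v, char *master_pw) {
    derive_key(master_pw, v->key);
    zeroize(master_pw, strlen(master_pw));
    v->unlocked = 1;
}

/* Weak lock: flips the flag only; the key bytes stay resident. */
static void vault_lock_weak(vault_t *v) { v->unlocked = 0; }

/* Hardened lock: wipe the key before reporting the vault as locked. */
static void vault_lock_hardened(vault_t *v) {
    zeroize(v->key, KEY_LEN);
    v->unlocked = 0;
}

/* Non-zero bytes left in the key slot; >0 means secret residue remains. */
static size_t residue_bytes(const vault_t *v) {
    size_t n = 0;
    for (size_t i = 0; i < KEY_LEN; i++) n += v->key[i] != 0;
    return n;
}
```

A vault that is “locked” only by the flag still answers residue_bytes with a full key; the hardened lock answers zero, which is the property the article says the examined products lacked.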

“Given the huge user base of people already using password managers, these vulnerabilities will entice hackers to target and steal data from these computers via malware attacks,” says ISE lead researcher Adrian Bednarek.

“Once they have your master password, it’s game over.”

ISE executive partner Ted Harrington says internet users should keep their secrets more secure until vendors fix the issues by never leaving a password manager running in the background, even in a locked state, and by terminating the process completely if they are using one of the aforementioned password managers.

“People believe using password managers makes their data safer and more secure on their computer,” says Harrington.

“Our research provides a public service to vendors of these widely-adopted products who must now mitigate against attacks based on the discovered security issues, as well as alert consumers who have a false sense of security about their effectiveness.”
