Password managers found to have critical flaw
20 February 2019
Despite the repeated advice from security experts to use password managers, a new report from Independent Security Evaluators (ISE) has found that several of the most popular such applications have fundamental flaws which expose the data they hold, rendering them no more secure than saving passwords in a plain text file.
The new report, entitled “Under the Hood of Secrets Management,” revealed serious weaknesses in top password managers: 1Password, Dashlane, KeePass and LastPass. ISE researchers said they examined the underlying functionality of these products on Windows 10 to understand how users’ secrets are stored even when the password manager is locked. The report states that more than 60 million individuals and 93,000 businesses worldwide rely on password managers.
ISE demonstrated it is possible to extract master passwords and other log-in credentials from memory while the password manager was locked.
“One hundred percent of the products that ISE analysed failed to provide the security to safeguard a user’s passwords as advertised,” said Stephen Bono, CEO. “Although password managers provide some utility for storing login/passwords and limit password reuse, these applications are a vulnerable target for the mass collection of this data through malicious hacking campaigns.”
One major finding from the report was that, in certain instances, the master password resided in the computer’s memory in plaintext, readable form. The report asserts that this is no safer than storing it in a document or on the desktop as far as an adversary is concerned. Users are led to believe the information is secure when the password manager is locked, the researchers argue; yet once the master password is available to an attacker, they can decrypt the password manager database, which holds the stored secrets, usernames and passwords.
Using a proprietary reverse-engineering tool, ISE analysts said they were able to quickly evaluate how each password manager handles secrets in its locked state. ISE found that standard memory forensics can be used to extract the master password and the secrets it is supposed to guard.
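The finding above comes down to one defensive property: when a vault is "locked", the master password must actually be erased from process memory, not merely marked as unavailable. The following added C example (not code from ISE or from any of the named products; the vault structure, the function names and the sample password are all constructed for illustration) contrasts a naive lock that only flips a state flag with one that scrubs the key buffer, and runs a residue check over the buffer that stands in for what a memory dump would reveal. The scrub goes through a volatile function pointer so the compiler cannot elide the memset as a dead store, which is the usual reason zeroisation silently fails.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define VAULT_KEY_MAX 64

/* Hypothetical in-process vault state: the master password is held in
 * `key` only while the vault is unlocked. */
typedef struct {
    unsigned char key[VAULT_KEY_MAX];
    size_t key_len;
    int unlocked;
} vault_t;

/* Compiler-resistant zeroisation: calling memset through a volatile
 * function pointer stops the optimiser from dropping the store because
 * the buffer is never read again by this program. */
static void *(*volatile memset_fn)(void *, int, size_t) = memset;

static void secure_zero(void *p, size_t n) {
    memset_fn(p, 0, n);
}

/* Copy the master password into the vault and mark it unlocked. */
void vault_unlock(vault_t *v, const char *master, size_t len) {
    if (len > VAULT_KEY_MAX) len = VAULT_KEY_MAX;
    memcpy(v->key, master, len);
    v->key_len = len;
    v->unlocked = 1;
}

/* Naive lock: flips the state but leaves the secret bytes in place,
 * which is the failure mode the report describes. */
void vault_lock_naive(vault_t *v) {
    v->unlocked = 0;
    v->key_len = 0;
}

/* Correct lock: scrub the key material before changing state. */
void vault_lock_scrubbed(vault_t *v) {
    secure_zero(v->key, sizeof v->key);
    v->key_len = 0;
    v->unlocked = 0;
}

/* Residue check: does `needle` still appear anywhere in `hay`?
 * A memory-forensics pass over the process would find the same bytes. */
int buffer_contains(const unsigned char *hay, size_t hay_len,
                    const char *needle, size_t needle_len) {
    if (needle_len == 0 || needle_len > hay_len) return 0;
    for (size_t i = 0; i + needle_len <= hay_len; i++) {
        if (memcmp(hay + i, needle, needle_len) == 0) return 1;
    }
    return 0;
}

/* Returns 1 if the master password survives a lock performed by `lock`,
 * 0 if the key buffer no longer contains it. */
int residue_after_lock(void (*lock)(vault_t *)) {
    static const char master[] = "correct horse battery staple"; /* constructed sample */
    vault_t v;
    memset(&v, 0, sizeof v);
    vault_unlock(&v, master, strlen(master));
    lock(&v);
    return buffer_contains(v.key, sizeof v.key, master, strlen(master));
}

int main(void) {
    printf("naive lock leaves master password in memory: %s\n",
           residue_after_lock(vault_lock_naive) ? "yes" : "no");
    printf("scrubbed lock leaves master password in memory: %s\n",
           residue_after_lock(vault_lock_scrubbed) ? "yes" : "no");
    return 0;
}
```

The check covers only the vault's own key buffer. Every other copy of the secret, such as input buffers, UI control text, or the sample string literal used here, is a separate exposure unless it is scrubbed in the same way, which is the general lesson behind the report's advice to terminate the process rather than trust a lock.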
“Given the huge user base of people already using password managers, these vulnerabilities will entice hackers to target and steal data from these computers via malware attacks,” said Adrian Bednarek, lead researcher, ISE. “Once they have your master password, it’s game over.”
“People believe using password managers makes their data safer and more secure on their computer,” said Ted Harrington, executive partner, ISE. “Our research provides a public service to vendors of these widely adopted products who must now mitigate against attacks based on the discovered security issues, as well as alert consumers who have a false sense of security about their effectiveness.”
The report recommends that, until vendors fix the issues, password manager users keep their secrets more secure by not leaving a password manager running in the background, even in a locked state, and by terminating the process completely if they are using one of the affected password managers.
The report, said ISE, is part of its ongoing research initiative conducted to protect consumers and businesses and to inform manufacturers of vulnerabilities that could expose their customers to risk. All vulnerabilities and relevant research findings have been responsibly disclosed to the manufacturers, said the company.