
Password managers leaking data in memory, but you should still use one


Researchers have uncovered a surprising security weakness in password managers – several popular products appear to do a weak job at scrubbing passwords from memory once they are no longer being used.

An analysis by Independent Security Evaluators (ISE) uncovered the problem to different degrees in versions of 1Password, Dashlane, LastPass and KeePass.

The good news is that all managers successfully secured passwords when the software wasn’t running – when passwords, including the master password, were sitting in the database in an encrypted state.

However, things went downhill a bit when ISE looked at how these products secure passwords in both the locked state (running prior to entering the master password or running after logging out), and the fully unlocked state (after entering the master password).

Rather than generalise, it’s best to describe the issues for each product.

1Password4 for Windows (v4.6.2.626)

This legacy version keeps an obfuscated version of the master password in memory which isn’t scrubbed when returning to a locked state. Under certain conditions, a vulnerable cleartext version is left in memory.

1Password7 for Windows (v7.2.576)

Despite being the current version, the researchers rated it as less secure than 1Password4 because it decrypts and caches all database passwords rather than one at a time. 1Password7 also fails to scrub passwords from memory, including the master password, when moving to a locked state. This compromises the effectiveness of the lock button, requiring the user to completely exit the program.

Dashlane for Windows (v6.1843.0)

Dashlane exposes only one password at a time in memory until a user updates an entry, at which point the entire database is exposed in plaintext. This remains true even when the user locks the database.

KeePass Password Safe (v2.40)

Database entries are not scrubbed from memory after each is used, although the master password was, thankfully, not recoverable.

LastPass for Applications (v4.1.59)

Database entries remain in memory even when the application is locked. Furthermore, when deriving the decryption key, the master password is “leaked into a string buffer” where it is not wiped, even when the application is locked (note: this version is used to manage application passwords and is distinct from the web plugin).
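A sketch of the behaviour the researchers were looking for, written here as an added example (not code from ISE or any of the products): the working copy of the master password is wiped right after key derivation, locking scrubs the key and the decrypted entry, and `vault_contains` scans the object's bytes as a regression check. The `struct vault` layout, the function names and the toy key derivation are assumptions for illustration.

```c
#include <stdint.h>
#include <string.h>

enum { KEY_LEN = 32, BUF_LEN = 64 };
/* Hypothetical vault layout for illustration; not any product's. */
struct vault {
    int     unlocked;
    char    kdf_buf[BUF_LEN]; /* working copy of the master password */
    uint8_t key[KEY_LEN];     /* derived key, needed only while unlocked */
    char    entry[BUF_LEN];   /* the one entry currently decrypted */
};

/* Writes through a volatile pointer are kept by compilers in practice,
 * whereas a trailing memset() may be removed as a dead store. */
static void secure_wipe(void *p, size_t n) {
    volatile uint8_t *v = (volatile uint8_t *)p;
    while (n--) *v++ = 0;
}

int vault_unlock(struct vault *v, const char *master) {
    size_t len = strlen(master);
    if (len == 0 || len >= BUF_LEN) return -1;
    memcpy(v->kdf_buf, master, len + 1);
    for (size_t i = 0; i < KEY_LEN; i++) /* toy KDF stand-in, NOT secure */
        v->key[i] = (uint8_t)((unsigned char)v->kdf_buf[i % len] * 31u + i);
    secure_wipe(v->kdf_buf, sizeof v->kdf_buf); /* wipe right after use */
    v->unlocked = 1;
    return 0;
}

/* Decrypt-on-demand stand-in: one plaintext entry held at a time. */
int vault_show(struct vault *v, const char *plaintext) {
    if (!v->unlocked || strlen(plaintext) >= BUF_LEN) return -1;
    secure_wipe(v->entry, sizeof v->entry); /* drop the previous entry */
    strcpy(v->entry, plaintext);
    return 0;
}

/* Lock scrubs every secret-bearing field instead of only clearing a flag. */
void vault_lock(struct vault *v) {
    secure_wipe(v->key, sizeof v->key);
    secure_wipe(v->entry, sizeof v->entry);
    v->unlocked = 0;
}

/* Regression check: 1 if needle occurs anywhere in the vault's bytes. */
int vault_contains(const struct vault *v, const char *needle) {
    for (size_t i = 0, n = strlen(needle); n && i + n <= sizeof *v; i++)
        if (memcmp((const uint8_t *)v + i, needle, n) == 0) return 1;
    return 0;
}
```

Where the platform offers one, a dedicated primitive such as `explicit_bzero()` or `SecureZeroMemory()` is preferable to a hand-rolled wipe.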

Clearly, if passwords – especially master passwords – are hanging around in memory when the application is locked, this raises the possibility that malware could steal this data after infecting a computer.

The counter-argument is that if malware infects your computer, pretty much everything on that system is at risk whether it’s obfuscated in memory or not. No security application can possibly guarantee to defend against this sort of threat.

The response?

Some of the affected vendors have publicly defended their products, claiming that the issues discovered by the researchers are part of complex design trade-offs.

LastPass also claimed it had cured the problems found in its product and pointed out that an attacker would still require privileged access to a user’s PC.

Is this the end for password managers?

In short, no. Our advice is to continue using password managers because the issues found are still heavily outweighed by the known advantages of using one and will probably be tidied up through updates anyway.

What matters is that researchers prod these products for weaknesses and that the vendors do everything they can to fix them as quickly as possible.

If in doubt, one idea is to shut down (i.e. close) a password manager when it’s not being used.

And, of course, don’t forget to use two-factor authentication whenever you can. That way, even if someone has your password, they still can’t log in as you.

14 Comments

I’ve been using the browser plugin for LastPass for years. But, even before this, I’ve been wondering how much better that is than using the built-in password manager in Edge or Chrome. Any thoughts?


Well, I know that LastPass keeps your passwords encrypted in a way that they claim they can’t decrypt without your password, while browser built-in passwords can be decrypted by default (since the key and password are kept on the same machine) but only accessed on the systems they are already on. On the other hand, LastPass data is stored online, which means it can be accessed from any computer.


This is encrypted locally and the keys used are never transmitted. As a Premium feature this is also protected by MFA.


I probably should also have mentioned that some password managers use monitoring so that if they get compromised, they can alert you. I think you also have the ability to roll back your password manager if the password is changed by someone who isn’t you (this appears true of LastPass), which leaves you with a convenient list of sites with passwords you need to change.


Dedicated password managers offer more security features such as MFA and are also cross-browser. Browsers also suffer more vulnerabilities which in theory might undermine the security of their password storage function.


1)
> the researchers rated [1Password7] as less secure than 1Password4
Was it Facebook or Google that subsidized this “upgrade?”

2)
> Under certain conditions, a vulnerable cleartext version is left in memory.
Did 1Password’s PR department finally land Obi-Wan Kenobi?


How do the above options compare to FLOSS password management tools… e.g., PW Safe, Master Password and LessPass? With free options like KeePass, they sound nice but I’d prefer that my database entries not be stored in memory, which has been shown to be vulnerable in the wake of Spectre/Meltdown.

