We all know that we’re not supposed to re-use passwords even once. However, between personal and professional accounts, many people are now juggling dozens (if not hundreds) of login credentials.
Since you can’t re-use passwords and you can’t write them down, the accepted solution has been to use an all-in-one password manager protected by a strong password. One secure set of login information basically acts as your virtual key ring, allowing you to safely store passwords by the hundreds if need be.
Password managers are still widely considered to be a best security practice. However, it’s important to keep in mind that no system is perfect or without vulnerabilities. A security shortcoming that is common to nearly all of the biggest password managers has emerged, and it’s vital that everyone who uses these tools be aware of it.
The gaping password manager security hole
This vulnerability comes from a February 2019 report released by United States consulting firm Independent Security Evaluators (ISE). The study found similar vulnerabilities in five of the most popular password manager programs for Windows 10: 1Password 7, 1Password 4, Dashlane, KeePass and LastPass.
The problem is that each of these password managers will, at some point, store the master password in local memory in plain text while they are running. The process is a bit different for each of the tested password managers, but all of them have a point at which the password can be retrieved by someone who knows where to look – and for some of them, this is during the time that the password manager should be in a “locked” state.
This vulnerability does require an attacker to have access to the local machine’s RAM. However, a hacker who knows what to look for and has such access would be able to retrieve the master password nearly as easily as if it were stored in an unencrypted text file.
All of the tested password managers do protect the master password when they are not running. The problem is that none of them adequately protect the master password and/or wipe it from RAM while they are running, leaving unencrypted password material in system memory. Even highly complex passwords are fully exposed this way.
A more detailed summary of each password manager’s individual issues follows:
- 1Password 4: Leaves the most recently used master password exposed when transitioning from unlocked to locked state; also has an exploitable bug that leaves the master password in memory in plaintext while locked
- 1Password 7: The most recent version of 1Password is even less secure, keeping all passwords in plaintext in memory while locked and not removing them until the program is shut down; passwords can also be extracted by way of a memory leak bug
- Dashlane: Exposes all securely stored user passwords in plaintext whenever a user updates any information through the user interface
- KeePass: Scrubs master passwords from memory after use, but has exploitable memory leak errors that expose plaintext passwords
- LastPass: Fails to scrub plaintext database entries from memory when a user unlocks and re-locks their account
In sum, it appears that most password managers are either not scrubbing entries from memory properly when they go from an unlocked to locked state – or even if they are, there are still memory leak openings that can be taken advantage of.
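The unlocked-to-locked transition is where the report says scrubbing goes wrong, so here is an added illustration (not code from ISE or from any of the vendors named above) of a hypothetical vault object locked two ways: the weak way, where "locking" only flips a flag and the plaintext stays resident, beside a hardened lock that wipes the buffer before the state change. The struct and function names are assumptions made for this example; the wipe uses a volatile pointer so the compiler cannot drop it as a dead store.

```c
#include <stddef.h>
#include <string.h>

#define MASTER_MAX 256

/* Hypothetical vault state holding the master password while unlocked.
 * Field names are assumptions for this example, not any real product's layout. */
typedef struct {
    char master[MASTER_MAX];
    size_t master_len;
    int locked;
} vault_t;

/* A wipe the optimizer cannot elide: every store goes through a volatile
 * pointer. A plain memset() right before the buffer goes unused is routinely
 * removed as a dead store, which is one way plaintext survives a "lock". */
static void secure_wipe(void *p, size_t n) {
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}

/* Unlock: copy the master password into the vault buffer. Returns 0 on success. */
int vault_unlock(vault_t *v, const char *master) {
    size_t n = strlen(master);
    if (n >= MASTER_MAX) return -1;          /* refuse oversized input */
    memcpy(v->master, master, n + 1);
    v->master_len = n;
    v->locked = 0;
    return 0;
}

/* The weak pattern the report describes: only a flag changes, so anyone who
 * can read this process's memory still finds the master password intact. */
void vault_lock_flag_only(vault_t *v) { v->locked = 1; }

/* The hardened form: scrub the secret, then change state. */
void vault_lock_scrubbed(vault_t *v) {
    secure_wipe(v->master, MASTER_MAX);
    v->master_len = 0;
    v->locked = 1;
}

/* Self-check a defender can run in a unit test: is the plaintext still resident? */
int vault_plaintext_resident(const vault_t *v, const char *master) {
    size_t n = strlen(master);
    if (n >= MASTER_MAX) return 0;
    return memcmp(v->master, master, n) == 0;
}
```

A unit test like this, run with optimization enabled, is the cheapest way to catch a lock routine whose wipe was silently optimized away.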
How can this be fixed?
These vulnerabilities all require that the password manager be running and that the master password have been entered at some point. So the system either has to have been compromised remotely in some way prior to that point, or the attacker has to have physical access to it afterward.
Patches should definitely be expected from all of the affected password manager vendors in the coming days, and probably also from some others that were not included in this study (such as Zoho Vault and Sticky Password). ISE identifies these failings as correctable from the developer’s end. Among the measures they suggest are the implementation of keylogger detectors, per-install binary scrambling during the install phase and hardware-based measures such as the use of Intel’s SGX.
Password manager users can also take some proactive measures to protect their personal data. For example, it’s likely that cyber criminals will deploy malware that remotely targets password managers. Malware can be stopped by keeping your operating system updated, running proven anti-malware software and making use of full disk encryption. Systems that haven’t had a checkup in some time should also be scanned for the possible presence of keyloggers and malicious browser extensions. At the local end, set operating systems to auto-lock to deter physical access while you’re away, and also completely shut down the password manager when not in use rather than just leaving it in a locked state.
Primarily a Windows issue
While these vulnerabilities can potentially be present on any type of device, this study focused on Windows 10. The memory leak issues in particular are more specific to that operating system.
Smartphones and tablets running mobile operating systems are less likely to be vulnerable to the specific attacks detailed in the study. The use of third-party two-step verification mobile apps (like Authy) further limits your exposure through a mobile device.
Are password managers safe to use?
This issue is a great illustration of how system and network security consists of interlocking parts that all need to be kept up to date to complement each other and keep personal information safe.
The position of most of the password manager developers in this study is that while they can make some tweaks to address the issue, this is a known security vulnerability that requires some level of existing privileged access and one that cannot really be fully removed. The only way to fully secure the vulnerability is to prevent attackers from breaching the system, whether it be through malware from the outside or unauthorized physical access to it from the inside.
While that point is debatable, it is true that an attacker can’t really take advantage of this if they haven’t already compromised security in some other way in the first place. Password managers are still safe to use, so long as they are used in tandem with good general security hygiene and an effective means of two-factor authentication.