SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Use a password manager? New study reveals it may be worse than useless
Fri, 22nd Feb 2019

According to a recent study, top password manager products that tens of millions of people around the world use every day have fundamental flaws that expose the data they're designed to protect.

These platforms include 1Password, Dashlane, KeePass, and LastPass, which combined have more than 60 million users and 93,000 businesses worldwide relying on them to provide password protection.

The study - Under the Hood of Secrets Management - was carried out by researchers at Independent Security Evaluators (ISE), who conclude that, in the cases they examined, these platforms are no more secure than saving passwords in a plain text file.

“100 percent of the products that ISE analysed failed to provide the security to safeguard a user's passwords as advertised,” says ISE CEO Stephen Bono.

“Although password managers provide some utility for storing login/passwords and limit password reuse, these applications are a vulnerable target for the mass collection of this data through malicious hacking campaigns.”

ISE examined the underlying functionality of the aforementioned products on Windows 10 to understand how users' secrets are stored even when the password manager is locked.

They're marketed as a solution to eliminate the security risks of storing passwords or secrets for applications and browsers in plain text documents. Having previously examined these and other password managers, ISE researchers expected an improved level of security standards preventing malicious credential extraction. Instead, ISE found just the opposite.

One staggering finding was that in certain instances, the master password was sitting in the computer's memory in a plaintext readable format, which is no safer than storing it in a document or on the desktop as far as a cybercriminal is concerned.

While users are led to believe their information is secure when the password manager is locked, once the master password is available to an attacker they're equipped to easily decrypt the password manager database containing any stored secrets, usernames, and passwords.

To prove its point, ISE went ahead and demonstrated how it is possible to extract master passwords and other login credentials from memory while the password manager was locked.

The really worrying thing about this research is how simple it is. Using a proprietary reverse-engineering tool, ISE analysts were able to quickly evaluate how each password manager handles secrets in its locked state. ISE found that standard memory forensics - inspecting the memory of the running process - can be used to extract the master password and the secrets it is supposed to guard.
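The following is an added illustration of the failure mode described above, not code from ISE's tool or from any of the vendors named. It models a hypothetical in-process vault that keeps the master password in a buffer while unlocked, and compares a "lock" that only flips a flag (leaving the plaintext in memory, as the study reports) with one that scrubs the buffer first. The scan routine is the kind of pattern search a memory-forensics tool performs on a process dump; the sample password, the vault layout, and the function names are all constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical vault layout: the master password lives in a fixed buffer
 * while the manager is unlocked. Purely illustrative, not any product's code. */
#define VAULT_BUF 64

typedef struct {
    char master[VAULT_BUF];   /* plaintext master password while unlocked */
    int  unlocked;
} vault_t;

/* Zero a buffer with volatile stores so the optimiser cannot drop the writes
 * (the same idea as SecureZeroMemory on Windows or explicit_bzero on BSD/glibc). */
static void secure_zero(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) *vp++ = 0;
}

void vault_unlock(vault_t *v, const char *pw) {
    strncpy(v->master, pw, VAULT_BUF - 1);
    v->master[VAULT_BUF - 1] = '\0';
    v->unlocked = 1;
}

/* Weak lock: clears the flag only; the plaintext stays resident in memory. */
void vault_lock_weak(vault_t *v) {
    v->unlocked = 0;
}

/* Hardened lock: scrub the secret before reporting the vault as locked. */
void vault_lock_scrub(vault_t *v) {
    secure_zero(v->master, sizeof v->master);
    v->unlocked = 0;
}

/* Forensic-style scan: search a captured memory region for a known pattern.
 * Returns the offset of the first match, or -1 if absent. */
long scan_region(const unsigned char *mem, size_t len, const char *needle) {
    size_t nlen = strlen(needle);
    if (nlen == 0 || nlen > len) return -1;
    for (size_t i = 0; i + nlen <= len; i++)
        if (memcmp(mem + i, needle, nlen) == 0) return (long)i;
    return -1;
}

/* Experiment: unlock, lock (with or without scrubbing), then treat the vault's
 * bytes as the dump an attacker captured. Returns 1 if the password is still
 * recoverable after locking, 0 otherwise. */
int leaks_after_lock(int scrub) {
    const char *sample_pw = "correct horse battery staple";  /* constructed sample */
    vault_t v;
    memset(&v, 0, sizeof v);
    vault_unlock(&v, sample_pw);
    if (scrub) vault_lock_scrub(&v); else vault_lock_weak(&v);
    return scan_region((const unsigned char *)&v, sizeof v, sample_pw) >= 0;
}

int main(void) {
    printf("weak lock, password recoverable:  %d\n", leaks_after_lock(0));
    printf("scrub lock, password recoverable: %d\n", leaks_after_lock(1));
    return 0;
}
```

The scan here covers only the vault struct itself; in a real process the same search would be run over every readable region of a full dump, and copies left by string libraries, UI widgets, registers spilled to the stack, or the allocator can keep a secret alive even after the application's own buffer is scrubbed. That is why scrubbing on lock is necessary but not sufficient, and why the study's advice to terminate the process, rather than merely lock it, is the conservative choice for users.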

“Given the huge user base of people already using password managers, these vulnerabilities will entice hackers to target and steal data from these computers via malware attacks,” says ISE lead researcher Adrian Bednarek.

“Once they have your master password, it's game over.”

ISE executive partner Ted Harrington says that until vendors fix the issues, users of the aforementioned password managers should never leave the application running in the background - even in a locked state - and should terminate the process completely whenever they are not actively using it.

“People believe using password managers makes their data safer and more secure on their computer,” says Harrington.

“Our research provides a public service to vendors of these widely-adopted products who must now mitigate against attacks based on the discovered security issues, as well as alert consumers who have a false sense of security about their effectiveness.”