ISE reports critical security flaw in all password managers

  • Independent security consulting company ISE reports that it's found critical flaws in popular password manager software that allow an attacker to uncover your passwords.

    In today's age of regular data breaches, hackers have access to massive databases of email addresses and associated passwords. The average person can be signed up for hundreds of different websites, and the only way to secure your accounts across the internet is to use a different and sufficiently random password on every single one so that if one site is breached the others are safe.

    This means the only secure password is one you can't remember, and that poses a problem for everyday use. Password managers offer to solve this problem by generating random passwords for you, storing them in cryptographically secure vaults online or on your PC, and automatically filling in the password fields on websites and other services. Access to the vault is secured with one master password, so that's the only one you have to remember.

    Independent security consulting company ISE has now raised the alarm about a potential critical flaw in all password managers, claiming that hackers with access to the computer can easily obtain your master password and breach your password vault. The report entitled "Password Managers: Under the Hood of Secrets Management" highlights these flaws in popular password managers 1Password, Dashlane, KeePass, and LastPass on the Windows 10 platform.

    All of the password managers analysed maintained security of both the master password and the individual passwords while the password manager was not running, but ISE determined that many of them were incorrectly implementing the "locked" state when running or were failing to scrub memory regions containing passwords when switching from an unlocked to locked state. Under some circumstances, the master password or individual passwords were even reportedly stored in memory in plain text when the software was supposed to be in a secure locked state.

    As a result, standard memory forensic techniques could be used to extract the user's master passwords and individual passwords in all of the password managers mentioned. A hacker with access to the computer system could feasibly obtain all of your passwords that are supposed to be secured. ISE suggests that a certain minimum standard of "security guarantees" must be established for password managers going forward.
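The lock-state defect the report describes, and the check a defender would run against it, as an added example that is not code from ISE or from any of the password managers named. The vault structure, field names and sample master password are constructed for illustration; the scrubbing routine uses the volatile-pointer pattern so the compiler cannot remove the zeroing as a dead store.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>
/* Constructed, hypothetical vault state; not code from any real password manager. */
typedef struct {
    char master[64]; /* master password, resident while unlocked */
    bool locked;
} vault_t;
/* Zero via a volatile pointer so the optimizer cannot drop the store (as explicit_bzero/memset_s do). */
static void secure_memzero(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) *vp++ = 0;
}

void vault_unlock(vault_t *v, const char *master) {
    memset(v->master, 0, sizeof v->master);
    strncpy(v->master, master, sizeof v->master - 1);
    v->locked = false;
}

/* The defect the report describes: "locked" is only a flag, so the secret
 * stays in memory and a dump of the process still contains it. */
void vault_lock_flag_only(vault_t *v) { v->locked = true; }

/* The fix: scrub the buffer before reporting the locked state. */
void vault_lock_scrubbed(vault_t *v) {
    secure_memzero(v->master, sizeof v->master);
    v->locked = true;
}

/* Defender's self-check: does any byte of the secret survive the lock? */
bool secret_resident(const vault_t *v) {
    for (size_t i = 0; i < sizeof v->master; i++)
        if (v->master[i] != 0) return true;
    return false;
}

/* True when the given lock routine leaves the master password resident. */
bool lock_leaves_secret(void (*lock)(vault_t *)) {
    vault_t v = {0};
    vault_unlock(&v, "constructed-sample-master-pw");
    lock(&v);
    return v.locked && secret_resident(&v);
}

int main(void) {
    printf("flag-only lock leaves secret: %d\n", lock_leaves_secret(vault_lock_flag_only));
    printf("scrubbed lock leaves secret:  %d\n", lock_leaves_secret(vault_lock_scrubbed));
    return 0;
}
```

The same self-check generalises to any buffer that held a decrypted entry: after the transition to the locked state, no byte of it should be non-zero.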

    Source: ISE, via TechCentral

    About the author

    Brendan is a Sync NI writer with a special interest in the gaming sector, programming, emerging technology, and physics. To connect with Brendan, feel free to send him an email or follow him on Twitter.
