User credentials exposed by 'massive flaw' in some password managers

News by Rene Millman

Attackers can access the master password of many popular password managers, researchers have found, exposing users to massive risk of credential theft.

Many of the top password manager tools have severe vulnerabilities that expose the data they are designed to protect, rendering them no more secure than saving passwords in a text file, according to a new study by researchers at Independent Security Evaluators (ISE).

In a new report titled "Under the Hood of Secrets Management", researchers found weaknesses with top password managers: 1Password, Dashlane, KeePass and LastPass. ISE examined the underlying functionality of these products on Windows 10 to understand how users’ secrets are stored even when the password manager is locked. More than 60 million individuals and at least 83,000 businesses worldwide rely on the password managers covered by the study.

One major finding was that, in certain instances, the master password was residing in the computer’s memory in a plaintext readable format – no safer than storing it in a document or on the desktop as far as an adversary is concerned. Users are led to believe the information is secure when the password manager is locked.

Once the master password is available to the attacker, they can decrypt the password manager database – the stored secrets, usernames and passwords. ISE demonstrated that it is possible to extract master passwords and other login credentials from memory while the password manager is locked.

Using a proprietary reverse-engineering tool, ISE analysts were able to quickly evaluate how each password manager handles secrets in its locked state. ISE found that standard memory forensics can be used to extract the master password and the secrets it is supposed to guard.
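The weakness described above is a secret that outlives the locked state in process memory. As an added illustration, not taken from the ISE report or from any of the products named, the following hypothetical C vault shows a lock routine that only flips a flag next to one that scrubs the master password, together with the kind of byte scan a memory-forensics pass would make to tell the two apart.

```c
#include <stdio.h>
#include <string.h>

#define MASTER_MAX 64

/* Hypothetical vault state, constructed for this example (not a real product). */
struct vault {
    char master[MASTER_MAX];  /* plaintext master password while unlocked */
    int locked;
};

/* memset called through a volatile pointer: the optimiser cannot treat the
 * overwrite as a dead store and remove it, so the bytes really get cleared. */
static void *(*const volatile secure_memset)(void *, int, size_t) = memset;

void vault_unlock(struct vault *v, const char *pw) {
    size_t n = strlen(pw);
    if (n >= MASTER_MAX) n = MASTER_MAX - 1;
    memset(v, 0, sizeof *v);
    memcpy(v->master, pw, n);
}

/* Weak lock: flips a flag but leaves the secret readable in memory. */
void vault_lock_weak(struct vault *v) { v->locked = 1; }

/* Hardened lock: scrub the secret before reporting the locked state. */
void vault_lock_hardened(struct vault *v) {
    secure_memset(v->master, 0, sizeof v->master);
    v->locked = 1;
}

/* The check a memory scan makes: does the secret still appear in the struct? */
int secret_in_memory(const struct vault *v, const char *pw) {
    size_t n = strlen(pw);
    const unsigned char *p = (const unsigned char *)v;
    for (size_t i = 0; i + n <= sizeof *v; i++)
        if (memcmp(p + i, pw, n) == 0) return 1;
    return 0;
}

/* Unlock with a constructed password, lock with the given strategy, report 1 if the secret survived. */
int demo(void (*lock)(struct vault *)) {
    struct vault v;
    vault_unlock(&v, "constructed-master-pw");
    lock(&v);
    return secret_in_memory(&v, "constructed-master-pw");
}

int main(void) {
    printf("weak lock leaves secret in memory: %d\n", demo(vault_lock_weak));
    printf("hardened lock leaves secret in memory: %d\n", demo(vault_lock_hardened));
    return 0;
}
```

A vendor-supplied scrubbing routine (C11 memset_s, or explicit_bzero on glibc and the BSDs) does the same job as the volatile-pointer trick. The scan here covers only this struct; a real process would also have to account for copies left in freed heap blocks, swap, or UI widget buffers.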

"Given the huge user base of people already using password managers, these vulnerabilities will entice hackers to target and steal data from these computers via malware attacks," said lead researcher, Adrian Bednarek. "Once they have your master password, it’s game over."

The report recommended that, to keep secrets more secure until vendors fix the issues, password manager users should not leave a password manager running in the background, even in a locked state, and should terminate the process completely if they are using one of the affected password managers.

Javvad Malik, security advocate at AlienVault, told SC Media UK that password managers themselves can be targeted, so it's important that users secure them using a strong and unique master password, and implement full disk encryption on the workstation they use.

"Password managers, like any software, can have vulnerabilities discovered, therefore it is important to keep the software up to date for the password manager, as well as the machine upon which it is installed," he said.

Ojas Rege, chief strategy officer at MobileIron, told SC that password managers are useful, but they try to solve the wrong problem.

"Yes, they make it harder to get to a password but they don’t address the root issue: Passwords are fundamentally insecure," he said.

"Malicious hackers in this day and age are able to easily build powerful and fast password-cracking tools that run through tens of millions of possible password combinations in a second. Although password managers increase security, they are not enough to deal with the modern hacker. The recently reported flaws in popular password managers are further evidence of this."

"As an industry, we must focus on addressing the root cause of most data breaches by dumping the outdated password once and for all," he added.

Jake Moore, cyber security expert at ESET UK, told SC that despite the flaw, he would still recommend using a password manager. "Using a password manager is still far better than not, but this flaw does open up an opportunity for hackers," he said.

"Storing passwords in the memory of a computer in this format without sanitisation is not advised, but for this attack to pay off, the hacker would need access to the RAM," he added. "This would require either physical access to the machine or remote access into the victim’s machine. To further protect accounts then, it is strongly advised that users close the password manager completely when not using it and also set up two-factor authentication to be safe."
