Over 60 million users of password managers worldwide are exposed to critical flaws in the most popular password managers, flaws that allow attackers to extract master passwords and other data from those applications.
Research by security consulting firm ISE has revealed that some of the most popular password managers worldwide, such as 1Password 7, 1Password 4, Dashlane, KeePass, and LastPass feature security vulnerabilities that allow attackers to gain access to master passwords and individual passwords of millions of Internet users worldwide.
These password managers are also used by tens of thousands of organisations across the globe and allow people not only to secure their online accounts with strong passwords but also save them from the hassle of remembering different passwords for different online accounts.
Common security flaws in most password managers
According to the researchers, in order to completely secure sensitive user data from external actors, password managers must be configured in such a way that even when they are not running, there should be no data stored on disk that could be leveraged by an attacker to compromise a database. At the same time, the password database should also be strongly encrypted to ensure that even if an attacker gains access to it, the attacker cannot decrypt it.
However, upon analysing popular password managers such as 1Password 7, 1Password 4, Dashlane, KeePass, and LastPass, the researchers concluded that each of them featured vulnerabilities that could allow attackers to gain access to sensitive databases and steal master passwords and accompanying user data.
For example, in the case of 1Password 4, the researchers observed that when it is unlocked, the master password remains in memory and the software fails to scrub the obfuscated password memory region sufficiently. In certain cases, the master password is left in memory in clear text even when the application is locked.
Similarly, they also observed that 1Password 7 scrubs neither the individual passwords, the master password, nor the secret key from memory when transitioning from unlocked to locked, which renders the lock button ineffective: sensitive information stays in memory until the user exits the software entirely.
Dashlane, another popular password manager, “exposes only the active entry a user is interacting with. So, at most, the last active entry is exposed in memory while Dashlane is in an unlocked and locked state. However, once a user updates any information in an entry, Dashlane exposes the entire database plaintext in memory and it remains there even after Dashlane is logged out of or ‘locked’,” they explained.
“All password managers we examined sufficiently secured user secrets while in a ‘not running’ state. That is, if a password database were to be extracted from disk and if a strong master password was used, then brute forcing of a password manager would be computationally prohibitive.
“Each password manager also attempted to scrub secrets from memory. But residual buffers remained that contained secrets, most likely due to memory leaks, lost memory references, or complex GUI frameworks which do not expose internal memory management mechanisms to sanitize secrets,” they added.
According to ISE, the most important thing to do for firms offering password managers is to ensure that no residual data is left on disk when a password manager is placed into a locked state. This is because, as long as the application remains in a locked state, attackers can exploit these weaknesses to extract information that is stored in clear text in memory.
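As an added illustration of the lock-transition weakness described above (example code written for this page, not code from ISE or from any of the products named): a minimal vault session in C whose lock step scrubs the master password with a volatile write loop, shown beside a flag-only lock that leaves the secret resident. The struct and function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical "vault session": holds the master password while unlocked
 * and must leave no copy of it in memory once locked. */
typedef struct {
    char master[64];
    size_t master_len;
    int unlocked;
} vault_session;

/* Compiler-resistant zeroing. A plain memset() on a buffer that is never
 * read again may be dropped as a dead store by the optimizer, which is one
 * way a "scrubbed" secret survives in memory. Writing through a volatile
 * pointer forces the stores to be emitted. (explicit_bzero / memset_s do
 * the same where available; this loop is portable C.) */
static void secure_zero(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) *vp++ = 0;
}

/* Unlock: copy the master password into the session buffer. */
int vault_unlock(vault_session *s, const char *pw) {
    size_t len = strlen(pw);
    if (len >= sizeof s->master) return -1;   /* reject oversized input */
    memcpy(s->master, pw, len + 1);
    s->master_len = len;
    s->unlocked = 1;
    return 0;
}

/* Weak lock: only flips the state flag, the secret stays resident. */
void vault_lock_flag_only(vault_session *s) { s->unlocked = 0; }

/* Hardened lock: scrub the secret, then flip the flag. */
void vault_lock(vault_session *s) {
    secure_zero(s->master, sizeof s->master);
    s->master_len = 0;
    s->unlocked = 0;
}

/* Harness check: is any byte of the master password still in the buffer? */
int vault_secret_resident(const vault_session *s) {
    for (size_t i = 0; i < sizeof s->master; i++)
        if (s->master[i] != 0) return 1;
    return 0;
}
```

A real client would also have to scrub derived keys and any GUI or framework copies of the string, which is exactly where the ISE report found residual buffers.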
Password managers are still the best option for netizens
Commenting on the findings of ISE researchers, Amit Sethi, senior principal consultant at Synopsys, said that compared to all the things that can go wrong when people use weak passwords or reuse passwords across websites, these issues are quite minor. People should not let these weaknesses deter them from using a good password manager.
“The main risk here is that somebody who gets access to your computer while your password manager is running but locked may be able to get access to your passwords. The first step is to upgrade your password manager to the latest available version. Almost all of the password managers that were studied have newer versions available that may have addressed these weaknesses. Then, make sure that you are using a strong master password that would be difficult for others to guess or brute-force.
“If you want to be more careful, close your password manager completely whenever you leave your computer unattended. Do not simply lock the password manager and hope that your passwords will be safe. Finally, enable disk encryption on your computer. Then, shut down your computer or place it in hibernation mode if possible whenever you leave it unattended. Alternately, avoid leaving your computer unattended,” he added.