Password managers are storing plain-text master passwords in PC memory

Joanna Estrada
February 22, 2019

Password managers have become almost mandatory for heavy computer users who want to stay secure against the always-growing number of attacks, but recent research discovered a major vulnerability in four of the most popular such apps on Windows 10.

Researchers at ISE declared on Tuesday that the likes of 1Password, KeePass, LastPass, and Dashline all have vulnerabilities that would potentially allow malicious software on a Windows machine to steal either the master password or individual passwords stored by the applications.

Password manager companies encrypt your data and don't store your master password at their servers so even in an event of a breach; hackers will only get access to mumbo-jumbo of data. Even with the mild flaws ISE found, a password manager remains by far the best way to keep your login credentials secure, and experts routinely recommend them as a way to manage multiple unique and strong passphrases for your online accounts. "However, each password manager fails in implementing proper secrets sanitization for various reasons".

Until the flaws are fixed, the ISE recommends that users don't leave their password manager apps running in the background - and rather open and close the apps each time they are used.

However, they also discovered that the standard memory forensics could be exploited via keylogging or Clipboard sniffing for extracting the master password and other passwords in running and locked state.

Nevertheless, ISE was still "surprised in the inconsistency" with which password managers retained and sanitized master passwords in memory. LastPass exhibits a similar problem, and can also leak the credentials even after the application returns to a locked state.

1Password and KeePass also told PCMag that the security issues cited by ISE are nothing new, and have been previously mentioned as known trade-offs with their products.

LastPass CTO Sandor Palfy says they've already implemented changes to LastPass for Applications created to mitigate and minimize the risk of the potential attack detailed in the report.

"Fixing this particular problem introduces new, greater security risks", Goldberg said. Long term, we may not need to make such a tradeoff. I stand by our decision.

He also pointed out that the realistic threat from this issue is limited. To some degree, every one of the four password managers left passwords - either the master password or individual credentials - accessible in memory. "No password manager (or anything else) can promise to run securely on a compromised computer", 1Password said. Please note that this does not apply to the data Dashlane stores on your device. The data stored by Dashlane on the device (i.e. on the hard drive) is encrypted and can not be read by an attacker even if the attacker has full control of the device.

What's very important to know is that reading the master password from the PC's memory requires access to the device, either physical or remote.

No solution is 100 percent ideal and users should not stop using password managers as they protect against the most common threat (reusing of potentially compromised passwords). In comparison, an attacker being able to specifically take control of the device of a single user is a much less likely threat, Schalit noted.

Updated A bunch of infosec bods are taking some of the most popular password managers to task after an audit revealed some mildly annoying, non-world-ending security shortcomings.

Other reports by Click Lancashire

Discuss This Article