Password Managers aren’t as secure as you might assume – Security researchers claim that hackers can steal master passwords in PC memory.
Password managers are considered as one of the most suitable options when it comes to keeping your online credentials safe from being hijacked and exploited by cybercriminals. However, unfortunately, the latest research findings by Independent Security Evaluators (ISE) researchers claim otherwise.
According to ISE researchers, most of the popular and widely used Windows-based password managers such as Dashlane, LastPass, 1Password, and KeePass contain security flaws. It must be noted that these password managers are currently in use by a total of 60 million users while 93,000 businesses across the world are benefitting from them.
To identify the reliability of password managers, ISE researchers reverse engineered every single software package and assessed the way a particular app handled the data in different states. These included when the app is locked and unlocked, when running and idle, running and unlocked or locked. It was identified that all the tested password managers “sufficiently protect the master password and individual passwords while they are not running.”
However, they also discovered that the standard memory forensics could be exploited via keylogging or Clipboard sniffing for extracting the master password and other passwords in running and locked state. Researchers concluded that:
“No matter how closely a password manager may adhere to our proposed ‘Security Guarantees’, victims of keylogging or clipboard sniffing malware/methods have no protection,” said the company’s blog post.
Furthermore, in an unlocked state, it isn’t possible to extract most or all of the records into the memory, only the single actively viewed one can be extracted while in an unlocked state the master passwords mustn’t be present in any form whether encrypted or obfuscated. The assessed password managers failed to comply with at least one of these rules of protection.
While users strictly believe that their data is safe in the locked state but if the master password is somehow obtained by a hacker, it is quite easy to decrypt the password manager database, which stores login credentials and other secrets. Researchers could extract passwords and login credentials from the memory in the password managers’ locked state. They believe that if the device is infected via some malware, it can also perform this feat.
Moreover, it was observed that by targeting PC RAM through different tactics, or using standard memory forensics cybercriminals can extract individual credentials or plain text master password for LastPass, 1Password and Dashlane, etc.
However, to do so, they would need spyware-grade malware to infect the PC after obtaining system admin rights. Stephen Bono, CEO of ISE stated that a hundred percent of the applications evaluated for the test failed to provide the necessary security to protect users’ passwords.
Researchers are of the opinion that it is not feasible to stop using password managers however, users need to appropriately shut down the application when it is not in use and also they should opt for full disk encryption. Developers also need to make the software resilient enough in the locked and unlocked state, and capable of thwarting software-based keyloggers.