New research identified potential weaknesses in popular password managers, but security experts said those products are still the best option for both enterprises and consumers.
Independent Security Evaluators, a Baltimore-based infosec consulting firm, uncovered several password manager vulnerabilities that can expose user credentials in a computer’s memory. In some cases, researchers found, the master password was being stored in the computer’s memory in a plaintext, readable format. In the study titled “Password Managers: Under the Hood of Secrets Management,” ISE evaluated 1Password, Dashlane, KeePass and LastPass on Windows 10 and detailed how password manager vulnerabilities can leave users exposed to malware attacks.
“At the time that the research was done we found that the issues existed around the security of locking the password manager and all of the ones we assessed failed to secure the passwords when put into that ‘locked state’ by the user,” the ISE team said via email. “This meant that users were given a false sense of security. This led us to conclude that not all password managers are created equal. Some do manage the secrets safely while locked. We think that it’s important that a security product meet its advertised goals. People should also be empowered to understand what a product can and can’t do, so they can choose something that provides them the level of security they want or need.”
ISE defines “in locked state” as cases where the password manager was just launched but the user has not entered the master password yet, or the user previously entered the master password but subsequently clicked the ‘lock’ or ‘log out’ button, according to the case study.
“We want it to be clear that we think people should continue to use password managers and we hope that this research is helpful to the industry,” ISE said. “We did see that after the research came out that some password managers issued patches and therefore were providing different levels of security.”
TCE Strategy CEO Bryce Austin believes this study about password manager vulnerabilities is making big news because it goes after one of the most sensitive security products available to consumers and businesses alike.
“That being said, the flaw is significantly overblown in my opinion,” Austin said in an email interview. “The hack requires physical access or a remote hack of a computer such that the cybercriminal has access to the entire computer. If this level of access has already been attained, the password manager hack is no longer as serious of a concern. The cybercriminal could install a keyboard logger to harvest passwords, install viruses to manipulate websites that the user visits, and perform ransomware attacks.”
Why you should still use password managers
While the ISE study does a good job of detailing password manager vulnerabilities and highlighting challenges with such products, the security flaws can be typically resolved quickly, said Andrew Howard, global CTO at infosec consulting firm Kudelski Security.
The use of password managers is still worth it for enterprises, Howard said in an email interview. Using a password manager is always better than reusing passwords or storing them in an insecure location, he added.
“Realistically, enterprises have the option of single-sign on,” he said. “Where possible, enterprises should rely on a single identity provider that enables users to authenticate various applications with only one authentication code. This will significantly reduce the need for password managers and improve security at the same time.”
Troy Dearing, head of the threat resistance unit at cloud security vendor Armor, said the benefits of using password managers far outweigh the unique scenarios when a password manager can be exploited to gain access to the users’ passwords.
It’s much more difficult to exploit a password manager than to simply phish/social engineer your target, Dearing said in an email interview.
“There are ways to ensure that when you use password managers that you reduce the chance of abuse even further, such as using a very strong passphrase for the master password, enabling multifactor authentication, not utilizing password managers on any device you do not explicitly trust (if you are traveling, open the password manager on your phone, do not open it on that shared computer in the business center of the hotel),” he said.
But Parham Eftekhari, executive director at the Institute for Critical Infrastructure Technology, didn’t find the report’s research to be surprising.
“Most of these tools are marketed as a shortcut to security, but the reality is that no such silver bullet exists,” Eftekhari said in an email interview.
There is no shortcut for basic cyber hygiene, complex credentials and multifactor authentication, all of which are elements of a strong layered defense, he said.
“Most experts agree that the traditional password model we are familiar with today is unsustainable, insecure and needs to be replaced,” he said. “What innovators are now working on are more secure and scalable alternatives.”
What the password manager firms are saying
The password manager vendors cited in ISE’s report challenged the notion that their products were insecure. The realistic threat from the password manager vulnerabilities stated in the study is limited, according to a statement from 1Password chief security officer Jeffrey Goldberg.
“An attacker who is in a position to exploit this information in memory is already in a very powerful position,” Goldberg said. “No password manager (or anything else) can promise to run securely on a compromised computer.”
Dominik Reichl, who developed the open source password manager KeePass, believes what ISE found is a well-known limitation of the process memory protection for his software. KeePass documentation states the password manager “must make sensitive data available unencryptedly in the process memory,” including passwords as unencrypted strings.
According to LogMeIn, which acquired LastPass in 2015, the password manager vulnerabilities research raises awareness of a limitation of protecting secrets in memory against an attacker with administrative privileges.
“In line with the opinion of other password managers, once an attacker has local access and admin privileges, the operating system is compromised and an attacker will end up having access to anything on the device,” the statement read. “This is an independent issue from whether or not a password manager is used.”
The company has implemented changes to LastPass for Applications to mitigate and minimize the risk of the potential attack detailed in the ISE report, LogMeIn said.
“To mitigate risk of compromise while LastPass for Applications is in a locked state, LastPass for Applications will now shut down the application when the user logs out, clearing the memory and not leaving anything behind,” according to the statement.
LastPass is also looking into ways to implement additional safeguards and protections, according to the company.
“As always, it’s essential to regularly patch your computers and use an effective antivirus and anti-malware software,” according to the statement.
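To make the locked-state problem ISE describes, and the kind of mitigation LastPass announced (clearing memory on logout), concrete, the following C program is an added example and not code from ISE or from any of the vendors named above. It models the process heap as a fixed arena with a bump allocator (an assumption made so that memory released by a "lock" is still well defined to read), compares a lock that merely drops its reference to the master password with one that zeroes the buffer first, and then scans the arena for the secret the way an analyst would grep a memory dump. The master password string is a constructed sample.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the process heap: a fixed arena with a bump
 * allocator. Nothing is ever returned to the allocator, so bytes left behind
 * by a naive lock stay readable, exactly as they would in a real heap
 * where free() does not clear the released block. */
#define ARENA_SIZE 4096
static unsigned char arena[ARENA_SIZE];
static size_t arena_top = 0;

static void *arena_alloc(size_t n) {
    if (arena_top + n > ARENA_SIZE) return NULL;
    void *p = arena + arena_top;
    arena_top += n;
    return p;
}

static void arena_reset(void) {
    memset(arena, 0, sizeof arena);
    arena_top = 0;
}

/* Wipe that the compiler cannot elide as a dead store: every byte is
 * written through a volatile pointer. */
static void secure_zero(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) *vp++ = 0;
}

typedef struct {
    char *master;   /* master password held in memory while unlocked */
    size_t len;     /* bytes allocated for it, including the NUL */
    int unlocked;
} vault_t;

/* Unlock: the user types the master password and it is copied into the
 * vault's working buffer. */
static int vault_unlock(vault_t *v, const char *master) {
    size_t n = strlen(master) + 1;
    v->master = arena_alloc(n);
    if (!v->master) return -1;
    memcpy(v->master, master, n);
    v->len = n;
    v->unlocked = 1;
    return 0;
}

/* Naive lock: the UI shows "locked", but only the pointer is dropped and
 * the bytes of the master password remain where they were. */
static void vault_lock_naive(vault_t *v) {
    v->master = NULL;
    v->len = 0;
    v->unlocked = 0;
}

/* Proper lock: overwrite the buffer before releasing the reference. */
static void vault_lock_wiped(vault_t *v) {
    if (v->master) secure_zero(v->master, v->len);
    v->master = NULL;
    v->len = 0;
    v->unlocked = 0;
}

/* Scan a memory region for a byte pattern, like searching a memory dump.
 * Returns 1 if the pattern is present anywhere in the region. */
static int memory_contains(const unsigned char *region, size_t region_len,
                           const char *needle) {
    size_t n = strlen(needle);
    if (n == 0 || n > region_len) return 0;
    for (size_t i = 0; i + n <= region_len; i++)
        if (memcmp(region + i, needle, n) == 0) return 1;
    return 0;
}

/* Unlock, lock with the chosen strategy, then scan the arena.
 * Returns 1 if the master password is still recoverable, 0 if not,
 * -1 on allocation failure. */
static int secret_survives_lock(int wipe_on_lock) {
    const char *master = "correct horse battery staple"; /* constructed sample */
    vault_t v = {0};
    arena_reset();
    if (vault_unlock(&v, master) != 0) return -1;
    if (wipe_on_lock) vault_lock_wiped(&v);
    else vault_lock_naive(&v);
    return memory_contains(arena, ARENA_SIZE, master);
}

int main(void) {
    printf("naive lock: master password %s recoverable from memory\n",
           secret_survives_lock(0) ? "still" : "not");
    printf("wiped lock: master password %s recoverable from memory\n",
           secret_survives_lock(1) ? "still" : "not");
    return 0;
}
```

The arena is the simplification; on a real system the same scan would be run against a full process dump, and the harder part is that the secret is rarely in only one buffer: copies made by UI controls, string libraries and managed runtimes (the limitation KeePass's documentation describes) have to be wiped or avoided too, which is why shutting the whole process down on logout, as LastPass announced, is a blunt but effective way to get every copy out of memory.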
Dashlane CEO Emmanuel Schalit emphasized that the attack scenario detailed in ISE’s research would pose massive danger to any application or data on the compromised device.
“It is indeed correct that if an attacker has full control of a device at the lowest operating systems level, the attacker can read any and every information on the device,” he said in a statement to SearchSecurity. “This is not the case just with Dashlane or with password managers, but of any software or in fact any device that stores digital information. For that reason, it is generally well known in the world of cybersecurity that the above scenario is an extreme one, in the sense that no mechanism can protect the digital information on a device if that device is already entirely compromised.”
Schalit stressed the data stored by Dashlane on the hard drive is encrypted and cannot be read by an attacker even if the attacker has full control of the device. However, he noted the attack scenario “only applies to the data present in the memory of the device when Dashlane is being used by a user who has typed the Master Password.”
In addition, Schalit wrote that there is “dangerous logic” in using the research to argue that people should not use password managers. “This is like saying, ‘I am only willing to accept that I will be 100% protected. If that is not possible I do not trust any protection,'” he wrote.