Popular password managers found to have serious flaws

The four market-leading password managers all have worrying vulnerabilities

The word password among code

Security researchers have revealed that some of the most popular password managers around are also the most vulnerable, allowing hackers to break in and steal information as easily as they would be able to if the information was stored in a text file.

Independent Security Evaluators (ISE) tested a range of password managers - those embedded in browsers and also paid-for software that claim to stop people from being able to steal passwords. It found that every single tool could be broken into and so failed to sufficiently protect information as claimed.

"Although password managers provide some utility for storing login/passwords and limit password reuse, these applications are a vulnerable target for the mass collection of this data through malicious hacking campaigns," ISE chief executive Stephen Bono said.

The company looked in detail at 1Password, Dashlane, KeePass, and LastPass to see how robust they were at securing users from having their credentials stolen. They all work in the same way - "securely" storing passwords so users are able to keep track of their different credentials across services from one place.

However, every single application had "serious" vulnerabilities, including ease of stealing the master password used to protect the others from prying eyes. Access to the master password means all other passwords stored can be easily obtained, making these platforms pretty useless in terms of their core purpose. 

All four password managers can be hacked when in the background running state when they're locked by the master password, which is the most common way the applications are used. However, the most recent version of 1Password and Dashlane can be broken into and all passwords leaked while in both the locked and unlocked state. All four password managers could be intercepted using keylogger malware.

"People believe using password managers makes their data safer and more secure on their computer," added ISE executive partner Ted Harrington. "Our research provides a public service to vendors of these widely-adopted products who must now mitigate against attacks based the discovered security issues, as well as alert consumers who have a false sense of security about their effectiveness."

ISE recommends that users properly shut down their password managers when they're not in use.

"Password managers are an important and increasingly necessary part of our lives. In our opinion, users should expect that their secrets are safeguarded according to a minimum set of standards that we outlined as security guarantees'. Initially our assumption and expectation were that password managers are designed to safeguard secrets in a non-running state', which we identified as true. However, we were surprised in the inconsistency in secrets sanitisation and retention in memory when in a running unlocked state and, more importantly, when placed into a locked state," ISE concluded in its research. 

"If password managers fail to sanitise secrets in a locked running state then this will be the low hanging fruit, that provides the path of least resistance, to successful compromise of a password manager running on a user's workstation.

"Once the minimum set of security guarantees' is met then password managers should be re-evaluated to discover new attack vectors that adversaries may use to compromise password managers and examine possible mitigations for them."

Featured Resources

2021 Thales access management index: Global edition

The challenges of trusted access in a cloud-first world

Free download

Transforming higher education for the digital era

The future is yours

Free download

Building a cloud-native, hybrid-multi cloud infrastructure

Get ready for hybrid-multi cloud databases, AI, and machine learning workloads

Free download

The next biggest shopping destination is the cloud

Know why retail businesses must move to the cloud

Free Download

Recommended

Telegram bots are out to steal your one-time passwords
hacking

Telegram bots are out to steal your one-time passwords

30 Sep 2021
What makes a password secure?
Sponsored

What makes a password secure?

28 Sep 2021
Robust password policies cut cyber attacks by 60%
cyber security

Robust password policies cut cyber attacks by 60%

13 Sep 2021
1Password Business review: First choice for business travel and guest accounts
Security

1Password Business review: First choice for business travel and guest accounts

16 Jul 2021

Most Popular

Best Linux distros 2021
operating systems

Best Linux distros 2021

11 Oct 2021
Veritas Backup Exec 21.3 review: Covers every angle
backup software

Veritas Backup Exec 21.3 review: Covers every angle

14 Oct 2021
HPE wins networking contract with Birmingham 2022 Commonwealth Games
Network & Internet

HPE wins networking contract with Birmingham 2022 Commonwealth Games

15 Oct 2021