Popular password managers found to have serious flaws

The four market-leading password managers all have worrying vulnerabilities

The word password among code

Security researchers have revealed that some of the most popular password managers around are also the most vulnerable, allowing hackers to break in and steal information as easily as they would be able to if the information was stored in a text file.

Independent Security Evaluators (ISE) tested a range of password managers - those embedded in browsers and also paid-for software that claim to stop people from being able to steal passwords. It found that every single tool could be broken into and so failed to sufficiently protect information as claimed.

"Although password managers provide some utility for storing login/passwords and limit password reuse, these applications are a vulnerable target for the mass collection of this data through malicious hacking campaigns," ISE chief executive Stephen Bono said.

The company looked in detail at 1Password, Dashlane, KeePass, and LastPass to see how robust they were at securing users from having their credentials stolen. They all work in the same way - "securely" storing passwords so users are able to keep track of their different credentials across services from one place.

However, every single application had "serious" vulnerabilities, including ease of stealing the master password used to protect the others from prying eyes. Access to the master password means all other passwords stored can be easily obtained, making these platforms pretty useless in terms of their core purpose. 

All four password managers can be hacked when in the background running state when they're locked by the master password, which is the most common way the applications are used. However, the most recent version of 1Password and Dashlane can be broken into and all passwords leaked while in both the locked and unlocked state. All four password managers could be intercepted using keylogger malware.

"People believe using password managers makes their data safer and more secure on their computer," added ISE executive partner Ted Harrington. "Our research provides a public service to vendors of these widely-adopted products who must now mitigate against attacks based the discovered security issues, as well as alert consumers who have a false sense of security about their effectiveness."

ISE recommends that users properly shut down their password managers when they're not in use.

"Password managers are an important and increasingly necessary part of our lives. In our opinion, users should expect that their secrets are safeguarded according to a minimum set of standards that we outlined as security guarantees'. Initially our assumption and expectation were that password managers are designed to safeguard secrets in a non-running state', which we identified as true. However, we were surprised in the inconsistency in secrets sanitisation and retention in memory when in a running unlocked state and, more importantly, when placed into a locked state," ISE concluded in its research. 

"If password managers fail to sanitise secrets in a locked running state then this will be the low hanging fruit, that provides the path of least resistance, to successful compromise of a password manager running on a user's workstation.

"Once the minimum set of security guarantees' is met then password managers should be re-evaluated to discover new attack vectors that adversaries may use to compromise password managers and examine possible mitigations for them."

Featured Resources

Virtual desktops and apps for dummies

An easy guide to virtual desktop infrastructure, end-user computing, and more

Download now

The total economic impact of optimising and managing your hybrid multi-cloud

Cost savings and business benefits of accelerating the cloud journey

Download now

A buyer’s guide for cloud-based phone solutions

Finding the right phone system for your modern business

Download now

What’s next for the education sector?

A new learning experience

Download now

Recommended

Cyber attacks against organizations increasing as more staff work from home
cyber security

Cyber attacks against organizations increasing as more staff work from home

17 May 2021
What is phishing?
phishing

What is phishing?

17 May 2021
Cisco to acquire threat intelligence provider Kenna Security
Acquisition

Cisco to acquire threat intelligence provider Kenna Security

14 May 2021
What is the Computer Misuse Act?
Policy & legislation

What is the Computer Misuse Act?

14 May 2021

Most Popular

KPMG offers staff 'four-day fortnight' in hybrid work plans
flexible working

KPMG offers staff 'four-day fortnight' in hybrid work plans

6 May 2021
Hackers use open source Microsoft dev platform to deliver trojans
Security

Hackers use open source Microsoft dev platform to deliver trojans

14 May 2021
How to move Windows 10 from your old hard drive to SSD
operating systems

How to move Windows 10 from your old hard drive to SSD

30 Apr 2021