Popular password managers found to have serious flaws

The four market-leading password managers all have worrying vulnerabilities

The word password among code

Security researchers have revealed that some of the most popular password managers around are also the most vulnerable, allowing hackers to break in and steal information as easily as they would be able to if the information was stored in a text file.

Independent Security Evaluators (ISE) tested a range of password managers - those embedded in browsers and also paid-for software that claim to stop people from being able to steal passwords. It found that every single tool could be broken into and so failed to sufficiently protect information as claimed.

"Although password managers provide some utility for storing login/passwords and limit password reuse, these applications are a vulnerable target for the mass collection of this data through malicious hacking campaigns," ISE chief executive Stephen Bono said.

The company looked in detail at 1Password, Dashlane, KeePass, and LastPass to see how robust they were at securing users from having their credentials stolen. They all work in the same way - "securely" storing passwords so users are able to keep track of their different credentials across services from one place.

Advertisement - Article continues below
Advertisement - Article continues below

However, every single application had "serious" vulnerabilities, including ease of stealing the master password used to protect the others from prying eyes. Access to the master password means all other passwords stored can be easily obtained, making these platforms pretty useless in terms of their core purpose. 

All four password managers can be hacked when in the background running state when they're locked by the master password, which is the most common way the applications are used. However, the most recent version of 1Password and Dashlane can be broken into and all passwords leaked while in both the locked and unlocked state. All four password managers could be intercepted using keylogger malware.

"People believe using password managers makes their data safer and more secure on their computer," added ISE executive partner Ted Harrington. "Our research provides a public service to vendors of these widely-adopted products who must now mitigate against attacks based the discovered security issues, as well as alert consumers who have a false sense of security about their effectiveness."

ISE recommends that users properly shut down their password managers when they're not in use.

"Password managers are an important and increasingly necessary part of our lives. In our opinion, users should expect that their secrets are safeguarded according to a minimum set of standards that we outlined as security guarantees'. Initially our assumption and expectation were that password managers are designed to safeguard secrets in a non-running state', which we identified as true. However, we were surprised in the inconsistency in secrets sanitisation and retention in memory when in a running unlocked state and, more importantly, when placed into a locked state," ISE concluded in its research. 

"If password managers fail to sanitise secrets in a locked running state then this will be the low hanging fruit, that provides the path of least resistance, to successful compromise of a password manager running on a user's workstation.

Advertisement - Article continues below

"Once the minimum set of security guarantees' is met then password managers should be re-evaluated to discover new attack vectors that adversaries may use to compromise password managers and examine possible mitigations for them."

Featured Resources

Digitally perfecting the supply chain

How new technologies are being leveraged to transform the manufacturing supply chain

Download now

Three keys to maximise application migration and modernisation success

Harness the benefits that modernised applications can offer

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

The 3 approaches of Breach and Attack Simulation technologies

A guide to the nuances of BAS, helping you stay one step ahead of cyber criminals

Download now


internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

operating systems

17 Windows 10 problems - and how to fix them

13 Jan 2020
public sector

UK gov launches £300,000 SEN EdTech initiative

22 Jan 2020

Windows 10 and the tools for agile working

20 Jan 2020
web browser

What is HTTP error 503 and how do you fix it?

7 Jan 2020