You have probably heard of password managers, and you probably think they are pretty safe, right? Well, there is new research out there that may might make you think twice, especially if you use password managers like KeePass, 1Password, Lastpass, or Dashlane. Frankly, I’m not worried about it, but read on.
Specifically, this study looked at the instances of passwords leaking from a host compute or focused on if these password managers were accidently leaving passwords in the computer’s memory.
What was found was that all of the password managers that were looked at did a good job at keeping these passwords secure when in a state where it was “not running.” This means that a hacker would not be able to force the program into giving away the user’s passwords. However, it was also noted that though each password manager that was tested attempted to scrub these passwords from the memory of the computer, it wasn’t always successful…meaning, your passwords could still be in the memory.
Some of these programs, like 1Password, seemed to have left the master password, but also the secret key for the program. This could possibly allow a hacker to access the info in this program. But, it’s important to note that these programs are trying to remove this information, but due to various situational issues, it’s not always possible.
Another program, LastPass, was also examined, and it, too, caused some concern amongst researchers. Basically, the program scrambles the passwords when the user is typing them in, but they are decrypted into the computer’s memory. Additionally, even when the software is locked, the passwords are still sitting in the memory just waiting for someone to extract it.
KeePass, which is yet another password manager, was also looked at here. In this case, it removes the master password from the computer’s memory, and it is not able to be recovered. However, other credentials that were stored in KeePass were able to be accessed, which is also problematic.
Should you be worried about this? Well, it depends on your personal thought process. Some people probably won’t care too much, and others won’t be affected because they don’t use password managers that have these issues. Since the researchers pointed out these issues each password manager has done their own updates and corrected any issues. The real vulnerability isn’t the security of the password managers but the security of the devices, their users and if the users are deploying the same password across multiple accounts. Using the same password over and over is the risk here. So get a password manager so you can have a different password everywhere.
Robert Siciliano personal security and identity theft expert and speaker is the author of Identity Theft Privacy: Security Protection and Fraud Prevention: Your Guide to Protecting Yourself from Identity Theft and Computer Fraud. See him knock’em dead in this Security Awareness Training video.