Password mangers are great and they absolutely should be used, especially as we are in an age of almost every company offering an online presence that requires a sign up and multimillion record account breaches.
It was with this in mind that I was very disappointed to read yet another article that stated: “Flaws discovered in popular password managers, report claims.”
As someone who uses different password managers for work and personal use, I was immediately concerned about what the flaw could be. Was it a shared library that had been found vulnerable? Some sort of authentication bypass mechanism?
Nope. None of that. The “flaws” that were discovered were not flaws with the password managers at all, but are down to how the operating system works. The article might have well have said: “Flaw discovered in all word processors that could lead to GDPR exposure” and it would have been just as accurate, because each one of the flaws listed needs some level of access to the computer’s operating system and once you have that level of access, it is pretty much game over.
No matter what you have installed in terms of anti-virus, it will all fall down in the face of access to the operating system - whether that access is direct via an unlocked machine and a malicious internal user, or remotely thanks to a phishing attack or clickbait campaign.
The bigger flaw here is not that the password manager has the master password held in memory in plaintext, it is that the master password is being used in such a way in the first place! Most password managers offer some level of named user access.
In these cases, it should be a named user that logs on and not the admin/master level account. Of course, those accounts should only have access to what they need access to in order to do their job.
While this does not fix the issue of the password being stored in memory in plaintext, it does mitigate the amount of information a malicious party could get access to. While it is still not great it is certainly better than doing the equivalent of logging in everywhere with a domain admin or root level account.
Another flaw listed in the article was that of a keylogger being installed on the computer could read passwords as they are typed. Yes, this is a concern, but one has to ask how a keylogger got onto the system in the first place? All too often, IT will give local admin access to users to ease the pain of the user wanting to install software, change the background and so on. Most keyloggers need to install a driver to intercept keyboard presses and as such, the attack requires local admin access or physical access to the machine to install a dongle.
Ironically, the sites that block copy and paste for passwords actually make the keylogger method more attractive; otherwise, the keylogger will just record “ctrl-v” for a password rather than an actual typed password!
In summary, password managers are safe. Yes, any locally installed components should be upgraded as soon as new versions are out, but stop giving users local admin rights as the risks are much reduced.
Join our webinar on the 29th March for a discussion on "Making Password Managers a Tangible Metric" with LogMeIn. 3pm GMT/11am EDT, registration is open.