Flaws Discovered in Popular Password Managers, Report Claims

An analysis of multiple top password manager products has revealed vulnerabilities in the tools they use that could potentially put the security of user's credentials at risk, according to Independent Security Evaluators (ISE).

A new study, Under the Hood of Secrets Management, found that a variety of different password managers, including 1Password and LastPass, have fundamental flaws.

"One hundred percent of the products that ISE analyzed failed to provide the security to safeguard a user’s passwords as advertised,” said ISE CEO Stephen Bono in a press release. 

“Although password managers provide some utility for storing login/passwords and limit password reuse, these applications are a vulnerable target for the mass collection of this data through malicious hacking campaigns.”

Security weaknesses were also found in the Dashlane and KeePass password managers, which came to light after ISE researchers reportedly examined the underlying functionality of these products on Windows 10 to understand how users’ secrets are stored even when the password manager is locked. 

ISE researchers had previously analyzed a set of password managers, so they expected to find improved security measures with their most recent study. Despite the password managers' promise to find a solution to the inherent security risks in passwords, those that were analyzed stored data in plain text when locked. 

One major finding was that, in certain instances, the master password was residing in the computer’s memory in a plaintext readable format – no safer than storing it in a document or on the desktop as far as an adversary is concerned,” the report said.

“Users are led to believe the information is secure when the password manager is locked. Though, once the master password is available to the attacker, they can decrypt the password manager database – the stored secrets, usernames and passwords. ISE demonstrated it is possible to extract master passwords and other login credentials from memory while the password manager was locked.”

Despite the findings though, ISE was quick to add that “First and foremost, password managers are a good thing. All password managers we have examined add value to the security posture of secrets management.”

For more on password security and password managers, join our upcoming Infosecurity webinar.

What’s Hot on Infosecurity Magazine?