Researchers have uncovered a surprising security weakness in password managers – several popular products appear to do a weak job at scrubbing passwords from memory once they are no longer being used.
An analysis by Independent Security Evaluators (ISE) uncovered the problem to different degrees in versions of 1Password, Dashlane, LastPass and KeePass.
The good news is that all managers successfully secured passwords when the software wasn’t running – when passwords, including the master password, were sitting in the database in an encrypted state.
However, things went downhill a bit when ISE looked at how these products secure passwords in both the locked state (running prior to entering the master password or running after logging out), and the fully unlocked state (after entering the master password).
Rather than generalise, it’s best to describe the issues for each product.
1Password4 for Windows (v22.214.171.1246)
This legacy version keeps an obfuscated version of the master password in memory which isn’t scrubbed when returning to a locked state. Under certain conditions, a vulnerable cleartext version is left in memory.
1Password7 for Windows (v7.2.576)
Despite being the current version, the researchers rated it as less secure than 1Password4 because it decrypts and caches all database passwords rather one at a time. 1Password7 also fails to scrub passwords from memory, including the master password, when moving to a locked state. This compromises the effectiveness of the lock button, requiring the user to completely exit the program.
Dashlane for Windows (v6.1843.0)
Exposes only one password at a time in memory until a user updates an entry at which point the entire database is exposed in plaintext. This remains true even when the user locks the database.
KeePass Password Safe (v2.40)
Database entries are not scrubbed from memory after each is used although the master password was, thankfully, not recoverable.
LastPass for Applications (v4.1.59)
Database entries remain in memory even when the application is locked. Furthermore, when deriving the decryption key, the master password is “leaked into a string buffer” where it is not wiped, even when the application is locked (note: this version is used to manage application passwords and is distinct from the web plugin).
Clearly, if passwords – especially master passwords – are hanging around in memory when the application is locked, this raises the possibility that malware could steal this data after infecting a computer.
The counter-argument is that if malware infects your computer, pretty much everything on that system is at risk whether it’s obfuscated in memory or not. No security application can possibly guarantee to defend against this sort of threat.
Some of the affected vendors have publicly defended their products, claiming that the issues discovered by the researchers are part of complex design trade-offs.
LastPass also claimed it had cured the problems found in its product and pointed out that an attacker would still require privileged access to a user’s PC.
Is this the end for password managers?
In short, no. Our advice is to continue using password managers because the issues found are still heavily outweighed by the known advantages of using one and will probably be tidied up through updates anyway.
What matters is that researchers prod these products for weaknesses and that the vendors do everything they can to fix them as quickly as possible.
If in doubt, one idea is to shut down (i.e. close) a password manager when it’s not being used.
And, of course, don’t forget to use two-factor authentication whenever you can. That way, even if someone has your password, they still can’t log in as you.