A new report suggests that password managers are not as secure as one might think, and that they contain alarming security flaws, including storing the word "password". Main pass of the application in the memory of the computer in clear text. form.
First of all, however, before everyone starts to press the panic button and plans to uninstall their password management program, it should be noted that the security researchers who initiated this report still advocate use of these applications.
The Independent Security Assessors (ISEs) note that password managers are definitely a good thing and that those of the key players (who they reviewed in this study) "add value to the security of the management secrets "and avoid many security problems. password practices (such as weak passwords, reuse passwords again and again, etc.).
Keeping this in mind, ISE evaluated 1Password, Dashlane, KeePass and LastPass on Windows 10 and found that in some cases the application's main password was kept in system memory in a readable format in clear text.
As the company points out, it is not better to store it in a document written on your computer, at least when it comes to a qualified attacker. In these cases, even if the password management application is "locked" – that is, it is running, you must enter the word main password to access the many passwords stored in the application – a hacker can potentially enter by detecting the main password in plain text. in the PC's memory.
And once they are installed, they can access all the usernames and passwords of the victim for each site and service to which they subscribed.
The security company observed, "Using an exclusive reverse engineering tool, ISE analysts were able to quickly evaluate the secrets handling by the password manager in its locked state. ISE discovered that the standard forensic memory investigation can be used to extract the master password and the secrets it is supposed to keep. "
Of course, we must remember that the hacker still needs to access the computer, whether physically or remote, via some sort of backdoor installed by malicious software.
Sanitation of secrets
The ISE also notes: "It is obvious that attempts are being made to rub and [sanitize] memory in all password managers [which were evaluated]. However, each password manager fails to implement appropriate disinfection of secrets for various reasons. "
The organization believes that an urgent solution is needed to facilitate the effective management of passwords by the effective deletion of any data that may entail a risk of compromise when an application is applied. 39; runs in the background in a locked state.
It is hoped that the software manufacturers will linger and take note of the situation and will have an action plan to address the security breaches mentioned above.
In the meantime, until patches are deployed to crush these particular gremlins, ISE recommends not to leave a password-management application in the background – even in a locked state – and that users "end the process completely when they use it". password managers concerned ".
However, it should be noted that any hacker would need to access your PC to be able to detect the secrets of your password, as we have already mentioned. So, as always, it makes sense to install a good antivirus on your system.