Password managers are great tools for enhancing your online safety and, believe me, they can certainly make your life easier. But like anything powered by software, password managers are not perfect, and they are not immune to malware.
This new research proves just that. According to new information released by Independent Security Evaluators (ISE), at least five well-known password managers, including 1Password, Dashlane, KeePass, and LastPass, could potentially leave unencrypted credentials and passwords in memory while they run in the background.
How serious are these problems? Or are they nothing to fear? Let's break them down.
It's like leaving your keys under your PC's doormat
The ISE researchers (read: white hats, aka the good hackers) stated that the password managers they reviewed did not always encrypt and delete passwords from a computer's memory when transitioning from an unlocked state (the password manager is running) to a locked state (the user is logged out).
1Password, in particular, keeps the master password in memory when it is unlocked and fails to erase it when it returns to its locked state. In some cases, the master password can even be viewed in cleartext when the software is locked. Yes, in a way, it is as if you left your keys under your doormat.
Surprisingly, the most recent version of 1Password, 1Password7, is even worse: in the ISE test it decrypts all individual passwords, puts them all in the computer's memory, and does not erase them when leaving the unlocked state.
In the case of Dashlane, only the last active password is exposed in memory when it is running. However, when a user updates the information of an entry, Dashlane exposes its entire database in plain text in the computer's memory. Even worse, this information stays there even after the Dashlane user logs out.
Similarly, KeePass and LastPass have also shown vulnerabilities by keeping some of their unencrypted entries in the memory of a computer even after they return to the locked state.
In most cases, completely shutting down a password manager (not just logging out) is the only way to clear the cached passwords from your computer's memory.
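The locked-state cleanup the researchers found missing, sketched in C as an added example (not code from ISE or from any of the products named; the `vault` struct and all function names are hypothetical):

```c
#include <stddef.h>
#include <string.h>
#define MAX_SECRET 64

/* Hypothetical vault state, constructed for this example. */
struct vault {
    int  unlocked;
    char master[MAX_SECRET];  /* master password while unlocked */
    char entry[MAX_SECRET];   /* most recently decrypted entry */
};

/* Volatile writes: the compiler may not drop them as dead stores. */
static void secure_wipe(void *buf, size_t len) {
    volatile unsigned char *p = buf;
    while (len--) *p++ = 0;
}

/* Copy a secret into a fixed buffer; reject input that does not fit. */
static int store_secret(char *dst, const char *src) {
    size_t n = strlen(src);
    if (n >= MAX_SECRET) return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

int vault_unlock(struct vault *v, const char *master, const char *entry) {
    if (store_secret(v->master, master) != 0 ||
        store_secret(v->entry, entry) != 0) {
        secure_wipe(v, sizeof *v);  /* leave no partial secret behind */
        return -1;
    }
    v->unlocked = 1;
    return 0;
}

/* Transition to locked: zero every plaintext buffer before returning. */
void vault_lock(struct vault *v) {
    secure_wipe(v->master, sizeof v->master);
    secure_wipe(v->entry, sizeof v->entry);
    v->unlocked = 0;
}

/* Returns 1 when no non-zero byte remains in the secret buffers. */
int vault_is_clean(const struct vault *v) {
    for (size_t i = 0; i < MAX_SECRET; i++)
        if (v->master[i] || v->entry[i])
            return 0;
    return 1;
}
```

This only covers buffers the program itself controls; copies of a secret made elsewhere, for example by a UI toolkit or a managed runtime, need the same treatment.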
They are only as strong as the defenses of your computer
Is it time to panic? Not exactly. Here is an important thing to keep in mind about these flaws: they are only exploitable if a hacker has already successfully installed malware on your computer. In any case, your computer's operating system has built-in defenses against this type of memory-access attack.
If someone can already analyze the cached data of your password manager, your entire system is already compromised and your computer has bigger problems than that. Spoiler alert: keyloggers, spyware, remote access software and ransomware can cause even more serious damage, and your password for CuteShoes.com could be the icing on the cake.
In fact, these security concerns regarding password managers are not new, and they are all inherent to how password managers operate in an operating system such as Windows 10. Fortunately, developers continue to propose new mechanisms to protect password managers against cleartext password exposure in memory and general malware attacks.
The bottom line is this: if you do not use good security measures on your computer, nothing, not even your password manager, can protect you.
Keeping your software up to date by patching regularly, using reliable security software, strong passwords, and two-factor authentication are just a few of the best practices you can follow to protect your gadgets. Oh, and before I forget, the use of a password manager is always highly recommended. Please, do not stop using yours.