Password Managers lose data in memory, but you still need to use one – Naked Security


Researchers have discovered a surprising security weakness in password managers – many popular products seem to fail to erase passwords from memory once they are no longer used.

An analysis by Independent Security Evaluators (ISE) revealed the problem, to varying degrees, in the tested versions of 1Password, Dashlane, LastPass, and KeePass.

The good news is that all of the managers secured passwords while the software was not running, the state in which passwords, including the master password, are stored encrypted in the database.

However, things got a little worse when ISE looked at how these products protect passwords in the locked state (the program running, but before the master password has been entered or after the user has logged out) and in the fully unlocked state (after the master password has been entered).

Rather than generalise, it is better to describe the problems with each product.

1Password4 for Windows (v4.6.2.626)

This legacy version retains an obfuscated copy of the master password in memory that is not cleared when the program returns to the locked state. Under certain conditions, a plaintext version of the master password is left in memory as well.

1Password7 for Windows (v7.2.576)

Although this is the current version, the researchers described it as less secure than 1Password4 because it decrypts and caches every password in the database rather than one at a time. 1Password7 also fails to remove passwords from memory, including the master password, when moving to the locked state. This undermines the lock button, leaving a full exit from the program as the only way to clear them.

Dashlane for Windows (v6.1843.0)

Dashlane exposes only one password at a time in memory until the user updates an entry; at that point the entire database is exposed in clear text, and it stays that way even after the user locks the database.
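The lock-state failures described above, seen from the defender's side in an added C sketch (not code from any of the products named or from the ISE report): a toy vault that decrypts one entry at a time and scrubs it when locked, with a residue check of the kind the researchers performed on process memory; `vault_t`, `secure_memset` and the constructed `hunter2` entry are hypothetical.

```c
#include <stddef.h>
#include <string.h>
/* Added illustration, not code from any product named above: a toy vault that
 * holds at most one decrypted entry and scrubs it on lock. */
#define SECRET_MAX 64
/* memset via a volatile function pointer: the optimiser cannot prove the call
 * is a dead store and delete it, so the scrub really happens. */
static void *(*volatile secure_memset)(void *, int, size_t) = memset;

typedef struct {
    char   entry[SECRET_MAX];  /* plaintext of the single entry in use */
    size_t entry_len;
    int    unlocked;           /* 1 once the master password is accepted */
} vault_t;
/* Stand-in for decryption with the master-password-derived key. */
static void toy_decrypt(const char *ct, char *out, size_t n) { memcpy(out, ct, n); }
/* Decrypt one entry on demand, wiping the previous one first, so the whole
 * database is never held in memory at once. */
int vault_load_entry(vault_t *v, const char *ciphertext, size_t len) {
    if (!v->unlocked || len > SECRET_MAX) return -1;
    secure_memset(v->entry, 0, sizeof v->entry);
    toy_decrypt(ciphertext, v->entry, len);
    v->entry_len = len;
    return 0;
}

/* Lock transition: overwrite every plaintext byte before returning. Caveat:
 * copies the OS or a runtime made (swap, GC moves, temporaries) are not reached. */
void vault_lock(vault_t *v) {
    secure_memset(v->entry, 0, sizeof v->entry);
    v->entry_len = 0;
    v->unlocked = 0;
}
/* Residue check like the researchers' memory inspection: any nonzero byte? */
int vault_has_residue(const vault_t *v) {
    for (size_t i = 0; i < sizeof v->entry; i++)
        if (v->entry[i] != 0) return 1;
    return 0;
}

/* unlocked -> entry loaded -> locked; 0 only if locking leaves no residue. */
int vault_demo(void) {
    vault_t v = {{0}, 0, 1};                /* constructed: already unlocked */
    if (vault_load_entry(&v, "hunter2", 7) != 0) return 1;
    if (!vault_has_residue(&v)) return 2;   /* plaintext present while in use */
    vault_lock(&v);
    if (vault_has_residue(&v)) return 3;    /* the failure the article reports */
    if (vault_load_entry(&v, "x", 1) != -1) return 4;
    return 0;
}
```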