Researchers have discovered a surprising security weakness in password managers – many popular products seem to fail to erase passwords from memory once they are no longer used.
An analysis by Independent Security Evaluators (ISE) revealed the problem, to varying degrees, in versions of 1Password, Dashlane, LastPass, and KeePass.
The good news is that all of the managers secured passwords when the software was not running, when the passwords, including the master password, were encrypted in the database.
However, things got a little worse when ISE looked at how these products protect passwords in the locked state (running before the master password is entered, or after the user has logged out) and in the fully unlocked state (after the master password has been entered).
Rather than generalise, it is better to describe the problems found in each product.
1Password4 for Windows (v126.96.36.1996)
This legacy version retains an obfuscated copy of the master password in memory that is not cleared when returning to the locked state. Under certain conditions, a cleartext copy of the master password is also left in memory.
1Password7 for Windows (v7.2.576)
Although this is the current version, the researchers described it as less secure than 1Password4 because it decrypts and caches every password in the database rather than one at a time. 1Password7 also fails to remove passwords from memory, including the master password, when moving to the locked state. This undermines the lock button: to clear the secrets, the user has to exit the program completely.
Dashlane for Windows (v6.1843.0)
Exposes only one password at a time in memory until the user updates an entry; the entire database is then exposed in clear text. This remains the case even after the user locks the database.
KeePass Password Safe (v2.40)
Database entries are not cleared from memory after use, although, fortunately, the master password is not recoverable.
LastPass for Applications (v4.1.59)
Database entries remain in memory even when the application is locked. In addition, while the decryption key is being derived, the master password is "leaked into a string buffer" that is not cleared even when the application is locked (note: this version manages the application's own passwords and is distinct from the browser plugin).
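The findings above share one defect: secrets decrypted on unlock are never overwritten on lock. As an added illustration, not code from any of the products named and using constructed sample entries and a toy key derivation, here is a minimal C vault whose lock routine scrubs the derived key and the decrypted entries, calling memset through a volatile function pointer so the compiler cannot discard the wipe as a dead store:

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define MAX_ENTRIES 4
#define SECRET_LEN  32

typedef struct {
    uint8_t key[SECRET_LEN];                  /* key derived from the master password */
    char    entries[MAX_ENTRIES][SECRET_LEN]; /* decrypted entry passwords */
    size_t  n_entries;
    int     unlocked;
} vault_t;

/* A plain memset() on a buffer that is about to die is often removed by the
 * optimiser as a dead store, leaving the secret in place. Calling through a
 * volatile function pointer forces the call (portable stand-in for
 * explicit_bzero()/memset_s()). */
static void *(*volatile vol_memset)(void *, int, size_t) = memset;
static void secure_wipe(void *p, size_t n) { vol_memset(p, 0, n); }

/* Unlock: toy derivation and constructed entries, for demonstration only. */
void vault_unlock(vault_t *v, const char *master) {
    size_t mlen = strlen(master);
    for (size_t i = 0; i < SECRET_LEN; i++)
        v->key[i] = (uint8_t)(master[i % mlen] ^ (uint8_t)i);
    strncpy(v->entries[0], "hunter2-mail", SECRET_LEN);  /* constructed */
    strncpy(v->entries[1], "corr3ct-horse", SECRET_LEN); /* constructed */
    v->n_entries = 2;
    v->unlocked = 1;
}

/* Lock: the security-relevant step. Every decrypted secret and the derived
 * key are overwritten, not merely flagged as unavailable. */
void vault_lock(vault_t *v) {
    secure_wipe(v->entries, sizeof v->entries);
    secure_wipe(v->key, sizeof v->key);
    v->n_entries = 0;
    v->unlocked = 0;
}

/* 1 if the region holds no residual bytes, else 0: a unit-test primitive
 * for checking that a lock routine really scrubs memory. */
int region_is_zero(const void *p, size_t n) {
    const uint8_t *b = p;
    uint8_t acc = 0;
    for (size_t i = 0; i < n; i++) acc |= b[i];
    return acc == 0;
}

/* Round trip: secrets present after unlock, gone after lock. Returns 1 on success. */
int lock_scrubs_secrets(void) {
    vault_t v; memset(&v, 0, sizeof v);
    vault_unlock(&v, "correct horse");
    if (region_is_zero(v.key, sizeof v.key) || region_is_zero(v.entries, sizeof v.entries)) return 0;
    vault_lock(&v);
    return region_is_zero(v.key, sizeof v.key) && region_is_zero(v.entries, sizeof v.entries);
}
```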
Clearly, if passwords, and especially master passwords, linger in memory while the application is locked, malware that has already infected the computer could steal them.
The counter-argument is that if malware infects your computer, all or part of that system is already at risk, whether or not data is obscured in memory. No security application can guarantee defence against this type of threat.
Some of the providers involved publicly defended their products, claiming that the problems discovered by the researchers were part of complex design compromises.
LastPass also said it had fixed the problems found in its product, and pointed out that an attacker would still need privileged access to the user's PC.
Is this the end for password managers?
In short, no. Our advice is to keep using password managers: the issues found are still largely outweighed by the known benefits of using them, and will most likely be resolved by updates anyway.
What matters is that researchers look for these weaknesses and that vendors do everything they can to fix them as quickly as possible.
If in doubt, quit (i.e. fully close) the password manager when it is not in use.
And of course, remember to use two-factor authentication whenever you can, so that even if someone has your password, they still cannot log in as you.