Password managers are a useful way to protect your Internet accounts. But the software that runs them is not always perfect.
According to new research, four popular password managers for Windows 10 can actually leak your login information into the PC's memory. This is not good news if your computer is secretly infected with malware: a hacker could potentially recover sensitive data when the password manager is activated.
The research, released Tuesday, comes from Independent Security Evaluators (ISE), a Baltimore-based company that reviewed the security of four products: 1Password, Dashlane, KeePass, and LastPass. The company was surprised to find that the products did not always encrypt and then delete the password data in the background processes of the PC. Even the master password, which can be used to unlock all your stored passwords, can be exposed.
For example, 1Password7 will decrypt all your individual passwords and store them in the computer's memory once the application is loaded. The login credentials, including the master password, will also be kept in the computer's memory while the product is running but in the locked state. "The user must completely quit the software to erase the sensitive information from the memory," the research adds.
Dashlane, on the other hand, will expose only the login information for the password that the user wants to access. The Dashlane app will expose the entire database in plain text only when the user wishes to update a password. LastPass presents a similar problem and may also disclose the credentials even after the application has returned to a locked state.
ISE has released the research to encourage password manager providers to better protect login information when it is loaded on a PC, especially when the product becomes locked again.
"Given the vast base of password manager users already in use, these vulnerabilities will cause hackers to target and steal data from these computers through malware attacks," said Adrian Bednarek, a researcher at ISE.
But not everyone agrees on the seriousness of the threat. To carry out these attacks, hackers would have to get you to install malicious software, which can open your PC to all kinds of problems, not just password theft.
"The realistic threat of this problem is limited," Jeffrey Goldberg, a security developer at 1Password, told PCMag. "No password manager (or anything else) can promise to run safely on a compromised computer."
1Password and KeePass also explained to PCMag that the security issues raised by ISE were not new and had previously been mentioned as known trade-offs in their products. For example, on the Windows operating system, KeePass must decrypt some of the sensitive data in order to show you a password.
"Solving this particular problem introduces new, greater security risks," Goldberg said. 1Password would have to switch to a different and older programming language, which could be less reliable and leave users insecure, he added.
LastPass, however, said it had introduced new safeguards to prevent the theft of passwords by malicious software. For example, the company's Windows application will now shut down and clear the system memory when the user logs out.
The ISE research is a reminder to keep the limits of password managers in mind. The applications will not protect your login credentials if your PC is infected with a malicious program that includes keystroke logging, screen capture, or text copying.
To stay safe, ISE recommends that you use reputable antivirus products and completely close the password manager once you are done. This will ensure that the product does not actively disclose your login credentials in the background. To avoid malware, avoid downloading applications from unknown sources or opening mysterious attachments.