Password Managers store master passwords in plain text in PC memory

When you discover that your password manager is not so secure

Password managers are safe, right? Far from it, according to a report from Independent Security Assessors (ISE), which found key passwords for such tools stored as plain text in a PC's memory.

Using malware that targets RAM and some fairly standard memory techniques, hackers could theoretically extract a cleartext master password or individual credentials from tools such as 1Password, LastPass, and Dashlane on Windows 10, then use them to break into the password managers.

Exploiting such a vulnerability would require spyware-like malware to be present on the targeted PC already, and that malware would likely need system administrator privileges to access the data stored in memory. At that point, the PC is arguably already compromised, and access to a password manager is not the main concern.

However, Stephen Bono, CEO of ISE, still recommended caution: "100% of products analyzed by ISE did not offer sufficient security to protect users' passwords, as announced."

"Although password managers provide a utility to store credentials / passwords and limit password reuse, these applications are a vulnerable target for mass collection of this data through malicious hacking campaigns," he added.

Adrian Bednare, senior researcher at ISE, painted a dark picture, pointing out that once hackers get the master password, "it's over."

"Given the vast base of password manager users already in use, these vulnerabilities will cause hackers to target and steal data from these computers via malware attacks," Bednare said.

Should you panic? Probably not. As the report indicates, password managers are still better than the traditional technique of storing the password in your head or reusing the same password for multiple services.

"First of all, password managers are a good thing," says the report. "All of the password managers we reviewed add value to the security of secrets management."

But the report is a blow for password manager providers, who will want to put mitigation measures in place to prevent hackers from exploiting such a vulnerability.

LastPass told SC Magazine that it has already implemented a fix and downplayed the entire situation, noting that "in order to read the memory of an application, an attacker would need local access and administrator privileges on the compromised computer".

We believe that other password manager providers will quickly follow suit and fix or mitigate the vulnerabilities. But all of this just shows that we are never as safe as we might think.
