Password managers have a security weakness you should know about: a recent study by Independent Security Evaluators (ISE) examined five of the most popular password managers (Dashlane, LastPass, 1Password, RoboForm and KeePass) and found that all of them leave passwords behind in the RAM of the user’s computer.
Password managers are tools/apps meant to reduce risk by letting users have a different strong password for every site without having to memorize any of them. The manager stores each strong password, and the user only has to remember the one master password that unlocks the manager.
The ISE audit, carried out by Adrian Bednarek, shows that an attacker who gains access to the user’s computer, whether by physically getting hold of it or by running code on it remotely, may be able to read those passwords out of RAM. Bednarek tested each manager on a Windows 10 PC and found that they left passwords in memory even while the password manager was in its locked state.
ISE published a recording by Bednarek in which a program he wrote recovers the master password of 1Password 4 while the application is locked.
RoboForm, 1Password and LastPass appear to be the worst affected. A program that reads the manager’s process memory could recover the master password in plaintext, even in the locked state. This is the most serious outcome, because once an attacker has the master password, he or she can access every other password stored in that manager.
Dashlane and KeePass did not leave the master password in memory, but an attacker could still recover individual stored passwords; in this case the exposure is limited to the password the user most recently accessed.
Bednarek reported the findings to the vendors, whose responses differed. All of them already seemed to be aware of the issue, and some were working on an update to address it. 1Password and KeePass, however, treated it as a minor issue that can be accepted, arguing that it stems from how Windows manages process memory rather than from their own code.
The study did focus on Windows 10: ISE tested only the Windows applications, and the Mac and mobile apps were not examined, so it is not yet known whether they behave the same way. Even if they do not, the Windows findings matter on their own. Any malware that runs on the machine with the user’s privileges can read the memory of other processes in the same session, so an attacker does not need physical access to the PC to exploit this. Given the number of people using password managers, more than 60 million worldwide, this could become a serious problem.
Since password managers have this weakness, here are some precautions to take.
- Quit your password manager entirely when you are done with it rather than relying on lock mode, since the study showed that locking does not reliably clear secrets from memory.
- Check your computer regularly for malware and use reputable anti-malware software; the attack requires code running on your machine, so keeping malware off it is the main defence.
- Be cautious with browser extensions and pop-ups, which are common delivery paths for malware.
- Installing software from arbitrary websites is risky. Where possible, stick to the Google, Microsoft and Apple app stores.
- Password managers have a good track record, but that does not mean high-value secrets such as smart-contract private keys belong in one.
- Finally, always update your password manager when new versions are released; updates carry the fixes for issues like this one.
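The finding above (a master password that survives in memory after the manager is “locked”) and the first precaution (quit instead of lock) come down to one mechanism: whether the application overwrites the secret’s bytes or merely stops pointing at them. The following is an added illustration written for this article, not code from ISE or from any of the vendors named. The static arena standing in for process memory, the two lock behaviours, and the sample master password are all constructed for the demonstration; a real attacker reads the live process (for example with ReadProcessMemory on Windows) rather than a buffer in the same program.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* A small static arena stands in for the password manager's process memory.
 * (Constructed for this demonstration only.) */
#define ARENA_SIZE 4096
#define SLOT_OFFSET 1024
static unsigned char arena[ARENA_SIZE];

/* Two hypothetical lock behaviours (not any vendor's real implementation):
 * forget the secret's location, or wipe it before forgetting. */
typedef enum { LOCK_FORGET_ONLY, LOCK_WIPE } lock_mode_t;

/* A plain memset() on a buffer that is never read again may be optimised away,
 * so wipe through a volatile pointer (same idea as explicit_bzero/SecureZeroMemory). */
static void secure_zero(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--)
        *vp++ = 0;
}

/* "Unlock": the master password is copied into working memory for key derivation. */
static unsigned char *vault_unlock(const char *master) {
    unsigned char *slot = arena + SLOT_OFFSET;
    memcpy(slot, master, strlen(master) + 1);
    return slot;
}

/* "Lock": with LOCK_FORGET_ONLY the application simply stops using the slot;
 * the bytes stay in memory until something else happens to overwrite them. */
static void vault_lock(unsigned char *slot, size_t len, lock_mode_t mode) {
    if (mode == LOCK_WIPE)
        secure_zero(slot, len);
}

/* Memory scan: offset of needle inside hay, or -1 if absent. */
long scan_for(const unsigned char *hay, size_t haylen, const char *needle) {
    size_t n = strlen(needle);
    if (n == 0 || n > haylen)
        return -1;
    for (size_t i = 0; i + n <= haylen; i++)
        if (memcmp(hay + i, needle, n) == 0)
            return (long)i;
    return -1;
}

/* Unlock, lock with the given behaviour, then scan the arena as an attacker would.
 * Returns 1 if the master password is still recoverable after locking, else 0. */
int master_recoverable_after_lock(const char *master, lock_mode_t mode) {
    memset(arena, 0, sizeof arena);
    unsigned char *slot = vault_unlock(master);
    vault_lock(slot, strlen(master) + 1, mode);
    return scan_for(arena, sizeof arena, master) >= 0 ? 1 : 0;
}

int main(void) {
    const char *master = "correct horse battery staple"; /* constructed sample */
    printf("forget-only lock: master %s\n",
           master_recoverable_after_lock(master, LOCK_FORGET_ONLY) ? "RECOVERABLE" : "gone");
    printf("wipe-then-lock:   master %s\n",
           master_recoverable_after_lock(master, LOCK_WIPE) ? "RECOVERABLE" : "gone");
    return 0;
}
```

The scan here looks for a string we already know, purely to show that the bytes persist; an attacker does not know the master password in advance, but can dump the whole region and pick out candidate strings, so the lingering bytes are the problem regardless of how they are found. Wiping only helps if it is applied to every copy of the secret (input buffers, derived keys, UI controls), which is why “lock” is hard to get right and quitting the process is the safer habit.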
Even with this weakness, deciding not to use a password manager is the riskier choice. First, very few people can memorize many strong, unique passwords. Second, reusing one password across your platforms means a single breach exposes all of your accounts, which makes an attacker’s job far easier.