
Password Manager Flaws Can Expose Data on Compromised Devices

Created: Thursday, February 21, 2019 - 01:53
Categories: Cybersecurity

Researchers at Independent Security Evaluators (ISE) examined five popular password managers and found that, for each, it was possible to extract “trivial secrets” from a locked password manager, which sometimes included the master password. Assessing the underlying functionality of 1Password, Dashlane, KeePass and LastPass on Windows 10, the researchers discovered that in some cases the master password could be found in plaintext in the computer’s memory while the password manager was locked, and that they could extract it using standard memory forensics. “One hundred percent of the products that ISE analyzed failed to provide the security to safeguard a user’s passwords as advertised,” said ISE CEO Stephen Bono.

Still, the researchers also appreciate the benefits of password managers. They note that all of the password managers they examined add value to the security posture of secrets management. Quoting cybersecurity expert Troy Hunt, they stated, “Password managers don’t have to be perfect, they just have to be better than not having one.” Additionally, they note that password managers guide users away from bad password practices such as using weak passwords, common passwords, generic passwords, and password reuse. Read the report at ISE.