Security researchers at Independent Security Evaluators (ISE) claim to have found a wide range of vulnerabilities in popular software password managers, 'rendering them no more secure than saving passwords in a text file'.
Password managers are a popular means of managing the multitudinous online accounts that are a seeming necessity of modern life. With industry recommendations being to use a separate password for every service - in order to prevent 'credential stuffing' attacks where a breach on one service provides valid login details for a range of others - a password manager, which saves encrypted copies of usernames and passwords that can only be unlocked for use using a single master password, is a near-necessity. While many rely upon the password management functionality built into their web browser or operating system, others opt for third-party dedicated utilities - but, ISE researchers claim, they may offer a false sense of security.
'100 percent of the products that ISE analysed failed to provide the security to safeguard a user’s passwords as advertised,' claims ISE chief executive Stephen Bono of his company's new report, Under the Hood of Secrets Management. 'Although password managers provide some utility for storing login/passwords and limit password reuse, these applications are a vulnerable target for the mass collection of this data through malicious hacking campaigns.'
ISE researchers concentrated their efforts on four of the most popular password management services around: 1Password, in both legacy and current forms, Dashlane, KeePass, and LastPass. In all cases, they claim, serious vulnerabilities were discovered - including, but not limited to, the ability to retrieve the master password needed to unlock the supposedly-protected database.
'Given the huge user base of people already using password managers, these vulnerabilities will entice hackers to target and steal data from these computers via malware attacks,' warns lead researcher Adrian Bednarek. 'Once they have your master password, it’s game over.'
'People believe using password managers makes their data safer and more secure on their computer,' adds ISE executive partner Ted Harrington. 'Our research provides a public service to vendors of these widely-adopted products who must now mitigate against attacks based the discovered security issues, as well as alert consumers who have a false sense of security about their effectiveness.'
The vulnerabilities in question only exist when the password managers are in the running-but-locked state - a typical use-case for a password manager, which is often set to start when the computer boots but remain locked via the master password until a secret is requested - meaning that the passwords are not at risk when at-rest without the program running. Accordingly, ISE's recommendations are simple: 'Users should not leave a password manager running in the background, even in a locked state, and terminate the process completely if they are using one of the affected password managers.'
The report's conclusion found that 1Password 7, the latest version of the popular 1Password software, leaked all records and the master password while in both the locked and unlocked states; the older 1Password 4 release only leaked the last-active record in the unlocked state and no records in the locked state but failed to protect the master password; Dashlane leaked all records in its unlocked and locked states but only an encrypted version of the master password in the unlocked state and no master password at all in the locked state; KeePass leaked passwords only upon user interaction, and did not leak the master password in either state; and LastPass also leaked passwords only following user interaction, but leaked the master password in both locked and unlocked states. All packages tested, meanwhile, were vulnerable to attack via keylogger malware which can capture the master password as it is entered and to clipboard sniffing attacks which can capture the retrieved password as it is passed to the target application.
'This paper is not meant to criticise specific password manager implementations; however, it is to establish a reasonable minimum baseline which all password managers should comply with,' ISE's report concludes. 'It is evident that attempts are made to scrub and sensitive memory in all password managers. However, each password manager fails in implementing proper secrets sanitization for various reasons.'
None of the named companies or projects had responded to the report at the time of writing.
March 25 2020 | 14:00