A new study investigating the true security posture of password storage services has uncovered a swathe of vulnerabilities which can lead to the theft of valuable user credentials -- but this does not mean you should abandon your favorite password manager any time soon.
Independent Security Evaluators (ISE) published an assessment on Tuesday which documented the results of tests involving 1Password, Dashlane, KeePass and LastPass, all of which are popular password managers available today.
1Password4 for Windows version 188.8.131.526, 1Password7 for Windows 7.2.576, Dashlane for Windows v.6.1843.0, KeePass Password Safe v.2.40, and LastPass for Applications version 4.1.59 were tested.
The team said that each password management solution "failed to provide the security to safeguard a user's passwords as advertised" and "fundamental flaws" were found that "exposed the data they are designed to protect."
The vulnerabilities were found in software operating on Windows 10 systems. In one example, the master password which users need to use to access their cache of credentials was stored in PC RAM in a plaintext, readable format.
"Users are led to believe the information is secure when the password manager is locked," ISE says. "Though, once the master password is available to the attacker, they can decrypt the password manager database -- the stored secrets, usernames, and passwords."
ISE was able to extract these passwords and other login credentials from memory while the password manager in question was locked. It may be possible that malicious programs downloaded to the same machine by threat actors could do the same.
The main findings based on each password management solution are below:
1Password4: ISE says "reasonable" protections are in place in unlocked states, but when there is a transition from an unlocked to a locked state, the master password reportedly remains in memory when unlocked -- despite some obfuscation -- and the software fails to scrub this master password sufficiently before the transition has finished.
However, when a user accesses different entries in the software, unencrypted passwords are cleared from memory before another is loaded.
"We also found a bug where, under certain user actions, the master password can be left in memory in cleartext even while locked," ISE says.
1Password7: The current release of the software, in the security researcher's opinion, is "less secure" than the legacy version. Rather than only keeping one entry at a time in memory, this version of 1Password decrypted all individual passwords in a database upon testing, and also did not scrub individual passwords, the master password, or the secret key used to derive the encryption key when moving from the unlocked state to locked.
"This renders the "lock" button ineffective; from the security standpoint, after unlocking and using 1Password7, the user must exit the software entirely in order to clear sensitive information from memory as locking should," the researchers added.
Jeffrey Goldberg, 1Password's "Chief Defender Against the Dark Arts," said:
"This is a well-known issue that's been publicly discussed many times before, but any plausible cure may be worse than the disease. Fixing this particular problem introduces new, greater security risks, and so we have chosen to stick with the security afforded by high-level memory management, even if it means that we cannot clear memory instantly.
Long term, we may not need to make such a tradeoff. But given the tools and technologies at our disposal, we have had to make a decision as to how best to keep our users secure. I stand by our decision.
The realistic threat from this issue is limited. An attacker who is in a position to exploit this information in memory is already in a very powerful position. No password manager (or anything else) can promise to run securely on a compromised computer."
Dashlane: In Dashlane's case, the researchers say that memory/string, GUI management, and workflows were implemented to reduce the risk of credentials extraction. Only one active entry was ever exposed in RAM, but ISE added that when entries are updated, Dashlane exposes "the entire database plaintext in memory and it remains there even after Dashlane is logged out of or locked."
A Dashlane spokesperson told ZDNet:
"It is indeed correct that if an attacker has full control of a device at the lowest operating systems level, they can read any and every information on the device. This is not the case just with Dashlane or with password managers, but of any software or in fact any device that stores digital information.
For that reason, it is generally well known in the world of cybersecurity that the above scenario is an extreme one, in the sense that no mechanism can protect the digital information on a device if that device is already entirely compromised."
KeePass: KeePass scrubs the master password from memory and is not recoverable. However, errors in workflows permitted the researchers from extracting credential entries which have been interacted with. In the case of Windows APIs, sometimes, various memory buffers which contain decrypted entries may not be scrubbed correctly.
KeePass told ZDNet that what the researchers found "is a well-known and documented limitation of the process memory protection."
The company's security guidelines say:
"For some operations, KeePass must make sensitive data available unencryptedly in the process memory. For example, in order to show a password in the standard list view control provided by Windows, KeePass must supply the cell content (the password) as unencrypted string (unless hiding using asterisks is enabled).
Operations that result in unencrypted data in the process memory include, but are not limited to: displaying data (not asterisks) in standard controls, searching data, replacing placeholders (during auto-type, drag&drop, copying to clipboard, ...), and importing/exporting (except KDBX).
Windows and .NET may make copies of the data (in the process memory) that cannot be erased by KeePass."
LastPass: LastPass obfuscates the master password while users are typing in the entry, and when the password manager enters an unlocked state, database entries are only decrypted into memory when there is user interaction. However, ISE reported that these entries persist in memory after the software enters a locked state. It was also possible for the researchers to extract the master password and interacted-with password entries due to a memory leak.
LastPass CTO Sandor Palfy said:
"This particular vulnerability, in LastPass for Applications, our legacy, local Windows Application (which accounts for less than .2 percent of all LastPass usage) was brought to our attention by researchers through our Bug Bounty Program.
In order to read the memory of an application, an attacker would need to have local access and admin privileges to the compromised computer. We have already implemented changes to LastPass for Applications designed to mitigate and minimize the risk of the potential attack detailed in this report.
To mitigate the risk of compromise while LastPass for Applications is in a locked state, LastPass for Applications will now shut down the application when the user logs out, clearing the memory and not leaving anything behind."
A patch resolving the issue has also been released.
"This paper is not meant to criticize specific password manager implementations; however, it is to establish a reasonable minimum baseline which all password managers should comply with," ISE says. "It is evident that attempts are made to scrub and sensitive memory in all password managers. However, each password manager fails in implementing proper secrets sanitization for various reasons."
Despite these problems, it is worth noting that in a world where brute-force attacks can be automated and are commonplace, a password manager is still a better alternative than using the same simple, easy-to-crack passwords across the board.
In terms of risk factors, you are more at risk of using simple passwords than a malicious program compromising a home PC with the sole purpose of scouring RAM for evidence of a password manager being in play.
While password manager software developers should be aware of these potential security risks, not everyone has considered the report with a friendly eye. According to Cyberscoop, ISE researcher Adrian Bednarek was removed from the bug bounty hunter platform Bugcrowd on the basis of "unauthorized disclosure" after revealing the LastPass bug to a reporter ahead of the report being published.