Most popular password managers share a common weakness. That is the conclusion of a report published yesterday by Independent Security Evaluators, which found that users of these apps are exposed if malware gets onto their machine. The audit examined the Windows 10 apps of LastPass, RoboForm, 1Password, KeePass and Dashlane and found flaws in how each one handles secrets in memory. (Mac and mobile users can also be affected.)
What’s the flaw?
Each of the password managers left secrets sitting in the computer's memory in plaintext: depending on the app, the master password, individual stored credentials, or both. The problem is the locked state. Once you lock the app (or it locks itself), it is supposed to have cleared those secrets from memory, but the report found that copies remained. Anyone who can read the process's memory, for example malware running on the same machine, can lift your login credentials straight out of RAM.
The root cause is how the apps manage memory, and the exposure only begins once a user has opened the password manager and unlocked it with the master password. The apps do attempt to erase secrets from memory, but copies survive in residual buffers. The report attributes this mostly to memory leaks, lost references to buffers that were never scrubbed, and complex graphical user interface frameworks that keep their own copies of text without giving the app a way to clear them.
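To make that failure mode concrete, here is an added illustration; it is not code from the ISE report or from any of the password managers named above. A toy vault copies the master password into two places on unlock, its own buffer and a simulated GUI text field, mirroring the framework-owned copies described above. The naive lock scrubs only the buffer it still references and drops the other pointer, and a scan of the toy heap afterwards still finds the secret. The hardened lock scrubs every copy with a volatile-based zeroing loop so the compiler cannot optimize the writes away. The arena, the vault structure and the sample master password are all constructed for this example.

```c
/*
 * Added illustration (not code from the ISE report or any vendor): a toy
 * vault that leaves a copy of the master password behind after "lock",
 * and a hardened lock that does not. The arena stands in for the process
 * heap so the result can be checked deterministically.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ARENA_SIZE 1024
static unsigned char arena[ARENA_SIZE];   /* constructed stand-in for the heap */
static size_t arena_top;

/* Toy bump allocator: every "allocation" lands inside the scannable arena. */
static void *arena_alloc(size_t n) {
    if (arena_top + n > ARENA_SIZE) return NULL;
    void *p = arena + arena_top;
    arena_top += n;
    return p;
}

static void arena_reset(void) {
    memset(arena, 0, ARENA_SIZE);
    arena_top = 0;
}

/* Zeroing routine the optimizer cannot drop as a dead store before free. */
static void secure_zero(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) *vp++ = 0;
}

struct vault {
    char *master;     /* buffer the vault itself owns */
    char *ui_field;   /* copy made by the (simulated) GUI text field */
    size_t len;
};

/* Unlock: the master password is copied into the vault and into a GUI widget. */
static int unlock(struct vault *v, const char *master) {
    v->len = strlen(master) + 1;
    v->master = arena_alloc(v->len);
    v->ui_field = arena_alloc(v->len);
    if (!v->master || !v->ui_field) return -1;
    memcpy(v->master, master, v->len);
    memcpy(v->ui_field, master, v->len);   /* the widget keeps its own copy */
    return 0;
}

/* Naive lock: scrubs the vault's buffer, then simply forgets the GUI copy. */
static void lock_naive(struct vault *v) {
    secure_zero(v->master, v->len);
    v->master = NULL;
    v->ui_field = NULL;   /* reference lost; the bytes are still in memory */
}

/* Hardened lock: every known copy is scrubbed before its reference is dropped. */
static void lock_hardened(struct vault *v) {
    secure_zero(v->master, v->len);
    secure_zero(v->ui_field, v->len);
    v->master = NULL;
    v->ui_field = NULL;
}

/* Count copies of the secret anywhere in the arena, as a memory dump would. */
static int count_residue(const char *secret) {
    size_t n = strlen(secret);
    int hits = 0;
    for (size_t i = 0; i + n <= ARENA_SIZE; i++)
        if (memcmp(arena + i, secret, n) == 0) hits++;
    return hits;
}

/* Unlock, lock with the given routine, and report how many copies remain. */
static int residue_after(void (*lock)(struct vault *), const char *master) {
    struct vault v = {0};
    arena_reset();
    if (unlock(&v, master) != 0) return -1;
    lock(&v);
    return count_residue(master);
}

int main(void) {
    const char *master = "correct horse battery staple";   /* constructed sample */
    printf("naive lock:    %d copies left in memory\n", residue_after(lock_naive, master));
    printf("hardened lock: %d copies left in memory\n", residue_after(lock_hardened, master));
    return 0;
}
```

A real password manager cannot scan and scrub its heap this neatly: many of the copies live in buffers owned by GUI frameworks, clipboard handlers and string libraries it does not control, which is exactly why the report found residue. The two lessons for developers are that every copy of a secret has to be tracked so it can be scrubbed on lock, and that a plain memset on a buffer that is about to be freed may be removed by the compiler, so the scrub has to be done in a way it cannot elide.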
When the app is not running, you are safe: the vault stored on disk is encrypted, and only the copy held in RAM is at issue.
No need to panic, yet?
Some vendors are already responding. LastPass and RoboForm say they are issuing updates later this week. Dashlane is also working on a fix, though it regards other security concerns as higher priority.
KeePass and 1Password, on the other hand, declined to treat the finding as a vulnerability, describing it as an accepted risk and a known limitation of Windows.
Also worth noting: the latest version of 1Password fares worse here than its predecessor. Once you type in the master password, it loads all of your stored passwords into memory in plaintext, rather than only the entry you are actually using.
This should be a wake-up call to move to a password manager whose maker takes findings like this seriously.
So far there is no evidence that attackers are exploiting this in the wild, but there is no way to know how long that will remain true.
Here’s why you shouldn’t stay up all night worried.
To exploit this, an attacker has to read the memory of your computer, which means either having physical access to the machine or tricking you into installing malware that gives them control of it. Attackers also tend to favour mass, opportunistic attacks over going after individuals, unless you are an unusually valuable target. The people most at risk are those with weak habits, such as reusing the same password on many sites: they are what attackers call the low-hanging fruit.
Should you still continue using password managers?
It is a good thing this weakness was disclosed by researchers before it turned up in real attacks; the vendors are now on notice to strengthen how their apps handle memory.
Our devices are the weakest link between us and attackers. Once a machine is compromised, neither a password manager nor any other software running on it can protect you. The practical response is to reduce your exposure with good security habits so you are a less attractive target.
Yes, you should keep using a password manager, especially one whose vendor takes this seriously. Putting all your credentials in one place carries risk, but it beats the alternatives: reusing passwords across the sites you visit for the sake of convenience, or going entirely off-grid, which is not an option for most of us.
Password manager vendors encrypt your vault and do not store your master password on their servers, so even if those servers are breached, attackers get only ciphertext they cannot read without your master password. Be selective when choosing a password manager, and pick a master password that is strong and not used anywhere else.
The main takeaway is that being safe online is not about being unhackable; it is about not being the low-hanging fruit that attackers go after first.
Beyond storing your passwords, these apps also audit them: they flag weak ones and alert you to passwords that have been reused or have turned up in known breaches.
Another step worth taking is to turn on two-factor authentication (2FA) wherever a site offers it, so that a stolen password on its own is not enough to log in.