Warning over password managers that store passwords in plain text in memory

Passwords in password managers can be compromised using malware and memory forensics tools

Users of password managers have been warned that the tools, which are supposed to improve people's PC security, might contain flaws enabling passwords to be compromised.

That's according to a report by a group called Independent Security Evaluators (ISE), who claim that a number of widely used password managers store master passwords in plain text in PC memory.

ISE claims that using malware that targets RAM alongside some standard memory forensics, hackers could theoretically extract a plain-text master password, or individual credentials for tools such as 1Password, LastPass and Dashlane on Windows 10, and then use it to breach them.

"All password managers studied work in the same basic way. Users enter or generate passwords in the software and add any pertinent metadata (for example, answers to security questions, and the site the password goes to).

The master password remains in memory when unlocked (albeit in obfuscated form)

"This information is encrypted and then decrypted only when it is needed for display, for passing to a browser add-on that fills the password into a website, or for copying to the clipboard for use," explains the report.

The researchers ‘attacked' the software in both its running and non-running state, testing encryption modes and looking for weak links that could be cracked.

What it found with 1Password, is typical of some of the problems of the genre: "We assessed the security of 1Password while running and found reasonable protections against exposure of individual passwords in the unlocked state.

"Unfortunately, this was overshadowed by its handling of the master password and several broken implementation details when transitioning from the unlocked to the locked state.

"On the positive side, we found that as a user accesses different entries in 1Password, the software is careful to clear the previous unencrypted password from memory before loading another. This means that only one unencrypted password can be in memory at once.

"On the negative side, the master password remains in memory when unlocked (albeit in obfuscated form) and the software fails to scrub the obfuscated password memory region sufficiently when transitioning from the unlocked to the locked state. We also found a bug where, under certain user actions, the master password can be left in memory in clear text even while locked."

Even the best-known password manager, LastPass, was found to have flaws. "Once LastPass enters an unlocked state, database entries are decrypted into memory only upon user interaction. However, these entries persist in memory even after LastPass has been placed back into a locked state," the report notes.

Of all the password managers tested, the open-source KeePass application came away with fewest security question marks.

"One hundred per cent of the products that ISE analysed failed to provide the security to safeguard a user's passwords as advertised," claimed ISE CEO Stephen Bono.

He continued: "Although password managers provide some utility for storing login/passwords and limit password re-use, these applications are a vulnerable target for the mass collection of this data through malicious hacking campaigns."

ISE lead researcher, Adrian Bednare added: "Given the huge user base of people already using password managers, these vulnerabilities will entice hackers to target and steal data from these computers via malware attacks."

LastPass told SC Magazine that it already has a fix in place and downplayed the threat, noting that to "read the memory of an application, an attacker would need to have local access and admin privileges to the compromised computer".