The most widely used password managers sport fundamental vulnerabilities that could allow malware to steal the master password or other passwords stored by the software directly from the computer’s memory, researchers with Independent Security Evaluators (ISE) have found.
They tested the 1Password, Dashlane, KeePass and LastPass password manager applications for Windows, which are collectively used by 60 million users and 93,000 businesses worldwide.
They reverse engineered each software package to evaluate its handling of secrets in its various states: not running, running and unlocked, running and locked.
“We expected and found that all password managers reviewed sufficiently protect the master password and individual passwords while they are not running,” they noted. “We expected and found that all password managers reviewed sufficiently protect the master password and individual passwords while they are notrunning.”
But they found that standard memory forensics can be used to extract the master password and other passwords/secrets these applications are supposed to guard when in the “running and locked” state.
“Keylogging and Clipboard sniffing are known risks and only included for user awareness, that no matter how closely a password manager may adhere to our proposed ‘Security Guarantees’, victims of keylogging or clipboard sniffing malware/methods have no protection,” the researchers noted.
“However, significant violations of our proposed security guarantees are highlighted in red. In an unlocked state, all or a majority of secret records should not be extracted into memory. Only a single one, being actively viewed, should be extracted. Also, in an unlocked state, the master password should not be present in either an encrypted or obfuscated form.”
Unfortunately, all the tested managers failed in at least one aspect of the protection they should provide.
The researchers urge the developers of password managers to sanitize secrets when a password manager is placed into a locked state, but also to employ methods to thwart software based keyloggers and prevent secrets exposure in an unlocked state, to employ trivial malware and runtime process modification detection mechanisms, and more.
Users are not advised to stop using password managers, but to shut them down completely when not in use and to use full disk encryption to prevent the possibility of secrets extraction in the event of crash logs and associated memory dumps.
Comments from the software developers
LastPass CTO Sandor Palfy says they’ve already implemented changes to LastPass for Applications designed to mitigate and minimize the risk of the potential attack detailed in the report.
“To mitigate risk of compromise while LastPass for Applications is in a locked state, LastPass for Applications will now shut down the application when the user logs out, clearing the memory and not leaving anything behind,” he told Help Net Security.
Jeffrey Goldberg, 1Password‘s Chief Defender Against the Dark Arts, says that the issues reported by the researcher are well known, but that any plausible cure may be worse than the disease.
“Fixing this particular problem introduces new, greater security risks, and so we have chosen to stick with the security afforded by high-level memory management, even if it means that we cannot clear memory instantly. Long term, we may not need to make such a tradeoff. But given the tools and technologies at our disposal, we have had to make a decision as to how best to keep our users secure. I stand by our decision,” he noted.
He also pointed out that the realistic threat from this issue is limited. “An attacker who is in a position to exploit this information in memory is already in a very powerful position. No password manager (or anything else) can promise to run securely on a compromised computer.”
Dashlane CEO Emmanuel Schalit pointed out that in the scenario discussed an attacker has total control of a user’s device, which meas that he can read any and every information on the device.
“In such a case, the attacker can also see everything that is typed by the user including passwords and credit card numbers, any information being exchanged by the device over the internet even if it is sent over https, any information the device is able to capture (audio, video, etc.) through the hardware attached to it, regardless of whether the user employs a password manager or not,” he explained.
“For that reason, it is generally well known in the world of cybersecurity that the above scenario is an extreme one, in the sense that no mechanism can protect the digital information on a device if that device is already entirely compromised. Please note that this does not apply to the data Dashlane stores on your device. The data stored by Dashlane on the device (i.e. on the hard drive) is encrypted and cannot be read by an attacker even if the attacker has full control of the device. This only applies to the data present in the memory of the device when Dashlane is being used by a user who has typed the Master Password.”
No solution is 100 percent perfect and users should not stop using password managers as they protect against the most common threat (reusing of potentially compromised passwords). In comparison, an attacker being able to specifically take control of the device of a single user is a much less likely threat, Schalit noted.
“At the end of the day the only real protection against a scenario where an attacker has fully compromised a device is to not use that device. It is for that reason that most (if not all) reputable security experts recommend the use of password managers, while they are fully aware of the above scenario,” he concluded.