Password managers may leave your online crown jewels 'exposed in RAM' to malware – but hey, they're still better than the alternative
The alternative being memorizing a load of really long unique passphrases
Updated A bunch of infosec bods are taking some of the most popular password managers to task after an audit revealed some mildly annoying, non-world-ending security shortcomings.
Researchers at ISE declared on Tuesday that the likes of 1Password, KeePass, LastPass, and Dashline all have vulnerabilities that would potentially allow malicious software on a Windows machine to steal either the master password or individual passwords stored by the applications.
The problem here is mainly secure memory management. To some degree, every one of the four password managers left passwords – either the master password or individual credentials – accessible in memory. This would potentially allow malware on a system, particular malware with admin rights, to obtain those passwords.
And yeah, sure... we know. We get it. If spyware has infected your computer, you're pretty much screwed. The point here is to demonstrate that software nasties can potentially mine all your login details straight from your password manager in one go. Think of this as a heads up to developers of passphrase managers, and malware researchers.
For what it's worth, we reckon that if malware has taken hold of your PC it could probably impersonate your password manager, and snaffle your master passphrase that way, but on the other hand, why go to that trouble if the goodies are laying around in RAM?
So, what we're saying here is: this isn't anything to panic over right now – it's something the designers of password managers, at least, should now be aware of.
The team noted that the password managers are not vulnerable when they are not running, such as right after the system boots up, but rather are exposed after the user opens the manager and types in their master password. That means the passwords stored on disk are safe, at least.
Who's using 2FA? Sweet FA. Less than 10% of Gmail users enable two-factor authenticationREAD MORE
"All password managers we examined sufficiently secured user secrets while in a ‘not running’ state. That is, if a password database were to be extracted from disk and if a strong master password was used, then brute forcing of a password manager would be computationally prohibitive," Team ISE explained.
"Each password manager also attempted to scrub secrets from memory. But residual buffers remained that contained secrets, most likely due to memory leaks, lost memory references, or complex GUI frameworks which do not expose internal memory management mechanisms to sanitize secrets."
The password managers are not necessarily getting better in their newer editions, either. The ISE studied two versions of 1Password (18.104.22.1686 and 7.2.576) and found that the earlier build was in fact better at protecting passwords than the newer version. This is because the later build loaded all passwords into memory as plain text as soon as the master password was entered.
Some of the described flaws have already been fixed. A LastPass spokesperson told The Register it had sorted the memory disclosure issues described in its products, and that even when the flaw was present, a real-world exploit would require the attacker to have local access to the machine with admin clearance.
The report doesn't by any means suggest you should not be using a password manager. Even with the mild flaws ISE found, a password manager remains by far the best way to keep your login credentials secure, and experts routinely recommend them as a way to manage multiple unique and strong passphrases for your online accounts.
"First and foremost, password managers are a good thing," Team ISE noted. "All password managers we have examined add value to the security posture of secrets management."
See their afore-linked report for more dos and don'ts on staying safe. ®
Updated to add
1Password reckons the ability to snaffle passwords out of RAM is a well-known problem, and not much can be done to address the underlying cause.
"This is a well-known issue that's been publicly discussed many times before, but any plausible cure may be worse than the disease," said the password manager's Jeffrey Goldberg, a self-styled chief defender against the dark arts.
"Fixing this particular problem introduces new, greater security risks, and so we have chosen to stick with the security afforded by high-level memory management, even if it means that we cannot clear memory instantly.
"Long term, we may not need to make such a tradeoff. But given the tools and technologies at our disposal, we have had to make a decision as to how best to keep our users secure. I stand by our decision. The realistic threat from this issue is limited. An attacker who is in a position to exploit this information in memory is already in a very powerful position. No password manager (or anything else) can promise to run securely on a compromised computer."
Similarly, Keepass described the issue in a statement to The Reg as a "well-known and documented limitation of the process memory protection."