Security of password manager tools questioned

Some of the most popular tools, including 1Password, have ‘fundamental’ security flaws.
21 February 2019

Apple, Google, Microsoft is forging a passwordless future together.

The number of passwords we use daily is proliferating at a rapid speed; as more of elements of business and personal life go online, it’s estimated that by 2020, the average internet user could have 207 separate logins.

For those who (wisely) don’t want to use the same password for everything, password managers have represented a secure repository for this multitude of private information.

But a recent report has questioned just how secure these tools are.

According to a report by Independent Security Evaluators (ISE), each password management solution it evaluated “failed to provide the security to safeguard a user’s passwords as advertised”.

ISE tested 1Password4 for Windows version, 1Password7 for Windows 7.2.576, Dashlane for Windows v.6.1843.0, KeePass Password Safe v.2.40, and LastPass for Applications version 4.1.59— all of which contained fundamental flaws which exposed the data they are designed to protect.

These password managers were found to not employ basic security practices, such as scrubbing secrets from memory when they are not in use, or sanitizing memory once a password manager was logged out and placed into a locked state.

As a result, a user’s entire password database could be accessed if malicious actors breached the system.

“Trivial secrets extraction was possible from a locked password manager, including the master password in some cases, exposing up to 60 million users that use the password managers in this study to secrets retrieval from an assumed secure locked state,” ISE stated.

According to the report, LastPass has 16.5 million private users and 43,000 business entities utilizing its tool. 1Password, meanwhile, can claim use by 15 million private users and 30,000 businesses.

But let’s be clear, password managers are a good thing, and it’s still better having one than not having one at all. As Troy Hunt, a web security expert and researcher said, “Password managers don’t need to be perfect, they just need to be better than not using them which they unequivocally still are.”

But, since users’ credentials are centrally stored and managed, typically protected by a single master password to unlock a password manager data store, they represent a logical first target for adversarial activity.

The report states that with the proliferation of online services, password use has gone from about 25 passwords per user in 2007 to 130 in 2015 and is projected to grow to 207 in 2020.

Ultimately, the report concludes that most password managers that were examined sufficiently secured user secrets while in a non-running state. This means that if a password database were extracted from disk and if a strong master password was used, brute forcing of a password manager would be ‘computationally prohibitive’.

“Each password manager also attempted to scrub secrets from memory […] but residual buffers remained that contained secrets, most likely due to memory leaks, lost memory references, or complex GUI frameworks which do not expose internal memory management mechanisms to sanitize secrets,” it states.

The paper does explain that the team’s intention is not to criticize specific password manager implementations, but to establish a reasonable minimum baseline which all password managers should comply with.

“It is evident that attempts are made to scrub sensitive memory in all password managers […] however, each password manager fails in implementing proper secrets sanitization for various reasons,” the team said.

‘Key logging’ and ‘clipboard sniffing’ are popular malware-driven methods and the team at ISE concedes that most victims will have no protection even if these password managers adhere to the team’s proposed ‘Security Guarantees’.

The team recommends that the most urgent item is to sanitize secrets when a password manager is placed into a locked state.

Users are also advised to employ hardware-based features, malware detection systems, keep their OS updated, utilize ‘Secure Desktop’ features from password managers and, of course, invest in robust anti-virus solutions.

Amit Sethi, senior principal consultant at Synopsys, told us that the main risk is that somebody gets access to one’s computer while the password manager is running in a locked state.

“The first step is to upgrade your password manager to the latest available version […] then, make sure that you are using a strong master password that would be difficult for others to guess or brute-force,” he added.

As an extra precaution, Sethi added, users can close their password manager completely when they leave their computer unattended. Disk encryption should also be enabled on the computer and shutting down the computer or placing it in hibernation mode when unattended is also good practice.

“We live in a world where the need for passwords can be in the hundreds for the average user,” commented Gavin Millard, VP of Intelligence at Tenable.

If an individual relies on just one or two that are reused across multiple accounts, the likelihood of one being discovered in a data-dump on the dark web is more likely than the scenarios described in this paper being achieved by a threat actor.”