Report: Most Password Managers Not Secure

By John Lister

Security researchers say some major password manager tools could be flawed. But they also say it's still sensible to use them, just with a degree of caution.

It's a fact that using the same password for multiple sites is a massive security risk. That's because if one site gets hacked, it could mean that hackers can use the same password on another website to gain access to potentially sensitive information, resulting in identity theft or financial loss.

Password manager tools (such as RoboForm and Dashlane) aim to solve two big problems with online passwords: keeping every password unique, and remembering them all. Remembering unique passwords becomes incredibly difficult, especially considering that most users regularly use around 20 or more websites that require credentials.

The most common setup for a password manager is to act like a vault that holds all the passwords. The vault is then protected with a master password, which can be entered by the user or unlocked using biometrics (such as a fingerprint sensor). Typically, the software company that develops the password manager does not have access to the passwords themselves, and the passwords are stored in encrypted form.

Windows Programs At Risk

An organization known as Independent Security Evaluators examined several major password manager services to see whether they followed sensible security practices. They looked at standalone Windows apps, rather than the type of password manager that requires you to log in to a website (such as Dashlane).

One thing they looked at was how the computer handled password data while the apps were locked: in other words, when the user wasn't actively retrieving a password to use on a site. They discovered that with four major password managers (1Password, Dashlane, KeePass, and LastPass), passwords were sometimes left behind in the computer's memory.

In two cases (1Password and LastPass), researchers discovered that the master password itself could be exposed. (Source: securityevaluators.com)
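To illustrate the defensive point behind that finding, here is an added example (not code from the report or from any of the products named): a minimal vault whose lock operation actually wipes the master password and the derived key from memory, using a volatile write so the compiler cannot drop the clear as a dead store. The key-derivation step is a hypothetical stand-in for a real KDF.

```c
#include <stdint.h>
#include <string.h>

#define MAX_MASTER 64
#define KEY_LEN 32

/* Vault state: the master password and the key derived from it. */
struct vault { char master[MAX_MASTER]; uint8_t key[KEY_LEN]; int unlocked; };

/* memset() on a buffer that is never read again may be dropped as a dead store;
 * writing through a volatile pointer forces the stores to happen
 * (explicit_bzero / SecureZeroMemory do the same where available). */
static void secure_zero(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) *vp++ = 0;
}

/* Hypothetical stand-in for a real KDF (PBKDF2/Argon2), only here so the
 * vault has a second secret to wipe. */
static void derive_key(const char *pw, uint8_t out[KEY_LEN]) {
    uint8_t h = 0x5a;
    for (size_t i = 0; pw[i]; i++) h = (uint8_t)(h * 31u + (uint8_t)pw[i]);
    for (size_t i = 0; i < KEY_LEN; i++) out[i] = (uint8_t)(h + i);
}

int vault_unlock(struct vault *v, const char *pw) {
    size_t n = strlen(pw);
    if (n == 0 || n >= MAX_MASTER) return 0;
    memcpy(v->master, pw, n + 1);
    derive_key(v->master, v->key);
    v->unlocked = 1;
    return 1;
}

/* Locking wipes every secret, not just the flag. */
void vault_lock(struct vault *v) {
    secure_zero(v->master, sizeof v->master);
    secure_zero(v->key, sizeof v->key);
    v->unlocked = 0;
}

/* Self-check: 1 only if no secret byte remains and the vault is locked. */
int vault_is_clean(const struct vault *v) {
    for (size_t i = 0; i < sizeof v->master; i++) if (v->master[i]) return 0;
    for (size_t i = 0; i < sizeof v->key; i++) if (v->key[i]) return 0;
    return !v->unlocked;
}

/* Unlock, confirm secrets are present, lock, confirm they are gone. */
int demo_lock_cycle(const char *pw) {
    struct vault v;
    memset(&v, 0, sizeof v);
    if (!vault_unlock(&v, pw) || vault_is_clean(&v)) return 0;
    vault_lock(&v);
    return vault_is_clean(&v);
}
```

The same check can be applied to any buffer that held a decrypted entry: after lock, inspect it and expect only zeros.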

The password manager companies have given mixed responses to the report, with some saying they will continue to look for ways to tighten up potential security issues. Others claim that the potential exposure is simply a limitation of the way Windows works.

Password Managers Still Worth Using

It's not necessarily a major security disaster. For a hacker to take advantage of this flaw, they'd first need either remote or physical access to a computer.

Tech experts note it's an example of security being about degrees rather than absolutes. The Washington Post uses the analogy of a seatbelt: it doesn't prevent all damage in auto accidents, but it is still worth using. (Source: washingtonpost.com)

It does mean users of password managers should take three steps to boost their protection and mitigate the risks:

  • Close down password manager apps completely rather than leaving them running, even in "locked" mode.
  • Continue to use adequate security software to protect the computer against remote hacking.
  • Consider not using the password manager for the most critical login details, such as email accounts and online banking.
  • If in doubt, hire a professional to do a security audit of your system and/or set up your password management program properly. Dennis Faas can provide you with these services - contact link here.

What's Your Opinion?

Do you use a password manager? Does this news put you off using them? Does the public have a good understanding of levels of risk in computer security?


Comments

alan.cameron_4852

The problems reported are only exposed if you have already been infiltrated with some other sort of exposure.
Once you have been infiltrated all security is pointless.

DavidInMississippi

Because of the massive security breaches perpetrated in the last decade, with millions and millions of user names and their data exposed, I have a difficult time trusting such online password managers as RoboForm and OnePass.

I am still using the password manager I began using before any of these became popular, KeePass. I don't like it a lot because it is not customizable (font size, etc.), but it uses 256-bit AES encryption, and will keep its data store wherever I want.

I DO like it a lot because it allows me to write as much in the COMMENTS field as I like, so for example, in the entry for my credit card (which I use to copy and paste the number when buying online), I can also put a list of the companies that automatically charge that card, so when I get a replacement card with a new number, I can easily see which businesses I need to log into and change the payment data.

ALSO, I keep the (encrypted) datastore file in a DropBox folder on my hard drive, and so I can get to my passwords wherever I am - desktop, laptop, tablet, or smartphone.

And finally, the price is right for this program - free.

Others may disagree, but this works for me.

cmdrbozo

If you're concerned about the password manager site being hacked, you can add an additional layer of protection by simply adding the same few characters to each password.

E.g. OmG[password1], OmG[password2]

Netpilot

In your article, you state that "In three cases (including: 1Password, Last Pass and Roboform), researchers discovered that the master password could be exposed. (Source: securityevaluators.com)"

I read the article at securityevaluators.com and as you stated elsewhere in your article, 1Password, Dashlane, KeePass, and Last Pass were discussed.

Did you mean to include RoboForm in your article? It was not discussed at securityevaluators.com.

Dennis Faas

The source for the info seems to have changed and this article has been updated.