Posted on February 20, 2019 at 1:51 PM

Password Managers are Important But They too can Come Under Attack

Are you concerned that your Password Manager is not as safe as it should be? You should be because new research is showing that Password Managers are not always safe and secure.

New reports show that the software used to manage these passwords is not always safe and can be hacked. There are four widely used Password Managers that Windows 10 is vulnerable to, whereby the user’s credentials, inadvertently, leak to the computer’s memory.

The four particular Password Managers that have come under scrutiny include Password, Dashlane, KeePass, and LastPassFree at LastPass. If your computer is hacked, your data could be stolen when one of these Password Managers kicks in.

The Independent Security Evaluators in Baltimore, who ran the security tests and examined the Password Managers, were surprised to learn that these particular products did not always encrypt as they should, and did not always delete password data during the background processes.

This left data vulnerable and while it does not mean that data is always exposed, it could be vulnerable to hackers, especially if the particular Password Manager starts and hackers are at the ready. The ISE also found that these Password Managers had further vulnerabilities – the master password can be exposed.

What do The Independent Security Evaluators suggest

ISE has suggested that users of certain Password Managers always treat them as vulnerable. Having a Password Manager does not necessarily ensure security.

1Password7, as an example, decrypts individual passwords and stores them in the computer memory. It does this while the program is active but locked. In order to clear any data from the memory, the user must remember to exit the software thoroughly.

LastPass can also leak a user’s credentials once the application returns to ‘locked.’ Dashlane can expose an individual’s login credentials, depending on which password the user is looking to use.

ISE is not suggesting that computer panic and delete their Password Manager. They are asking various vendors of Password Manager programs to look at stronger protection for their clients. A user’s login password and credentials must be better managed as they are loaded on to the computer, especially when the product goes back to being in a locked state.

ISE has also noted that Password Managers are vital and definitely add security. They also encourage strong passwords as weak passwords are also more open to hacking. ISE is suggesting that users check their Password Manager and ensure they add value and security.

While some may find these words alarmist, others are saying the threat is not nearly as severe as it is made out to be. 1Password has come out saying that users of their Password Manager have to be tricked in a huge way before their Password Manager can be hacked.

Others, like LastPass, have said they have ensured new safeguards to ensure passwords cannot be stolen, via malware. KeePass has said these security issues brought up by ISE are not new.

It is understood that the various Password Managers have been looking at and fixing these security issues for a long time.