Slashdot Mirror


Severe Vulnerabilities Uncovered In Popular Password Managers (zdnet.com)

chiefcrash shares a report from ZDNet: Independent Security Evaluators (ISE) published an assessment on Tuesday with the results of testing with several popular password managers, including LastPass and KeePass. The team said that each password management solution "failed to provide the security to safeguard a user's passwords as advertised" and "fundamental flaws" were found that "exposed the data they are designed to protect."

The vulnerabilities were found in software operating on Windows 10 systems. In one example, the master password which users need to use to access their cache of credentials was stored in PC RAM in a plaintext, readable format. ISE was able to extract these passwords and other login credentials from memory while the password manager in question was locked. It may be possible that malicious programs downloaded to the same machine by threat actors could do the same.
The report has summarized the main findings based on each password management solution. Here's what ISE had to say about LastPass and KeePass -- two of the most popular password managers available:

"LastPass obfuscates the master password while users are typing in the entry, and when the password manager enters an unlocked state, database entries are only decrypted into memory when there is user interaction. However, ISE reported that these entries persist in memory after the software enters a locked state. It was also possible for the researchers to extract the master password and interacted-with password entries due to a memory leak."

"KeePass scrubs the master password from memory and is not recoverable. However, errors in workflows permitted the researchers to extract credential entries which have been interacted with. In the case of Windows APIs, sometimes, various memory buffers which contain decrypted entries may not be scrubbed correctly."
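The lock-time behaviour described in the two findings above (decrypted entries that persist after the manager locks, versus buffers that are scrubbed) can be shown in a few lines of C. This is an added example, not code from the report, LastPass or KeePass; `vault_t`, the XOR stand-in for decryption and the sample secret are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ARENA_SIZE 256

/* Hypothetical vault: every decrypted entry is written into one arena,
 * so locking has exactly one region it must scrub. */
typedef struct {
    unsigned char arena[ARENA_SIZE];
    size_t used;
    int unlocked;
} vault_t;

/* Zero memory through a volatile pointer so the compiler cannot discard
 * the stores as dead. On Windows, SecureZeroMemory serves this purpose. */
static void secure_wipe(void *p, size_t n)
{
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}

/* Toy stand-in for real decryption (XOR with one byte); NOT a cipher. */
static void toy_crypt(unsigned char *dst, const unsigned char *src,
                      size_t n, unsigned char key)
{
    for (size_t i = 0; i < n; i++) dst[i] = src[i] ^ key;
}

void vault_init(vault_t *v)
{
    memset(v, 0, sizeof *v);
    v->unlocked = 1;
}

/* Decrypt one entry on user interaction. Returns NULL when the vault is
 * locked or the arena has no room for the entry plus its terminator. */
const char *vault_reveal(vault_t *v, const unsigned char *ct, size_t n,
                         unsigned char key)
{
    if (!v->unlocked || n + 1 > ARENA_SIZE - v->used) return NULL;
    unsigned char *dst = v->arena + v->used;
    toy_crypt(dst, ct, n, key);
    dst[n] = '\0';
    v->used += n + 1;
    return (const char *)dst;
}

/* Lock that only changes state: plaintext stays in the arena. */
void vault_lock_naive(vault_t *v)
{
    v->used = 0;
    v->unlocked = 0;
}

/* Lock that scrubs every byte that may have held plaintext. This covers
 * only buffers the application owns; copies made by GUI or OS APIs are
 * outside its reach. */
void vault_lock_scrub(vault_t *v)
{
    secure_wipe(v->arena, sizeof v->arena);
    v->used = 0;
    v->unlocked = 0;
}

/* Self-test helper: how many times does needle still occur in the arena? */
int residue_count(const vault_t *v, const char *needle)
{
    size_t n = strlen(needle);
    int hits = 0;
    if (n == 0 || n > ARENA_SIZE) return 0;
    for (size_t i = 0; i + n <= ARENA_SIZE; i++)
        if (memcmp(v->arena + i, needle, n) == 0) hits++;
    return hits;
}

/* Reveal one constructed entry, lock, then look for leftovers. */
int demo_residue_after_lock(int scrub)
{
    static const char secret[] = "constructed-secret-1"; /* sample value */
    const unsigned char key = 0x5a;
    unsigned char ct[sizeof secret - 1];
    vault_t v;

    toy_crypt(ct, (const unsigned char *)secret, sizeof ct, key);
    vault_init(&v);
    if (!vault_reveal(&v, ct, sizeof ct, key)) return -1;
    if (scrub) vault_lock_scrub(&v); else vault_lock_naive(&v);
    return residue_count(&v, secret);
}

int main(void)
{
    printf("residue after naive lock: %d\n", demo_residue_after_lock(0));
    printf("residue after scrub lock: %d\n", demo_residue_after_lock(1));
    return 0;
}
```

A residue check of this kind works as a regression test for an application's own buffers; it says nothing about copies held by the operating system.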


  1. I enjoy memorizing passwords. by Anonymous Coward · · Score: 1

    Fuck lazy horse batteries.

  2. 2 Factor vaults by JaredOfEuropa · · Score: 1

    Are there any decent USB stick based password vaults? Something that stores credentials internally and manages decryption after entering the master password. You’d still need to take care that the master password or decrypted credentials don’t linger in memory, but I’d feel better having the master data offline instead of having everything floating around in the cloud.

    Even better would be an unlock pin (or fingerprint) to be entered on the USB stick itself.

    --
    If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
    1. Re:2 Factor vaults by grep+-v+'.*'+* · · Score: 3, Interesting

      Are there any decent USB stick based password vaults? Even better would be an unlock pin (or fingerprint) to be entered on the USB stick itself.

      Great! Then all I'd need is your USB password stick and your finger. The rest of you and your computer can stay behind. I'd rather have the XKCD wrench, thank you.

      --
      If the universe is someone's simulation -- does that mean the stars are just stuck pixels?
    2. Re:2 Factor vaults by Anonymous Coward · · Score: 1

      Neither of those solutions are air gapped.

      That is the problem with software based password managers. If you use them on a compromised system you give up all your passwords.

      There aren't many clever solutions out there that are better than a post-it next to the computer.
      If you want to get fancy you can have a notebook with your passwords written in an obfuscated form without complete information to what they are for.

    3. Re:2 Factor vaults by plazman30 · · Score: 4, Insightful

      I was thinking the same thing. You have hardware level access to a PC to the point where you can read RAM in order to get someone's master password from their password manager? Why would you bother? Just install a keylogger instead and you can have all sorts of fun.

    4. Re: 2 Factor vaults by JaredOfEuropa · · Score: 1

      They can't get the code if you enter it on the USB device itself. But even if the PIN is entered in the browser plugin for the device, you'd still want a physical button on the stick for each password retrieval. In that case, even if they manage to get your PIN and compromise the browser plugin so they can issue password retrieval requests remotely, they still won't be able to push that button and approve such requests. They get a couple of passwords at best, not the whole file and the master key.

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
    5. Re:2 Factor vaults by ilsaloving · · Score: 1

      Having it stored on USB wouldn't solve anything because the problems described in the article refer to passwords sitting in plain text in memory while the password manager process is running.

      Running a password manager from a USB key wouldn't solve that. At least, not directly. Quitting the application and giving the OS time to overwrite the used memory with new data would be a workaround to the problem regardless of where your vault is physically stored.

      The only way to mitigate the problem completely is to not use a vault at all, and instead rely on OTP (One Time Password) and RSA token devices. Yubikey, for example, is an excellent option for such a thing, because it acts like a keyboard and inputs the token for you when you hit the button.

      But of course, then you get into the "something you have" realm of security risks. Nothing is perfect.

    6. Re:2 Factor vaults by Anubis+IV · · Score: 2

      To be fair, there may be forensic value in what they’re doing, such as if the PC has been confiscated as evidence and the user won’t be returning to unlock it anytime soon. Being able to unlock the vault without the need for a keylogger could be a major victory in that situation.

    7. Re:2 Factor vaults by TVmisGuided · · Score: 1

      KeePass on a USB stick, in conjunction with a YubiKey and HOTP configuration, gives you two of the three security factors in just two USB slots. An attacker would need the master password AND both devices to gain access to your password database, and they'd have to know how you have your YubiKey configured to generate HOTPs. A preset number of failed YubiKey triggering attempts, and the database is locked. And good luck guessing the hash that generates the HOTPs. Doubly so since YubiKey configurations can't be read from the device, only written to the device. (Disclaimer: I don't work for Yubico or sell their devices. I'm just a satisfied user who's rather low on the corporate ladder.)

      IMO, for the average corporate-level user, it's as good as it's going to get unless you want to delve into the expensive world of biometric authentication to gain the third security factor. And that opens up an entirely new can of worms, which will follow Zymurgy's Law of Evolving Thermodynamics.

      Just my 2p worth. Save up the change for a root beer or something.

      --
      All the world's an analog stage, and digital circuits play only bit parts.
    8. Re:2 Factor vaults by ctilsie242 · · Score: 1

      IronKeys used to have this feature, but not sure what has happened to them since they were bought out, or which models still have this around.

    9. Re:2 Factor vaults by 93+Escort+Wagon · · Score: 1

      I was thinking the same thing. You have hardware level access to a PC to the point where you can read RAM in order to get someone's master password from their password manager? Why would you bother? Just install a keylogger instead and you can have all sorts of fun.

      I recall that, a few years ago, the encrypted OS X keychain was shown to have similar vulnerabilities as are being described here. Mac users who said more or less the same thing you did now were not always treated kindly on this forum.

      To be fair, there are probably cases where this sort of vulnerability might turn out to be useful - nation-state level espionage for instance. Most of us probably don’t live or work in that realm, though.

      --
      #DeleteChrome
    10. Re: 2 Factor vaults by houghi · · Score: 1

      The keylogger potentially does not show any passwords.

      --
      Don't fight for your country, if your country does not fight for you.
    11. Re:2 Factor vaults by pnutjam · · Score: 1

      This is exactly what Keepass is designed to support. There is a portable version you can keep on your usb stick.

    12. Re:2 Factor vaults by Anubis+IV · · Score: 1

      The problem with your theory is that you need the user to unlock the keyvault.

      While that's true for the sort of malware described in the summary, that's hardly the only way to approach the issue. After all, if the problem is that confidential data is being persisted in memory when it shouldn't be, there's nothing stopping a forensic investigator from dumping the contents of memory after the fact to exploit these weaknesses, hence my suggestion.

      But I do agree that if you're installing malware on their system and expect them to use it again after you do, you'd be better off with a keylogger.

    13. Re:2 Factor vaults by DethLok · · Score: 1

      Needs a mod for "terrifying"...

  3. 'severe' by Njovich · · Score: 4, Insightful

    So security researchers are scraping the bottom of the barrel to such an extent that having access to program data when you have total control over a computer's memory is a severe vulnerability now?

    1. Re:'severe' by OffTheLip · · Score: 5, Insightful

      Users of this "vulnerability" are most likely state actors/law enforcement agencies, and 3 letter organizations. They have your computer, they need your password protected data.

    2. Re:'severe' by flirek · · Score: 1

      Main memory of today's computers cannot be considered "private" & "secure" enough as Intel IME and similar garbage can directly read from it. Assumption that you have total control of memory is false.

    3. Re:'severe' by AmiMoJo · · Score: 5, Insightful

      Keepass is basically as good as it can ever possibly be. The "vulnerability" they found relates to the fact that when it displays entries on screen Windows will make copies of some of the data to create the GUI, and there is no effective way to scrub that.

      Which is basically irrelevant because 99% of the time the user is going to use that information on the same machine anyway, i.e. they will copy/paste it into a browser or encryption app. So the attacker needs to have control of the machine in order to read process memory, and even if somehow Keepass blocked them they could likely just recover it from keystrokes, the clipboard or the app it's being used in.

      The main risk is that the app crashes and the secret data can be recovered from the crash dump, but Keepass prevents that happening. Unfortunately they don't seem to have tested that attack.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    4. Re:'severe' by GrandCow · · Score: 1

      The weak link is always the human.

      If you're determined enough as a 3-letter agency to get in, then you can also disappear the person. Beat them enough and they'll give up the password. That beating can be either physically beating, or mental by doing things to family, friends, bank accounts, etc.

      --
      "Well kids, you tried your best, and you failed. The lesson is, never try." -Homer Simpson
    5. Re:'severe' by Jeppe+Salvesen · · Score: 1

      Or whoever established a foothold on a computer and is looking to expand their territory. Let's say they got something running from a drive-by infection. They can now proceed to access social media, buy stuff with the owner's money using amazon 1-click and so forth. Maybe even find the owner's actual comments on Pornhub in order to make the extortion mails more believable. Industrial espionage. Basically, these vulnerabilities can result in monetary gain for the attacker so it'll attract some proper talent.

      "Severe" is possibly overstating it, but we shouldn't downplay this too much either.

      --

      Stop the brainwash

    6. Re:'severe' by cjeze · · Score: 1

      uh. it is absolutely not the bottom of the barrel. Most exploits work from inside the computer, if there are proven tools that can extract passwords and passphrases from memory it is just a matter of time before they can take over your whole life. If not fixed quickly exploits are going to pop up in the wild in 3..2..1..

    7. Re:'severe' by msauve · · Score: 2

      Whoosh.

      If a bad actor has control over a computer, they can simply use a keylogger. Way easier, and way less data to weed through.

      WARNING! SECURITY ALERT! If someone has control of your computer, they have control of your computer.

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    8. Re:'severe' by scdeimos · · Score: 2

      Is it bottom of the barrel? I think it's healthy to stop and think about how password managers get used. If it makes you reconsider keeping your password manager open and unlocked all day every day, as opposed to only when you need it, this is a benefit. I'd never considered the implications of the Show/Hide Asterisks feature in KeePass, for example.

      It's also important to remember: an attacker might have access to the memory of your computer, in which case you've lost the battle for your computer, but if they can also score all your usernames and passwords as well, that really does give them the keys to the kingdom.

    9. Re:'severe' by l0n3s0m3phr34k · · Score: 1

      Yes, this is NOT a real vulnerability. Neither CVE nor NIST shows anything for Keepass 2.41; until something shows up here it's "unsubstantiated" aka like an "unpublished peer review".

    10. Re:'severe' by Cmdln+Daco · · Score: 2

      Translation: None of us should fret about this hyped up topic. Unless we are actors on the level where a government agency is going to come after us.

      And no, few if any people on Slashdot meet that criterion. No matter how much we herp and derp about it.

    11. Re:'severe' by Anonymous Coward · · Score: 3, Insightful

      Is it bottom of the barrel? I think it's healthy to stop and think about how password managers get used. ...
      but if they can also score all your usernames and passwords as well, that really does give them the keys to the kingdom.

      I'd say yes, at least with their keepass results, this is bottom of the barrel.

      They say this is a vulnerability in keepass, yet the only place in ram they found plaintext keys was from the windows API.
      That sounds to me like a windows problem and not a keepass problem.

      All passwords are going to be used to authenticate to something. If you can only get at the plaintext key after it is handed off to that something, it does seem like a huge stretch to blame the password manager for it.

      Or put another way, if you remove keepass 100% from the equation, these researchers could use the exact same exploit they did to get the password you typed into a windows dialog box right from the windows API that created that dialog.

      If their exploit works when typing in a password you memorized in exactly the same way it works when getting the password from keepass, as the case seems to be, it simply can't be a keepass vulnerability.

      Clearly the exploit being in Windows makes it a lot worse than if it was just in the client/program you are authenticating with. Windows API will be involved with all of the passwords you use, while the client software only for what it does.

      IE if you can intercept a password sent to chrome/firefox, you can get all web passwords, but your SSH client may be secure. With the problem being the windows api, both of those are equally vulnerable.

      But all of those cases are long after keepass did its job, so I don't see how this is the fault of keepass like they claim.

      Also entering the password by hand into a dialog will cause it to be kept in the windows API ram just the same, and I don't see why this is a keepass fault like they claim, especially for all the situations where people don't use/have/know-of keepass and have never once used it!
      Yet it is the same exploit.

      Grandma runs a program and types "12345" - never once heard of keepass, just types it - and according to these researchers the very fact they can find "12345" in ram left behind by a windows dialog box is somehow the fault of keepass. Again, the fault of a program not used or involved in that example!

      That's why this is bottom of the barrel.

      Note I'm not saying such verification and testing shouldn't be done. It absolutely should be, over and over, by as many people as possible. We don't want to miss anything.
      I just feel the results should be labeled as what they are.

    12. Re:'severe' by Njovich · · Score: 4, Interesting

      If you suspect the CIA/NSA is really after you I wouldn't recommend you to use Lastpass, or Windows. In fact your options are pretty limited and I would highly recommend to not get into that situation in the first place.

    13. Re:'severe' by AmiMoJo · · Score: 1

      For most people the threat model they should be concerned with is password reuse and weak passwords. A password manager, even a flawed one, can fix both of those.

      The convenience vs. security trade-off of not having to keep unlocking the password manager is worth it for most people, because the alternative is realistically going to be using "passw0rd" for everything. In fact I recommend people have their browser remember their passwords.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    14. Re:'severe' by drinkypoo · · Score: 1

      That was a cool comment until the part where you hit submit before telling us which one it is.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    15. Re:'severe' by Anonymous Coward · · Score: 1

      Keepass has the feature he mentioned, called auto-type. You can initiate it either from KeePass, where it will minimize the keepass window and start typing in whatever window was underneath, or you can configure a global hotkey, which will make keepass run a search based on window title for the relevant password entry.

    16. Re:'severe' by Zehsi · · Score: 1

      Your assumption that every computer has an Intel CPU is also false.

    17. Re:'severe' by strikethree · · Score: 1

      If you suspect the CIA/NSA is really after you I wouldn't recommend you to use Lastpass, or Windows.

      Or any modern CPU. That "management" feature that you can't disable? Yeah, that is a back door. Even worse, I know for a fact the Intel CPUs were being built with 3G chipsets inside of them, so even being "offline" isn't good enough. The entire computing environment needs to be TEMPEST shielded, as in Enemy of the State.

      I assume they have upgraded from 3G in their CPUs. You simply can not trust any modern technology if the CIA/NSA is after you.

      It should also be noted that it is not technically difficult to build an EM sensor that can capture the weakest of EM radiations up to about 50 feet away. Without TEMPEST, they can read the data travelling on the CPU bus from 50 feet away.

      --
      "Someone needs to talk to the tree of liberty about its ghoulish drinking problem." by ohnocitizen
    18. Re:'severe' by sexconker · · Score: 2

      KeePass also has a feature that obfuscates autotyping. TCATO I believe, for two-channel auto type obfuscation.
      It just doesn't type your password, it types characters, moves the cursor around, types others, pastes certain bits, etc.

      It'll fool the common sniffer software, but anyone with a full dump (including what was copied and pasted - most software keyloggers don't do that, and in-line hardware keyloggers can't do that) can of course replay it to get the password.

  4. Not sure by Artem+S.+Tashkinov · · Score: 3, Interesting

    If I understand these two "vulnerabilities" properly, they require a piece of software installed/running locally which will steal/grab these passwords from RAM. However no normal/legitimate software will ever steal your passwords or access the RAM regions of other applications, which means this software is in essence malware which means you're already completely fucked and this software may just steal your master passwords, retrieve all files, etc. etc. etc.

    1. Re:Not sure by mentil · · Score: 1

      This could be relevant to memory-access attacks, like escaping from VMs, Docker containers etc.
      It seems unlikely a server would be running a password manager app though.

      --
      Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.
    2. Re:Not sure by Zocalo · · Score: 2

      There are varying degrees of "completely fucked", but yes, if you are being successfully attacked using this method then you are already in a pretty bad place, although it's possible that a lucky attacker might obtain enough info to pivot the attack onto an entirely separate system you happen to have a password for. Going from one PC being compromised to your entire network being compromised is definitely a step up in the level of "completely fucked".

      Of course, if the malware has already been able to intercept the master password to your password DB, then they'll likely have sent the DB file and the password back to a C&C server anyway, so it's very much game over at that point.

      --
      UNIX? They're not even circumcised! Savages!
    3. Re:Not sure by Zocalo · · Score: 1

      It seems unlikely a server would be running a password manager app though.

      No, but it's much more likely that a compromised PC with a password manager installed might be used to remotely log into that server and provide the attacker with a means to obtain the server's password. This provides another avenue of attack to obtain a server password, albeit perhaps not the easiest one to get the same results, but the more attack vectors there are the more likely it is that one will succeed, and it only takes one...

      --
      UNIX? They're not even circumcised! Savages!
    4. Re:Not sure by Sique · · Score: 2

      It's not unlikely. Actually, it's quite often used.

      Imagine an IT shop working remotely on diverse customer sites. There are dozens of technicians, and literally hundreds of passwords. One way to manage the password hell would be to assign a password safe to each customer, installed at the customer site on the server you use as central remote access. So your technician tasked with a job there would look up the password safe master key for that customer, and then remotely access the server there, to find the passwords necessary to access all the other systems your IT shop manages.

      --
      .sig: Sique *sigh*
    5. Re:Not sure by Kokuyo · · Score: 1

      I'd even go as far as to say that a relatively sophisticated keylogger is probably much easier to code and just as effective.

    6. Re:Not sure by drinkypoo · · Score: 1

      This is why meltdown is important. There have historically been lots of ways to sneak code onto users' computers. We like to think protected memory will, uh, protect us. But since it won't, these things are important.

      Rendering passwords without using the system font libraries (or GUI text widgets) solves the problem of being able to grab the data from the OS. There have long been password deobfuscation tools, my favorite used to be snadboy's revelation but I don't think that works any more. Helped me a lot back in the xp days, though. But being able to read another process' supposedly protected memory is a whole other level.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  5. Use The Best Password by mentil · · Score: 1

    That's why I always use a yuge password: 1234abcd. It's a very good password. The best password, really.

    --
    Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.
    1. Re:Use The Best Password by kbg · · Score: 5, Funny

      That's amazing! I've got the same combination on my luggage!

    2. Re:Use The Best Password by complete+loony · · Score: 1

      Summer2017 was a good time for password cracking.

      --
      09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
    3. Re:Use The Best Password by 93+Escort+Wagon · · Score: 1

      You should switch it to something like “hunter2”.

      --
      #DeleteChrome
  6. Re:passwords.txt by Opportunist · · Score: 1

    As long as the computer is off, it's also pretty secure in Lastpass and Keepass.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  7. that's why I keep my passwords! by danbuter · · Score: 1

    That's why I keep my passwords on a sticky note on my monitor! Never trust the cloud!

  8. Other ways to display data by Comboman · · Score: 1

    Keepass is basically as good as it can ever possibly be. The "vulnerability" they found relates to the fact that when it displays entries on screen Windows will make copies of some of the data to create the GUI, and there is no effective way to scrub that.

    Are you kidding? That's easy, don't use system fonts to display the password on-screen. It takes a bit of effort to create letters from graphic elements like lines and semi-circles but it's much safer (/-\ = A, etc). You could even randomize the angles and lengths of the line segments slightly (like a captcha) to prevent automated pattern recognition.

    --
    Support Right To Repair Legislation.
    1. Re:Other ways to display data by drakaan · · Score: 5, Insightful

      Well, yes, but since you're most likely going to be doing a copy/paste out of the field with the password in it, that vulnerability is going to be eclipsed by the vulnerability of being able to grab what's in the clipboard. KeePass already doesn't show you the password by default when you open an entry. You have to click the little "show password" button. They could have easily made the password display as a bitmap image instead of text, but I'm assuming they didn't for the same reason I just mentioned. I mean, you can make it not ever display text, but instead read the password aloud, but each of the mitigations mentioned are just going to make people not use that password manager because it becomes inconvenient. Ultimately, if you don't just have all of your passwords memorized, you are vulnerable to some sort of attack that doesn't involve the wrench technique.

      --
      "Murphy was an optimist" - O'Toole's commentary on Murphy's Law
    2. Re:Other ways to display data by 93+Escort+Wagon · · Score: 1

      Well, yes, but since you're most likely going to be doing a copy/paste out of the field with the password in it, that vulnerability is going to be eclipsed by the vulnerability of being able to grab what's in the clipboard.

      By default, the Mac port “MacPass” removes a copied password from memory after a length of time (either 15 or 30 seconds, I believe). I assume they adopted this behavior from KeePass proper, but don’t know that first hand.

      --
      #DeleteChrome
    3. Re:Other ways to display data by sexconker · · Score: 1

      And the chunk of memory showing how to draw those things will possibly be copied out by Windows.

      The OS has full control over memory. KeePass cannot fix this. There is nothing to fix. If your box is pwned you lose regardless.

  9. But we are still safe on by AHuxley · · Score: 1

    Apple? That's all good right? And Linux? All good?

    --
    Domestic spying is now "Benign Information Gathering"
  10. Re:Are these really that severe? by Smidge204 · · Score: 1

    While true, that also means that it would have to wait until you actually copy/type the password in order to steal it, and there is still the task of identifying the password out of all the other data you copy or words you type through out the day.

    Or, since you have access to the RAM, just snag it from the password manager whenever the process appears. Then you get all the passwords at once, along with usernames or other important info, and you don't have to sift through junk data to find them.
    =Smidge=

  11. Still using pwsafe by godrik · · Score: 2

    Bruce Schneier, thank you for the fish!

  12. Re:Keylogger would be easier by bobbutts · · Score: 1

    The user is usually copying and pasting in the case of using a password manager, so the keyboard buffer will not have what you are looking for.

  13. Confusion in the comments by FeelGood314 · · Score: 1

    There are two types of attacks against systems like this.
    1 where the attacker modifies the system, hopes the victim doesn't notice and then steals information when the victim next uses the system
    2 where the attacker steals the system and then tries to extract information

    These attacks are against the latter, where I steal your laptop and then try and extract your passwords from the running machine. If your password manager is open and unlocked, then I can trivially get your passwords, but if the manager has been closed, then these attacks could reveal your passwords.

    I once tried to bid on writing the standard for Canadian Interac point of sale devices. The spec at the time failed to make this distinction.

  14. Re:I tried keepass once... for about 30 minutes... by b0bby · · Score: 1

    I have a couple of schemes which I use for a lot of my passwords, but there are enough unique ones that I find Keepass extremely useful. Not to mention that I keep note of a bunch of other data and my kids' passwords there too. Also my wife could use it if she needed to if I get hit by a bus.

    I've helped a bunch of people set up Keepass, and I have never seen the data disappear. But if you don't need it, your way is probably better!

  15. even Q-class answer to an ROI by epine · · Score: 1

    If you're determined enough as a 3-letter agency to get in, then you can also disappear the person.

    Yes, of course. The good, old TLA infinite-budget porn.

    Your position in the security food chain determines how much they are willing to spend. Even well-heeled Q-class spooks answer to an ROI at scale.

    Of course, part of the signal about your rung on the security food chain is determined by how effectively you armour yourself with effective prophylaxis.

    This is why security culture can only work as a public good, wherein everyone on principle uses the highest caliber of security practical. When security is practiced exclusively on an as-needed basis, it only helps to paint a more accurate bull's eye on your backside.

    All the TLAs must surely love the useful idiots who distract from the economic model that prevails here, by ranting at high pitch about naked capabilities, as there are no endemic constraints on their side of the fence.

  16. Use pass by allo · · Score: 1

    The standard unix password manager is in many aspects more secure than the bloated ones: https://www.passwordstore.org/

    - It is minimal. It is a short bash script, that you can read completely before using it.
    - It uses standard tools like gpg for storage and pwgen for password generation
    - It has a simple command line with some uncomplicated graphical frontends
    - It does not leave anything in memory, as it terminates when it finished copying the password to your clipboard or writing it to the console (or in the pipe of some other program).