Slashdot Mirror


Severe Vulnerabilities Uncovered In Popular Password Managers (zdnet.com)

chiefcrash shares a report from ZDNet: Independent Security Evaluators (ISE) published an assessment on Tuesday with the results of testing with several popular password managers, including LastPass and KeePass. The team said that each password management solution "failed to provide the security to safeguard a user's passwords as advertised" and "fundamental flaws" were found that "exposed the data they are designed to protect."

The vulnerabilities were found in software operating on Windows 10 systems. In one example, the master password which users need to use to access their cache of credentials was stored in PC RAM in a plaintext, readable format. ISE was able to extract these passwords and other login credentials from memory while the password manager in question was locked. It may be possible that malicious programs downloaded to the same machine by threat actors could do the same.
The report has summarized the main findings based on each password management solution. Here's what ISE had to say about LastPass and KeePass -- two of the most popular password managers available:

"LastPass obfuscates the master password while users are typing in the entry, and when the password manager enters an unlocked state, database entries are only decrypted into memory when there is user interaction. However, ISE reported that these entries persist in memory after the software enters a locked state. It was also possible for the researchers to extract the master password and interacted-with password entries due to a memory leak."

"KeePass scrubs the master password from memory and it is not recoverable. However, errors in workflows permitted the researchers to extract credential entries which have been interacted with. When Windows APIs are involved, various memory buffers which contain decrypted entries are sometimes not scrubbed correctly."
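The failure described above, decrypted entries that stay readable in process memory after the manager reports a locked state, and the scrub that closes it, as an added example in C. This is illustration code written for this page, not ISE's, LastPass's or KeePass's code; the vault_t arena, vault_lock_flawed, vault_lock_scrubbed, secure_zero and scan_for names are assumptions, the arena stands in for the process heap so the scan is defined behaviour, and the master password and entry are constructed sample strings. scan_for does what a memory-dump search does: look for a known byte pattern anywhere in a region.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stddef.h>

#define ARENA_SIZE 4096

/* Hypothetical vault: the arena stands in for the process heap that a
   password manager decrypts entries into. */
typedef struct {
    unsigned char arena[ARENA_SIZE];
    size_t used;
    int locked;
} vault_t;

/* Zeroing the compiler cannot drop as a dead store: every write goes
   through a volatile pointer (same idea as explicit_bzero/SecureZeroMemory). */
static void secure_zero(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) *vp++ = 0;
}

/* "Decrypt" entries into the vault (a plain copy; decryption is not the point). */
static void vault_unlock(vault_t *v, const char *master, const char *entry) {
    size_t ml = strlen(master), el = strlen(entry);
    v->used = 0;
    memcpy(v->arena + v->used, master, ml); v->used += ml + 1;
    memcpy(v->arena + v->used, entry, el);  v->used += el + 1;
    v->locked = 0;
}

/* The flawed lock: flips the flag and leaves the plaintext where it was. */
static void vault_lock_flawed(vault_t *v) { v->locked = 1; }

/* The corrected lock: scrub every byte that held decrypted material first. */
static void vault_lock_scrubbed(vault_t *v) {
    secure_zero(v->arena, v->used);
    v->used = 0;
    v->locked = 1;
}

/* Memory-dump style search: offset of needle in the region, or -1. */
static long scan_for(const unsigned char *mem, size_t len, const char *needle) {
    size_t nl = strlen(needle);
    for (size_t i = 0; i + nl <= len; i++)
        if (memcmp(mem + i, needle, nl) == 0) return (long)i;
    return -1;
}

/* 1 if a credential is still recoverable from the vault after locking.
   Constructed sample secrets, not real credentials. */
int secret_survives_lock(int use_scrub) {
    vault_t v;
    memset(&v, 0, sizeof v);
    vault_unlock(&v, "correct horse battery staple", "user@example.com:hunter2");
    if (use_scrub) vault_lock_scrubbed(&v); else vault_lock_flawed(&v);
    return v.locked && scan_for(v.arena, ARENA_SIZE, "hunter2") >= 0;
}

int main(void) {
    printf("flawed lock, secret recoverable:   %d\n", secret_survives_lock(0));
    printf("scrubbed lock, secret recoverable: %d\n", secret_survives_lock(1));
    return 0;
}
```

The volatile-pointer loop matters: a plain memset on a buffer that is never read again is a dead store that optimising compilers remove, which is one way "scrubbed" buffers end up in a dump anyway. Note also what the scrub does not cover: copies of the plaintext made by other code paths (GUI controls, clipboard, crash dumps, swap) are outside the arena and need their own handling.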

4 of 122 comments

  1. Re:'severe' by OffTheLip · Score: 5, Insightful

    Users of this "vulnerability" are most likely state actors/law enforcement agencies, and 3 letter organizations. They have your computer, they need your password protected data.

  2. Re:'severe' by AmiMoJo · Score: 5, Insightful

    Keepass is basically as good as it can ever possibly be. The "vulnerability" they found relates to the fact that when it displays entries on screen Windows will make copies of some of the data to create the GUI, and there is no effective way to scrub that.

    Which is basically irrelevant because 99% of the time the user is going to use that information on the same machine anyway, i.e. they will copy/paste it into a browser or encryption app. So the attacker needs to have control of the machine in order to read process memory, and even if somehow Keepass blocked them they could likely just recover it from keystrokes, the clipboard or the app it's being used in.

    The main risk is that the app crashes and the secret data can be recovered from the crash dump, but Keepass prevents that happening. Unfortunately they don't seem to have tested that attack.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
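The crash-dump angle raised in the comment above, a secret that a crash writes to disk as a core file, as an added example in C. The page does not say how KeePass prevents dumps on Windows, so this is the Linux analog and is illustration code written for this page, not KeePass's: the process lowers RLIMIT_CORE to zero so no core file is written, clears the dumpable flag with prctl (which also makes /proc/PID/mem and ptrace attach from other same-uid processes fail without CAP_SYS_PTRACE), and pins the secret's pages with mlock so they are never written to swap. The harden_secret_buffer, harden_demo and is_dumpable names and the sample master password are assumptions; mlock is treated as best-effort because it fails under a zero RLIMIT_MEMLOCK, which is common in containers.

```c
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>
#ifdef __linux__
#include <sys/prctl.h>
#include <sys/mman.h>
#endif

/* Bit flags reporting which hardening steps took effect. */
enum { HARDEN_NO_CORE = 1, HARDEN_NOT_DUMPABLE = 2, HARDEN_LOCKED = 4 };

/* Keep a buffer holding secrets out of core files and swap. */
int harden_secret_buffer(void *buf, size_t len) {
    int done = 0;
    struct rlimit rl = { 0, 0 };

    /* 1. Core size limit 0: a crash writes no core file. Lowering a limit
          never needs privilege, and children inherit it. */
    if (setrlimit(RLIMIT_CORE, &rl) == 0) done |= HARDEN_NO_CORE;

#ifdef __linux__
    /* 2. Not dumpable: no core dump regardless of limits, and other
          unprivileged processes cannot read this one's memory. */
    if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) == 0) done |= HARDEN_NOT_DUMPABLE;

    /* 3. Pin the pages so the plaintext never reaches swap. Best-effort:
          fails when RLIMIT_MEMLOCK is 0, as in many container defaults. */
    if (mlock(buf, len) == 0) done |= HARDEN_LOCKED;
#else
    (void)buf; (void)len;
#endif
    return done;
}

/* Current dumpable flag: 0 or 1 on Linux, -1 where prctl is unavailable. */
int is_dumpable(void) {
#ifdef __linux__
    return prctl(PR_GET_DUMPABLE, 0, 0, 0, 0);
#else
    return -1;
#endif
}

/* Apply the hardening to a constructed sample secret and report the flags. */
int harden_demo(void) {
    static char master[64] = "correct horse battery staple"; /* sample, not real */
    int done = harden_secret_buffer(master, sizeof master);
    /* The buffer is still scrubbed when no longer needed; hardening only
       limits where copies can leak to, it does not remove the plaintext. */
    volatile char *p = master;
    for (size_t i = 0; i < sizeof master; i++) p[i] = 0;
    return done;
}

int main(void) {
    int done = harden_demo();
    printf("core disabled: %d, not dumpable: %d, mlocked: %d, dumpable flag now: %d\n",
           !!(done & HARDEN_NO_CORE), !!(done & HARDEN_NOT_DUMPABLE),
           !!(done & HARDEN_LOCKED), is_dumpable());
    return 0;
}
```

These controls only address the dump path the comment describes; a debugger run by root, or a memory read by code already inside the process, sees the plaintext regardless, which is the threat model the first comment in this thread is pointing at.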
  3. Re:Use The Best Password by kbg · Score: 5, Funny

    That's amazing! I've got the same combination on my luggage!

  4. Re:Other ways to display data by drakaan · Score: 5, Insightful

    Well, yes, but since you're most likely going to be doing a copy/paste out of the field with the password in it, that vulnerability is going to be eclipsed by the vulnerability of being able to grab what's in the clipboard. KeePass already doesn't show you the password by default when you open an entry. You have to click the little "show password" button. They could have easily made the password display as a bitmap image instead of text, but I'm assuming they didn't for the same reason I just mentioned. I mean, you can make it not ever display text, but instead read the password aloud, but each of the mitigations mentioned is just going to make people not use that password manager because it becomes inconvenient. Ultimately, if you don't just have all of your passwords memorized, you are vulnerable to some sort of attack that doesn't involve the wrench technique.

    --
    "Murphy was an optimist" - O'Toole's commentary on Murphy's Law