Apps leaving the master password exposed in memory

Feb 20, 2019 07:22 GMT  ·  By

Password managers have become nearly mandatory for heavy computer users who want to stay secure against the always-growing number of attacks, but recent research discovered a major vulnerability in four of the most popular such apps on Windows 10.

The Independent Security Evaluators (ISE) conducted a security audit of 1Password, Dashlane, KeePass, and LastPass on Windows 10, and the results are worrying, to say the least.

All of them keep the master password in plaintext in the PC memory, which means a hacker with access to the computer could easily read it and then get access to all the data stored in the password manager.

The master password is the key that is being used by password managers to guard the application, and users are required to provide it whenever they want to unlock it.

Don’t leave the apps in a locked state

Security researchers discovered that this master password remains in the memory of the device in plaintext as long as the password manager itself is in a locked state. This means the password manager has already been launched, unlocked, and then locked automatically for security reasons.

“Using a proprietary, reverse engineering, tool, ISE analysts were able to quickly evaluate the password managers’ handling of secrets in its locked state. ISE found that standard memory forensics can be used to extract the master password and the secrets it’s supposed to guard,” researchers explain.

What’s very important to know is that reading the master password from the PC’s memory requires access to the device, either physical or remote.

Also, the report emphasizes that despite the obvious security risk discovered here, password managers are still recommended because they add an extra layer of protection against the typical attacks that rely on weak passwords.

While developers are recommended to improve the way password managers sanitize memory, users should avoid keeping the password managers in a locked state on their device. In other words, launch it, get your password, and then close it until you need another password again. Of course, this isn’t the most convenient workaround, but at least it helps you stay protected until fixes are shipped.