Password managers are not as secure as they claim


Online accounts have multiplied since the 2010s, especially with the rise of social media, and many online services urge users not to reuse the same password everywhere.

This is where password managers come in: they let users keep all of their passwords in one central place behind a security layer, along with metadata and other related information.

How to use a password manager?

Password managers store confidential information in an encrypted database and retrieve it from there when it is needed.

Users trust them to offer far better guarantees against leaks than other ways of storing passwords, such as plain text files.

In other words, a password manager keeps every password you use on the Internet in one place, which makes it very useful.

Not everything is as they paint it

That being said, a group of independent security testers, ISE, reported this week that some of the most popular password managers have vulnerabilities that could be exploited to steal users' credentials, assuming they have not already been exploited by third parties.

In the report the group presented, they described the security guarantees that a password manager should offer and examined the inner workings of five popular password managers.

Not even free software is exempt

These are 1Password, KeePass, Dashlane, and LastPass. All of these password managers work the same way, they say.

Users enter or generate passwords in the software and add the relevant metadata (for example, answers to security questions and the site the password is meant for).

This information is encrypted, and it is decrypted only when it has to be shown on screen, passed to a browser plug-in that fills it in on a website, or copied to the clipboard for use.

For each of these managers, the group defines three states of existence: not running, unlocked, and locked.

In the first state, the password manager must encrypt its database so that, as long as the user has not chosen a trivial master password, an attacker cannot simply guess the master password.

In the second state, it should not be possible to extract the master password from memory, directly or by any other means that would recover the original master password.

And in the third state, all the security guarantees of a password manager that is not running must also apply to a password manager in the locked state.

In their analysis, the testers say they examined the algorithm each password manager uses to turn the master password into an encryption key, and found that the algorithm lacks the complexity to withstand today's cracking attacks.

On the security analysis of the managers

In the case of 1Password 4 (version 4.6.2.628), the assessment of its security while running found reasonable protections against exposure of individual passwords in the unlocked state.

Unfortunately, this was undermined by its handling of the master password and by various broken implementation details in the transition from the unlocked state to the locked state. The master password remains in memory.

Therefore, the 1Password master password can be retrieved, because it is not erased from memory after the password manager is put into the locked state.

Turning to 1Password 7 (version 7.2.576), what surprised them was that it turned out to be less secure while running than the previous version, 1Password 4, because it decrypted all the individual passwords in their test database as soon as it was unlocked and cached them, unlike 1Password 4, which holds only one entry at a time.

They also found that 1Password 7 clears neither the individual passwords, nor the master password, nor the secret key from memory when going from the unlocked state to the locked state.

In the Dashlane assessment, they noted that its processes focused on hiding secrets in memory to reduce the risk of extraction.

Dashlane was also unique in using GUI and memory frameworks that keep secrets from being passed to the various operating system APIs that could expose them to eavesdropping by malware.

Linux is not the exception either

Unlike the other password managers, KeePass is an open source project. Similar to 1Password 4, KeePass decrypts entries only as they are interacted with.

However, they all remain in memory, because they are not individually erased after each interaction. The master password itself is erased from memory and cannot be retrieved.

But while KeePass tries to protect secrets by erasing them from memory, there are clearly some bugs in these workflows, because, they say, even in the locked state they could extract the entries that had been interacted with.

Entries that have been interacted with remain in memory even after KeePass has been placed in the locked state.

Finally, as in 1Password 4, LastPass hides the master password while it is being entered in the unlock field.

Once the decryption key is derived from the master password, the master password is replaced by the phrase "lastpass".
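The three states described above (not running, unlocked, locked) and the per-manager findings (a master password or secret key left in memory after locking, entries cached after use, the master password overwritten once the key is derived) can be made concrete with a small model. The following Python sketch is an added example, not code from the article or from ISE's report: it keeps every secret in a mutable buffer so it can be wiped, derives the vault key with PBKDF2-HMAC-SHA256, decrypts entries one at a time on demand rather than all at unlock, and tracks every secret buffer so a check can list what would still be readable in memory after each transition. The `Vault` class, the iteration count and the HMAC counter-mode cipher standing in for a real AES/ChaCha20 vault format are all constructed for this demonstration.

```python
import hashlib
import hmac
import secrets

KDF_ITERATIONS = 200_000   # constructed demo value; the cost of each offline guess scales with it
BLOCK = 32                 # one HMAC-SHA256 output per keystream block


def zeroize(buf: bytearray) -> None:
    """Overwrite a secret in place. A Python str is immutable and cannot be
    wiped, so every secret in this demo lives in a bytearray from the start."""
    for i in range(len(buf)):
        buf[i] = 0


def derive_key(master_password: bytearray, salt: bytes) -> bytearray:
    """Master password -> 256-bit vault key with PBKDF2-HMAC-SHA256. The
    iteration count is what makes guessing against the on-disk vault expensive."""
    return bytearray(hashlib.pbkdf2_hmac("sha256", master_password, salt, KDF_ITERATIONS, 32))


def _keystream(key: bytearray, nonce: bytes, length: int) -> bytes:
    # Constructed demo cipher: HMAC-SHA256 in counter mode, a stand-in for
    # AES/ChaCha20 so the example needs nothing outside the standard library.
    out = b""
    for counter in range((length + BLOCK - 1) // BLOCK):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def seal(key: bytearray, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC one entry: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytearray, blob: bytes) -> bytearray:
    """Verify the tag before decrypting; a wrong key or a modified blob fails here."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("entry failed authentication (wrong master password or tampered vault)")
    return bytearray(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class Vault:
    """Models the three states the testers define and records every secret
    buffer, so leaked() can report what is still readable afterwards."""

    def __init__(self, on_disk: dict):
        self.on_disk = on_disk   # salt + sealed entries: all that exists while 'not running'
        self.state = "not running"
        self.key = None
        self.cache = {}          # entries decrypted on demand, one at a time
        self.audit = {}          # label -> buffer, every secret that has ever been in memory

    @staticmethod
    def create(master_password: bytearray, entries: dict) -> dict:
        salt = secrets.token_bytes(16)
        key = derive_key(master_password, salt)
        on_disk = {"salt": salt, "entries": {n: seal(key, p) for n, p in entries.items()}}
        zeroize(key)
        zeroize(master_password)
        return on_disk

    def unlock(self, master_password: bytearray) -> None:
        self.audit["master password"] = master_password
        self.key = self.audit["key"] = derive_key(master_password, self.on_disk["salt"])
        zeroize(master_password)  # the password text is not needed once the key exists
        self.state = "unlocked"

    def get_entry(self, name: str) -> bytearray:
        if self.state != "unlocked":
            raise PermissionError("vault is " + self.state)
        pw = open_sealed(self.key, self.on_disk["entries"][name])
        self.cache[name] = self.audit["entry:" + name] = pw
        return pw

    def release_entry(self, name: str) -> None:
        zeroize(self.cache.pop(name))  # wipe after each interaction, not just at lock

    def lock(self) -> None:
        for name in list(self.cache):
            self.release_entry(name)
        if self.key is not None:
            zeroize(self.key)
            self.key = None
        self.state = "locked"

    def leaked(self) -> list:
        """Labels of secrets still readable in memory: the testers' check."""
        return sorted(label for label, buf in self.audit.items() if any(buf))


if __name__ == "__main__":
    disk = Vault.create(bytearray(b"correct horse battery staple"), {"bank": b"s3cr3t!"})
    v = Vault(disk)
    v.unlock(bytearray(b"correct horse battery staple"))
    print(v.leaked())            # ['key']: master password wiped as soon as the key exists
    v.get_entry("bank")
    print(v.leaked())            # ['entry:bank', 'key']: one entry held while in use
    v.lock()
    print(v.leaked())            # []: nothing recoverable once locked
```

The `leaked()` check is what separates the intended design from the findings in the article: a manager that kept the master password after deriving the key, decrypted every entry at unlock, or skipped the wipe on lock would show those labels after the transition. The model also makes the "not running" guarantee visible: the only persistent artefact is the salt plus sealed entries, and a wrong master password fails the authentication tag rather than yielding plaintext.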

Source: ISE (security evaluators)


5 comments


  1.   anonymous said

    Passwords should not be kept anywhere other than a notebook, written with a ballpoint pen ... the rest is just a con.

  2.   Paco said

    Totally agree, there is nothing like the notebook, since it is a bit difficult for hackers to get into your house to steal your notebook.

  3.   luix said

    What would be the safest manager?

  4.   weed hat said

    Total exaggeration, it is obvious that a password manager is not 100% secure, because nothing is 100% secure, gentlemen… Even so, it will always be safer to use a password manager than not to use one. Pencil and paper? Absurd, unless you only have 3 or 4 passwords, but for people like me who have 50, 100 or more different accounts in different places it doesn't make the slightest sense, and to that we must add that if you lose the paper or the pendrive, you can say goodbye to your digital life. In 2019 it does not make the slightest sense to save your passwords anywhere other than in the cloud, all properly encrypted. Lastpass is the safest thing to use today; whoever claims otherwise does not know what they are talking about, they are simply an average user. Greetings.

  5.   martin said

    I use https://bitwarden.com/ What does the report of this password manager say?