Password managers are a useful way to keep your internet accounts safe. But the software that runs them isn't always perfect.
According to new research, four popular password managers for Windows 10 can actually leak your login credentials to the PC's memory. That's bad news in the event your computer has been secretly taken over by malware; a hacker could potentially snatch up the sensitive data when the password manager turns on.
The research, published on Tuesday, comes from Independent Security Evaluators (ISE), a Baltimore-based company that examined the security of four products: 1Password, Dashlane, KeePass, and LastPass. The company was surprised to find that the products didn't always encrypt and then delete password data from the PC's memory, not even the master password, which can be used to unlock all your stored passwords.
For instance, 1
expose a login credential individually, depending on which password the user is seeking to access. Only when the user seeks to update a password will Dashlane expose the entire database in plaintext. LastPass exhibits a similar problem, and can also reveal the credentials even after the application returns to a locked state.
ISE published the research to prompt password manager vendors to better protect login credentials when they are loaded into a PC's memory, especially once the product reverts to a locked state.
"Given the huge user base of people already using password managers, these vulnerabilities will target hackers and steal data from these computers through malware attacks," said researcher Adrian Bednarek in a statement.
But not everyone agrees about the severity of the threat. To pull off these attacks, the hacker has to trick you into installing some malware, which can open your PC to all kinds of mayhem — not just password theft.
1Password's security developer Jeffrey Goldberg told PCMag in an email: "No password manager (or anything else) can promise to run securely on a compromised computer."
1Password and KeePass also told PCMag that the security issues cited by ISE are nothing new and have been documented as known trade-offs with their products. For instance, on the Windows operating system, KeePass must decrypt some of the sensitive data in order to show you a password. Goldberg said that fixing this particular problem "introduces new, greater security risks." 1Password would have to switch to a different, older programming language, which might prove less reliable in other ways and leave users less secure, he added.
LastPass, however, said it has added new safeguards to stop potential password theft by malware. For instance, the company's Windows application will now shut down and clear its system memory when the user logs out.
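As an added illustration (not code from ISE or any of the vendors named above), the C sketch below shows the difference between merely flagging a vault as locked and actually scrubbing the master password from memory, plus a check a tester could use to confirm the wipe. The vault struct, function names and sample password are constructed for this example.

```c
#include <stddef.h>
#include <string.h>

#define MASTER_MAX 256

/* Hypothetical in-memory vault state for this example (no vendor's real code). */
struct vault {
    unsigned char master[MASTER_MAX]; /* plaintext master password while unlocked */
    size_t master_len;
    int locked;
};

/* Zero a buffer through a volatile pointer so the compiler cannot drop the
 * stores as "dead" (a plain memset on a buffer that is never read again often
 * is removed). explicit_bzero() or C11 memset_s() serve the same purpose where
 * the platform provides them. */
static void secure_wipe(void *buf, size_t len) {
    volatile unsigned char *p = (volatile unsigned char *)buf;
    while (len--) *p++ = 0;
}

/* Copy the master password into the vault and mark it unlocked. */
int vault_unlock(struct vault *v, const char *master) {
    size_t n = strlen(master);
    if (n == 0 || n > MASTER_MAX) return -1;
    memcpy(v->master, master, n);
    v->master_len = n;
    v->locked = 0;
    return 0;
}

/* The pattern the research criticises: the flag flips, the plaintext stays. */
void vault_lock_flag_only(struct vault *v) {
    v->locked = 1;
}

/* The mitigation: scrub the secret before reporting the locked state. */
void vault_lock_and_wipe(struct vault *v) {
    secure_wipe(v->master, sizeof v->master);
    v->master_len = 0;
    v->locked = 1;
}

/* Tester's check: does the secret still sit anywhere inside the vault struct? */
int secret_remains(const struct vault *v, const char *secret) {
    const unsigned char *hay = (const unsigned char *)v;
    size_t n = strlen(secret);
    for (size_t i = 0; i + n <= sizeof *v; i++)
        if (memcmp(hay + i, secret, n) == 0) return 1;
    return 0;
}
```

In a real application the same scrub has to cover every copy the program made (decrypted entries, clipboard buffers, UI widget text), which is why the vendors describe the fix as harder than it looks.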
The research from ISE is a reminder to be aware of password managers' limitations: the applications cannot protect your login credentials if your PC has been infected with malware that has keylogging, screenshot-grabbing, or text-copying abilities.
To stay safe, ISE recommends you use reputable antivirus products and shut down a password manager completely once you're done with it, so that the product is not left in a vulnerable state. To avoid malware, refrain from downloading applications from unknown sources or opening mysterious email attachments.