A new study performed by ISE and funded by the Washington Post has found that many of the top Windows 10 password managers are vulnerable to malicious attacks. Popular apps such as Dashlane, KeePass, LastPass, RoboForm and 1Password have all been found to have weaknesses. The study found that these apps are at risk of exposing passwords even in a (supposedly) secure "locked" mode. If you are using a browser app for your password manager, hackers may also be able to obtain the master password for your entire database!
Should I Stop Using My Password Manager?
Despite finding many issues with the security of the top password managers, the study performed by ISE determined that using a password manager is still more secure than not using one. Users are only vulnerable to these attacks if they let their machine become infected with malware. The ethical hackers at ISE worked directly with the software and the machines it ran on; such a direct attack is unlikely to happen on a large scale.
The investigators mostly looked at what state the passwords were kept in while the password managers were in different "modes". These modes were "Not running", where the software had been installed and configured but not opened since the PC was turned on; "Unlocked", where the master password has been entered to decrypt and access the stored passwords; and "Locked", where the password manager is open and running but the master password has not been entered.
ISE found that in 1Password version 4.6, the master password could be found in the raw data files and decrypted from there, consequently allowing access to all the passwords in the database. 1Password version 7.2 was even more susceptible to this kind of attack, as it would hold the master password in cleartext, meaning it could be read without needing to be decrypted at all. Dashlane (version 6.18), KeePass (2.4) and LastPass (4.1) all had this issue of exposing master passwords in cleartext. If you use any of the software mentioned in this blog, we recommend you check for updates as soon as possible.
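To make the "Unlocked" versus "Locked" distinction concrete, here is an added example in C (not code from the ISE study or from any of the products named) of a hypothetical minimal vault: the weak lock only flips a flag and leaves the master password bytes resident in memory, the hardened lock scrubs them with a wipe the compiler cannot optimise away, and a scan function stands in for checking a memory image to see whether the secret is still there. The vault layout, the function names and the sample password are all constructed for this illustration.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical minimal vault state, constructed for this example. */
#define MASTER_MAX 64

typedef struct {
    int unlocked;
    char master[MASTER_MAX];   /* master password while unlocked */
    size_t master_len;
} vault_t;

/* Wipe through a volatile pointer so the compiler cannot drop it as a
 * "dead store" (the same idea as explicit_bzero / SecureZeroMemory). */
static void secure_wipe(void *p, size_t n) {
    volatile unsigned char *b = (volatile unsigned char *)p;
    while (n--) *b++ = 0;
}

/* Unlock: keep the master password in the vault. A real manager would keep
 * only a derived key, but the same wipe-on-lock rule applies to that key. */
int vault_unlock(vault_t *v, const char *master) {
    size_t n = strlen(master);
    if (n >= MASTER_MAX) return -1;
    memcpy(v->master, master, n + 1);
    v->master_len = n;
    v->unlocked = 1;
    return 0;
}

/* Weak lock: the UI says "locked" but the secret bytes stay in memory. */
void vault_lock_weak(vault_t *v) { v->unlocked = 0; }

/* Hardened lock: scrub the secret before reporting the locked state. */
void vault_lock(vault_t *v) {
    secure_wipe(v->master, sizeof v->master);
    v->master_len = 0;
    v->unlocked = 0;
}

/* Defender-side check: does the vault's memory image still contain the
 * secret? Returns 1 if found, 0 if not. Mirrors inspecting a process dump. */
int vault_holds_secret(const vault_t *v, const char *secret) {
    size_t n = strlen(secret);
    const unsigned char *p = (const unsigned char *)v;
    for (size_t i = 0; i + n <= sizeof *v; i++)
        if (memcmp(p + i, secret, n) == 0) return 1;
    return 0;
}
```

The same check applies to any buffer that ever held the master password, including temporary copies made while deriving the encryption key, so auditing the lock path alone is not sufficient.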
Password managers are still significantly more secure than using the same password over and over. They allow you to store and work with complex passwords that will never be guessed (so long as they have enough characters). But, as this study highlights, they are not 100% secure, so be sure to check for updates, as these issues will (hopefully) be patched soon by the developers.
If you would like to view the original study by ISE, you can find it here: https://www.securityevaluators.com/casestudies/password-manager-hacking/
If you would like to talk to one of our specialists regarding IT and computer security give us a call on 01865988217