PASSWORD MANAGERS, they're secure, right? Well, not so much according to a report by the Independent Security Evaluators (ISE), which found master passwords to such tools stored as plain text in a PC's memory.
Using malware that targets PC RAM and some pretty standard memory forensics, hackers could theoretically extract a plain text master password, or individual credentials, for tools such as 1Password, LastPass and Dashlane on Windows 10 and then use it to breach the password managers.
Such a security breach would require spyware-grade malware to already be on a targeted PC and that malicious software would more than likely need system admin rights to get at the data stored in-memory. At that stage, there's an argument that a PC is already in a spot of bother and having access to a password manager isn't the major concern.
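The lingering-secret problem the report describes, as an added illustration that is not code from the ISE report or from any of the vendors named: a working buffer holding the master password stays readable in process memory after the program is done with it unless it is explicitly wiped, and the wipe has to be written so the compiler cannot drop it as a dead store. The buffer layout, the password and the function names are constructed for this example.

```c
/* Added example (not from ISE or any vendor): a secret copied into a
 * working buffer remains recoverable from memory until overwritten. */
#include <stddef.h>
#include <string.h>

#define BUF_LEN 64

/* Volatile byte-by-byte wipe: a plain memset() right before the buffer
 * goes out of use may be optimised away, leaving the secret in place. */
static void secure_wipe(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) *vp++ = 0;
}

/* Memory-scan check used only by this example: returns 1 if the secret
 * is still present byte-for-byte anywhere in buf. */
static int secret_present(const unsigned char *buf, size_t buflen,
                          const char *secret) {
    size_t slen = strlen(secret);
    if (slen == 0) return 0;
    for (size_t i = 0; i + slen <= buflen; i++)
        if (memcmp(buf + i, secret, slen) == 0) return 1;
    return 0;
}

/* Simulates a vault unlock: the master password is copied into a working
 * buffer, "used" to derive a key, and the buffer is then left behind as a
 * real allocation would be until reused. Returns 1 if the password is
 * still readable in that buffer afterwards, 0 if the wipe removed it. */
int unlock_and_check(const char *master, int wipe_after_use) {
    unsigned char work[BUF_LEN];
    memset(work, 0, sizeof work);
    strncpy((char *)work, master, BUF_LEN - 1);
    /* ... key derivation would read from work here ... */
    if (wipe_after_use)
        secure_wipe(work, sizeof work);
    return secret_present(work, sizeof work, master);
}
```

Without the wipe the function reports the password still sitting in the buffer; with it, the same scan finds nothing.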
But ISE chief executive Stephen Bono still advised caution: "100 per cent of the products that ISE analyzed failed to provide the security to safeguard a user's passwords as advertised."
"Although password managers provide some utility for storing login/passwords and limit password reuse, these applications are a vulnerable target for the mass collection of this data through malicious hacking campaigns," he added.
And ISE lead researcher Adrian Bednarek painted a gloomy picture, noting that once the hackers get the master password "it's game over".
"Given the huge user base of people already using password managers, these vulnerabilities will entice hackers to target and steal data from these computers via malware attacks," Bednarek said.
Should you be panicking? Probably not, as the report says that password managers are still better than the regular ol' remember-the-password-in-your-head technique or reusing the same password for multiple services.
"First and foremost, password managers are a good thing," the report explained. "All password managers we have examined add value to the security posture of secrets management."
But the report is a kick in the backside for the providers of password managers, who'll want to have mitigation in place to prevent hackers from exploiting such a vulnerability.
LastPass told SC Magazine that it already has a fix in place and downplayed the whole situation, noting that "[to] read the memory of an application, an attacker would need to have local access and admin privileges to the compromised computer".
We suspect that other password manager providers will quickly follow suit and patch or mitigate against the vulnerability. But the whole thing just shows how we're never as secure as we might think we are. µ