If You Use A Password Manager, It May Have Severe Vulnerabilities That Could Lead To Password Theft

A report on ZDNet flags that several popular password managers apparently have flaws that can lead to password theft:

Independent Security Evaluators (ISE) published an assessment on Tuesday with the results of testing with several popular password managers, including LastPass and KeePass. The team said that each password management solution “failed to provide the security to safeguard a user’s passwords as advertised” and “fundamental flaws” were found that “exposed the data they are designed to protect.”

The vulnerabilities were found in software operating on Windows 10 systems. In one example, the master password which users need to use to access their cache of credentials was stored in PC RAM in a plaintext, readable format. ISE was able to extract these passwords and other login credentials from memory while the password manager in question was locked. It may be possible that malicious programs downloaded to the same machine by threat actors could do the same.
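The finding quoted above, a master password still sitting in process memory in plaintext after the vault is "locked", comes down to memory hygiene: whether the lock routine actually scrubs the secret or merely flips a flag. The following is an added illustration, not code from the ZDNet article, the ISE report, or any of the products tested; the `vault_t` layout and function names are hypothetical, and it contrasts a flawed lock with one that zeroes the buffer in a way the compiler cannot optimise away.

```c
#include <stddef.h>
#include <string.h>

#define MASTER_MAX 64

/* Hypothetical in-memory vault state: holds the master password while unlocked. */
typedef struct {
    char master[MASTER_MAX];
    size_t master_len;
    int unlocked;
} vault_t;

/* Zero a buffer through a volatile pointer so the write cannot be elided as
   "dead" by the optimiser (a plain memset before free often is). */
static void secure_zero(void *p, size_t n) {
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}

/* Unlock: copy the master password into the vault. Returns 0 on success. */
int vault_unlock(vault_t *v, const char *pw) {
    size_t len = strlen(pw);
    if (len >= MASTER_MAX) return -1;
    memcpy(v->master, pw, len + 1);
    v->master_len = len;
    v->unlocked = 1;
    return 0;
}

/* Flawed lock: marks the vault locked but leaves the plaintext in RAM,
   which is the behaviour ISE reported observing. */
void vault_lock_flawed(vault_t *v) { v->unlocked = 0; }

/* Hardened lock: scrubs the secret before marking the vault locked. */
void vault_lock_scrubbed(vault_t *v) {
    secure_zero(v->master, sizeof v->master);
    v->master_len = 0;
    v->unlocked = 0;
}

/* Returns 1 if every byte of the master buffer is zero, i.e. nothing is left to recover. */
int vault_is_scrubbed(const vault_t *v) {
    const unsigned char *b = (const unsigned char *)v->master;
    unsigned char acc = 0;
    for (size_t i = 0; i < sizeof v->master; i++) acc |= b[i];
    return acc == 0;
}

/* Self-check with a constructed password: 1 if the flawed lock leaves the
   secret recoverable while the scrubbed lock does not. */
int demo_lock_behaviour(void) {
    vault_t a = {0}, b = {0};
    if (vault_unlock(&a, "correct horse") != 0) return 0;
    if (vault_unlock(&b, "correct horse") != 0) return 0;
    vault_lock_flawed(&a);
    vault_lock_scrubbed(&b);
    return !vault_is_scrubbed(&a) && vault_is_scrubbed(&b);
}
```

Scrubbing one buffer is necessary but not sufficient: copies made by string handling, UI widgets or the allocator also have to be accounted for, which is why the report's test (read memory while locked) is a useful acceptance check for any vendor.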

This report only covers a handful of password managers. So if you use a password manager that is not listed here, you might want to reach out to the company that makes it to see where they stand on this issue. However, you should also consider the following. To exploit what’s written in this report, you have to have hardware-level access to a PC to the point where you can read RAM in order to get someone’s master password from their password manager. Or put another way, you would have to have physical control of the computer in question. That’s way too much effort. It would be much more efficient to install a keylogger and capture everything. But maybe I’m looking at this wrong?
