Flaws in leading password managers can expose data
In an age of constant data breaches and hacking, many security experts encourage the use of password managers. But as it turns out, the password managers themselves have vulnerabilities that can expose the credentials they store on the device they run on.
A disturbing report Tuesday from Independent Security Evaluators found that the leading password managers it examined, 1Password, Dashlane, KeePass and LastPass, all fall short of protecting passwords in memory the way they advertise.
“100 percent of the products that ISE analyzed failed to provide the security to safeguard a user’s passwords as advertised,” ISE Chief Executive Officer Stephen Bono said. “Although password managers provide some utility for storing login/passwords and limit password reuse, these applications are a vulnerable target for the mass collection of this data through malicious hacking campaigns.”
The issues relate to how the password managers handle secrets in a computer's memory: both the master password and individual credentials could be left exposed. In some cases, the master password remained in plaintext in memory even while the password manager was locked, and the researchers recovered it with standard memory forensics, that is, by dumping the running process and searching the dump for the string. Anyone else able to read that process's memory, whether sitting at the keyboard or through malware running under the user's account, could obtain the passwords the same way.
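The check described above is straightforward to reproduce against your own password manager. The script below is an added example, not ISE's tooling or any vendor's code: it searches a process memory dump for a master password in the encodings a desktop application is likely to hold it in (UTF-8, and UTF-16 for Windows GUI frameworks and .NET), and also lists printable strings the way `strings -el` would, for the case where the analyst does not know the password in advance. The dump bytes and the sample master password embedded here are constructed for the example; for a real check, lock the manager, capture its process with a tool such as ProcDump or gcore, and pass the dump file on the command line.

```python
"""Triage a process memory dump for a plaintext master password.

Added example, not from the ISE report or any vendor. Usage:
    python dump_check.py            # runs against the constructed sample below
    python dump_check.py proc.dmp   # scans a real dump, prompts for the secret
Exit status 1 means the secret was found in plaintext.
"""
import re
import sys

# Encodings a desktop application is likely to hold a string in. Searching
# for the UTF-8 form alone would miss UTF-16LE strings held by Windows GUI
# controls or .NET code.
ENCODINGS = ("utf-8", "utf-16-le", "utf-16-be")

# Constructed sample values (not real credentials or a real dump).
MASTER_PASSWORD = "correct horse battery staple"
SAMPLE_DUMP = (
    b"\x00" * 64                                    # unused page
    + b"vault.db\x00" + b"\x7f\x11\x00\x00"         # vault filename, a length field
    + MASTER_PASSWORD.encode("utf-8") + b"\x00"     # secret as a C string
    + bytes([0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A]) * 8  # binary noise
    + MASTER_PASSWORD.encode("utf-16-le") + b"\x00\x00"  # same secret, UTF-16LE
    + b"\xff" * 32
)


def encode_candidates(secret: str) -> dict[str, bytes]:
    """Return the byte pattern the secret would have in each encoding."""
    return {enc: secret.encode(enc) for enc in ENCODINGS}


def find_secret(dump: bytes, secret: str) -> dict[str, list[int]]:
    """Map each encoding to every dump offset where the secret occurs.

    Encodings without hits are omitted, so an empty result means the secret
    was not found in plaintext (in these encodings) anywhere in the dump.
    """
    hits: dict[str, list[int]] = {}
    for enc, needle in encode_candidates(secret).items():
        offsets = []
        pos = dump.find(needle)
        while pos != -1:
            offsets.append(pos)
            pos = dump.find(needle, pos + 1)
        if offsets:
            hits[enc] = offsets
    return hits


def printable_strings(dump: bytes, min_len: int = 8) -> list[tuple[int, str, str]]:
    """Return (offset, encoding, text) for every printable run in the dump.

    Covers runs of printable ASCII and the same runs in UTF-16LE (each
    character followed by a NUL byte), like `strings` and `strings -el`.
    This is the first pass when the master password is not known: list
    every string and look for ones sitting next to vault metadata.
    """
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = []
    for m in ascii_re.finditer(dump):
        found.append((m.start(), "utf-8", m.group().decode("ascii")))
    for m in utf16_re.finditer(dump):
        found.append((m.start(), "utf-16-le", m.group().decode("utf-16-le")))
    return sorted(found)


def main(argv: list[str]) -> int:
    if len(argv) > 1:
        import getpass
        with open(argv[1], "rb") as fh:
            dump = fh.read()
        secret = getpass.getpass("Master password to search for: ")
    else:
        dump, secret = SAMPLE_DUMP, MASTER_PASSWORD
    hits = find_secret(dump, secret)
    if not hits:
        print("master password not found in plaintext")
        return 0
    for enc, offsets in hits.items():
        print(f"{enc}: {len(offsets)} hit(s) at {[hex(o) for o in offsets]}")
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

On the constructed sample the secret is reported twice, once as UTF-8 and once as UTF-16LE, which is the point of searching more than one encoding: a dump that looks clean under a plain `grep` can still carry the master password as wide characters. Run the same check against the manager once unlocked and once locked, since the ISE finding was specifically that the locked state did not clear the secret.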
Amit Sethi, senior principal consultant at Synopsys Inc., told SiliconANGLE that the main risk is that somebody who gets access to a computer while the password manager is running but locked may be able to get access to the passwords.
“The first step is to upgrade your password manager to the latest available version,” Sethi advised. “Almost all of the password managers that were studied have newer versions available that may have addressed these weaknesses. Then, make sure that you are using a strong master password that would be difficult for others to guess or brute-force. If you want to be more careful, close your password manager completely whenever you leave your computer unattended.”
Sethi added that the exploit needs to be kept in perspective because it requires physical access to a computer. “Compared to all the things that can go wrong when you use weak passwords or reuse passwords across websites, these issues are quite minor,” Sethi said. “Do not let these weaknesses deter you from using a good password manager.”
Photo: subcircle/Flickr