UPDATED 21:29 EDT / FEBRUARY 20 2019

SECURITY

Flaws in leading password managers can expose data

In an age of constant data breaches and hacking, many security experts encourage the use of online password managers. But as it turns out, the password managers themselves have vulnerabilities that can expose data on devices.

A disturbing report Tuesday from Independent Security Evaluators found that the leading online password managers — 1Password, Dashlane, KeePass and LastPass — all fail when it comes to securing passwords properly.

“100 percent of the products that ISE analyzed failed to provide the security to safeguard a user’s passwords as advertised,” ISE Chief Executive Officer Stephen Bono said. “Although password managers provide some utility for storing login/passwords and limit password reuse, these applications are a vulnerable target for the mass collection of this data through malicious hacking campaigns.”

The issues relate to how the password managers leave passwords exposed in a computer’s memory, including both the master password and individual credentials. In some cases, the master password could be found in plaintext in memory when the password manager was locked, and researchers could extract the master password using memory forensics. What this means is that hackers could also obtain passwords using the same method.

Amit Sethi, senior principal consultant at Synopsys Inc., told SiliconANGLE that the main risk is that somebody who gets access to a computer while the password manager is running but locked may be able to get access to the passwords.

“The first step is to upgrade your password manager to the latest available version,” Sethi advised. “Almost all of the password managers that were studied have newer versions available that may have addressed these weaknesses. Then, make sure that you are using a strong master password that would be difficult for others to guess or brute-force. If you want to be more careful, close your password manager completely whenever you leave your computer unattended.”

Sethi added that the exploit needs to be kept in perspective because it requires physical access to a computer. “Compared to all the things that can go wrong when you use weak passwords or reuse passwords across websites, these issues are quite minor,” Sethi said. “Do not let these weaknesses deter you from using a good password manager.”

Photo: subcircle/Flickr
