UPDATED 21:29 EDT / FEBRUARY 20 2019

SECURITY

Flaws in leading password managers can expose data

In an age of constant data breaches and hacking, many security experts encourage the use of online password managers. But as it turns out, the password managers themselves have vulnerabilities that can expose data on devices.

A disturbing report Tuesday from Independent Security Evaluators found that the leading online password managers — 1Password, Dashlane, KeePass and LastPass — all fail when it comes to securing passwords properly.

“100 percent of the products that ISE analyzed failed to provide the security to safeguard a user’s passwords as advertised,” ISE Chief Executive Officer Stephen Bono said. “Although password managers provide some utility for storing login/passwords and limit password reuse, these applications are a vulnerable target for the mass collection of this data through malicious hacking campaigns.”

The issues relate to how the password managers leave passwords exposed in a computer’s memory, including both the master password and individual credentials. In some cases, the master password could be found in plaintext in memory when the password manager was locked, and researchers could extract the master password using memory forensics. What this means is that hackers could also obtain passwords using the same method.
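The following C example is added here for illustration and is not taken from ISE's report or from any of the products named. It contrasts a lock routine that only flips a "locked" flag, leaving the master password readable in process memory, with one that wipes the buffer first. The `vault` struct, the function names and the sample password are hypothetical and constructed for this example.

```c
#include <stdio.h>
#include <string.h>

#define PW_MAX 64

/* Hypothetical in-memory state of a password manager (constructed for this example). */
struct vault { int locked; char master[PW_MAX]; };

/* Wipe through a volatile pointer so the compiler cannot discard the stores as dead. */
static void secure_wipe(void *p, size_t n) {
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

void vault_unlock(struct vault *v, const char *pw) {
    strncpy(v->master, pw, PW_MAX - 1);
    v->master[PW_MAX - 1] = '\0';
    v->locked = 0;
}

/* Weak lock: the UI shows "locked", but the plaintext stays in the buffer. */
void vault_lock_weak(struct vault *v) { v->locked = 1; }

/* Hardened lock: scrub the secret before reporting the vault as locked. */
void vault_lock_hardened(struct vault *v) {
    secure_wipe(v->master, sizeof v->master);
    v->locked = 1;
}

/* Self-check on our own object: returns 1 if the secret's bytes are still resident. */
int secret_resident(const struct vault *v, const char *secret) {
    const unsigned char *mem = (const unsigned char *)v;
    size_t n = strlen(secret);
    if (n == 0 || n > sizeof *v) return 0;
    for (size_t i = 0; i + n <= sizeof *v; i++)
        if (memcmp(mem + i, secret, n) == 0) return 1;
    return 0;
}

/* Unlock, lock with the chosen routine, then report whether the secret survived. */
int demo(int hardened) {
    struct vault v = {0};
    vault_unlock(&v, "constructed-sample-master-pw");
    if (hardened) vault_lock_hardened(&v); else vault_lock_weak(&v);
    return secret_resident(&v, "constructed-sample-master-pw");
}

int main(void) {
    printf("weak lock: %d, hardened lock: %d\n", demo(0), demo(1));
    return 0;
}
```

Wiping one buffer covers only that copy; any other place the secret was copied to, such as a UI text field or a temporary string, needs the same treatment.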

Amit Sethi, senior principal consultant at Synopsys Inc., told SiliconANGLE that the main risk is that somebody who gets access to a computer while the password manager is running but locked may be able to get access to the passwords.

“The first step is to upgrade your password manager to the latest available version,” Sethi advised. “Almost all of the password managers that were studied have newer versions available that may have addressed these weaknesses. Then, make sure that you are using a strong master password that would be difficult for others to guess or brute-force. If you want to be more careful, close your password manager completely whenever you leave your computer unattended.”

Sethi added that the exploit needs to be kept in perspective because it requires physical access to a computer. “Compared to all the things that can go wrong when you use weak passwords or reuse passwords across websites, these issues are quite minor,” Sethi said. “Do not let these weaknesses deter you from using a good password manager.”

Photo: subcircle/Flickr
