1Password, Dashlane, KeePass and LastPass each downplay what researchers say is a flaw in how the utilities manage memory.
Password manager makers 1Password, Dashlane, KeePass and LastPass are pushing back against a research report showing how an adversary with local access can extract passwords stored by the utilities from memory.
The uproar began Tuesday when lead researcher Adrian Bednarek of Independent Security Evaluators (ISE) published findings demonstrating how someone with access to a Windows 10 system could pull clear-text passwords handled by the utilities out of process memory.
“It is evident that attempts are made to scrub sensitive memory in all password managers. However, each password manager fails in implementing proper secrets sanitization for various reasons,” Bednarek wrote in his research report.
The issue with the password managers (1Password, Dashlane, KeePass and LastPass) at the time of testing was that each of them left either the master password or individual credentials in unprotected process memory on the PC, in some cases even after the vault had been locked. This could allow a local adversary, or a remote attacker who had already compromised the system, to read the passwords out of memory, for example from a memory dump or by reading the running process.
The one exception, researchers note, is when the password managers are not running.
“All password managers we examined sufficiently secured user secrets while in a ‘not running’ state. That is, if a password database were to be extracted from disk and if a strong master password was used, then brute forcing of a password manager would be computationally prohibitive,” Team ISE explained.
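The failure mode the report describes (a vault that reports itself "locked" while its working copy of the master password is still sitting in process memory) is easy to model. The following is an added example written for this page; it is not ISE's tooling and not code from any of the four vendors. The toy vault, the arena that stands in for the process heap, the 4096-byte size, the working-buffer offset and the sample master password are all constructed for illustration. It contrasts a lock routine that only flips a flag with one that scrubs the working buffer, and includes a scan of the arena that plays the attacker's role (the equivalent of searching a memory dump or the output of ReadProcessMemory for the secret). The scrub goes through a volatile function pointer so the compiler cannot drop it as a dead store, which is one of the "various reasons" a sanitization attempt can silently fail.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Added example, not ISE's or any vendor's code. A toy "vault" keeps its
 * working copy of the master password inside an arena that stands in for
 * process memory. ARENA_SIZE, WORK_OFFSET and the sample secret are
 * illustrative assumptions. */

#define ARENA_SIZE 4096
#define WORK_OFFSET 1024          /* where the toy vault parks its working copy */

struct vault {
    unsigned char arena[ARENA_SIZE]; /* stands in for the process heap */
    int unlocked;
};

/* Zeroing that the optimizer cannot remove as a dead store: the write goes
 * through a volatile function pointer, so the call must actually be made.
 * Platform primitives that do the same job: SecureZeroMemory (Windows),
 * explicit_bzero (glibc/BSD), memset_s (C11 Annex K). A plain memset on a
 * buffer that is never read again may be optimized out entirely. */
static void *(*volatile memset_ptr)(void *, int, size_t) = memset;
static void secure_zero(void *p, size_t n) { memset_ptr(p, 0, n); }

/* Attacker's-eye view: scan a memory region for a secret the way a tool
 * reading a memory dump would. Returns the offset, or -1 if absent. */
long find_secret(const unsigned char *hay, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    if (m == 0 || m > n) return -1;
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return (long)i;
    return -1;
}

void vault_init(struct vault *v) { memset(v, 0, sizeof *v); }

/* Unlock: copy the master password into the working buffer, as a manager
 * must while it derives keys and decrypts entries. */
int vault_unlock(struct vault *v, const char *master)
{
    size_t m = strlen(master);
    if (m >= ARENA_SIZE - WORK_OFFSET) return 0;
    memcpy(v->arena + WORK_OFFSET, master, m + 1);
    v->unlocked = 1;
    return 1;
}

/* Leaky lock: flips the state flag but leaves the working copy in memory.
 * This is the behaviour the report criticizes: "locked", yet recoverable. */
void vault_lock_leaky(struct vault *v) { v->unlocked = 0; }

/* Sanitizing lock: scrub the working copy before declaring the vault locked. */
void vault_lock_scrubbed(struct vault *v)
{
    secure_zero(v->arena + WORK_OFFSET, ARENA_SIZE - WORK_OFFSET);
    v->unlocked = 0;
}

/* Returns 1 if the master password is still recoverable from the arena
 * after the given lock routine has run, 0 if not, -1 on bad input. */
int secret_recoverable_after(void (*lock)(struct vault *), const char *master)
{
    struct vault v;
    vault_init(&v);
    if (!vault_unlock(&v, master)) return -1;
    lock(&v);
    return find_secret(v.arena, ARENA_SIZE, master) >= 0;
}

int main(void)
{
    const char *master = "correct horse battery staple"; /* constructed sample */
    printf("leaky lock:    recoverable=%d\n",
           secret_recoverable_after(vault_lock_leaky, master));
    printf("scrubbed lock: recoverable=%d\n",
           secret_recoverable_after(vault_lock_scrubbed, master));
    return 0;
}
```

The leaky lock leaves the master password findable in the arena; the scrubbed lock does not. The same scan, run against a real process's memory rather than a toy arena, is essentially what the researchers did, and the scrub-before-lock discipline (applied to every buffer that ever held the secret, including copies made by string and UI libraries) is what they asked the vendors to tighten.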
For ISE, this was far from a deal breaker when it came to using the password management utilities. Instead, researchers encouraged people to use the password managers. But at the same time, they also advocated that password manager firms tighten up their application memory management.
“First and foremost, password managers are a good thing. All password managers we have examined add value to the security posture of secrets management,” researchers wrote.
The password manager firms, whose products are used by an estimated 60 million users and 93,000 businesses, each took issue with the study for different reasons.
Emmanuel Schalit, CEO of Dashlane, said the research was too narrowly focused on specific conditions that were “a very standard theoretical scenario in the world of security.” He continued: “This is not limited to Windows 10 but applies to any operating system and digital device connected to the internet.”
In a statement Schalit said:
“We respectfully disagree with the researcher’s claim that this can be truly fixed by Dashlane, or anyone for that matter. Once the operating system or device is compromised, an attacker will end up having access to anything on the device and there is no way to effectively prevent it. There are solutions that amount to ‘putting the information under the rug’ but any attacker sufficiently sophisticated to remotely take control of the user’s device would go around these solutions very easily.”