A new report by the independent security consulting firm ISE (Independent Security Evaluators) has revealed vulnerabilities in popular password management tools: LastPass, KeePass, 1Password, and Dashlane. All four applications were found to leave secrets (the master password, individual site passwords, or both) unencrypted in process memory while running, and some kept them there even after the user had "locked" the vault.
With so many passwords to remember, people struggle to come up with hard-to-guess ones that they can readily remember. Too often, people end up settling on a password they think will be hard for someone to crack and then use that one password across multiple sites. Other people save the different passwords they use in a text file on their computer’s desktop, or they carry a slip of paper with their various passwords on it in their wallet or purse.
None of these solutions is good. If you use the same password on multiple sites, a hacker needs to figure out only that one secret, and he will then be able to log into all your accounts. If someone gains direct or remote access to your computer, they’ll be able to open that unencrypted text file on your machine and see all the passwords you use. And, of course, if someone steals your wallet, you’ll have all sorts of problems, including losing that folded sheet of paper with your passwords on it.
Password managers offer an alternative. For each site for which you need a password, a password manager generates a long, random, complicated string and stores it in a vault encrypted with a key derived from your master password. The vault may live only on your machine (KeePass) or be synced through the vendor's servers (LastPass, 1Password, Dashlane). When you need to log into a site, you supply your master password, the manager decrypts the vault locally, and it hands you the password for that site. So, you end up having to remember just one password, the master password, to access as many passwords as you need. Because the vault is encrypted, you can sync it to any device, and an attacker who obtains a copy of the vault, from the vendor or from your disk, cannot read the passwords without the master password.
The vulnerabilities ISE has uncovered relate to how applications and operating systems handle data in memory. When you type your master password into a password manager, it has to be held momentarily in memory so the program can derive the vault's decryption key from it; the master password itself is not sent to the vendor's servers. At the hardware level, storing something in memory amounts to setting the state of a bank of memory cells. Think of this as connecting or disconnecting batteries in an electrical circuit to light up or turn off individual bulbs in a light fixture. If those "batteries" aren't deliberately reset after you've used your master password, then the pattern persists, meaning your master password remains in memory. Overwriting data in memory once it is no longer needed is called scrubbing. Note that scrubbing has to be done on purpose: freeing a buffer does not clear it, and an optimizing compiler may drop a plain overwrite of a buffer that is never read again, which is why platforms provide calls such as SecureZeroMemory on Windows and explicit_bzero on Linux and the BSDs.
The same idea applies to the site password the password manager decrypts from the vault for the website you're trying to access. That password will remain in memory after you use it if steps aren't taken to scrub it. Anyone who can read the process's memory, with a debugger such as WinDbg on Windows, or with gdb or /proc/<pid>/mem on Linux, can see the current contents, including your master or retrieved passwords. ISE also noted that a process's memory can be written to the page file when the system is under memory pressure, so the secret may end up on disk as well.
Some of the vulnerabilities ISE has uncovered can be fixed by the password managers' creators. In those cases, the vendor can make sure that user-entered master passwords and decrypted site passwords are scrubbed from the application's memory space immediately after they are used and, at the very least, when the user locks the password manager, so that "locked" actually means that nothing sensitive remains readable.
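To make the "locked but not scrubbed" finding concrete, here is an added example, written for this article rather than taken from ISE's report or from any of the four products. It models a toy vault: one lock routine only flips a flag (the bug pattern ISE described), the other scrubs the derived key and every decrypted site password before reporting the vault locked. The scan function stands in for a debugger reading the process's memory. The struct layout, the function names, the sample master password "hunter2!", the sample entries and the toy key derivation are all hypothetical; the key derivation is not a real KDF and only exists so that the master password is consumed and can then be discarded.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_ENTRIES 4
#define FIELD_LEN   64

struct entry {
    char site[FIELD_LEN];
    char password[FIELD_LEN];   /* plaintext site password while unlocked */
};

struct vault {
    int locked;
    char master[FIELD_LEN];     /* master password as typed; must not outlive key derivation */
    unsigned char key[32];      /* key derived from the master password */
    struct entry entries[MAX_ENTRIES];
    size_t count;
};

/* Overwrite through a volatile pointer so the optimizer cannot treat the store
 * as dead and remove it. SecureZeroMemory / explicit_bzero do the same job. */
static void secure_zero(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--)
        *vp++ = 0;
}

/* Toy stand-in for a KDF (not cryptographically meaningful). Every output byte
 * has its high bit set, so the key can never contain an ASCII password by accident. */
static void toy_kdf(const char *master, unsigned char key[32])
{
    size_t len = strlen(master);
    if (len == 0)
        len = 1;
    for (size_t i = 0; i < 32; i++)
        key[i] = (unsigned char)(master[i % len] ^ (unsigned char)(0x80 | (i * 31 + 7)));
}

/* Unlock: derive the key, then scrub the typed master password at once; the
 * entries are constructed sample data standing in for the decrypted vault. */
static void vault_unlock(struct vault *v, const char *master)
{
    strncpy(v->master, master, FIELD_LEN - 1);
    v->master[FIELD_LEN - 1] = '\0';
    toy_kdf(v->master, v->key);
    secure_zero(v->master, sizeof v->master);

    strcpy(v->entries[0].site, "example.com");
    strcpy(v->entries[0].password, "correct-horse-battery-staple");
    strcpy(v->entries[1].site, "bank.example");
    strcpy(v->entries[1].password, "Tr0ub4dor&3");
    v->count = 2;
    v->locked = 0;
}

/* The bug pattern: the UI reports "locked" but nothing was scrubbed. */
static void vault_lock_naive(struct vault *v)
{
    v->locked = 1;
}

/* The fix: scrub the key and every decrypted secret before reporting locked. */
static void vault_lock_scrubbing(struct vault *v)
{
    secure_zero(v->key, sizeof v->key);
    for (size_t i = 0; i < v->count; i++)
        secure_zero(v->entries[i].password, sizeof v->entries[i].password);
    v->count = 0;
    v->locked = 1;
}

/* Memory-scan stand-in: does the needle appear anywhere in the vault's bytes? */
static int vault_memory_contains(const struct vault *v, const char *needle)
{
    const unsigned char *p = (const unsigned char *)v;
    size_t n = sizeof *v, m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(p + i, needle, m) == 0)
            return 1;
    return 0;
}

/* 1 if a site password is still readable after a flag-only lock. */
int naive_lock_leaks(void)
{
    struct vault v;
    memset(&v, 0, sizeof v);
    vault_unlock(&v, "hunter2!");
    vault_lock_naive(&v);
    return v.locked && vault_memory_contains(&v, "correct-horse-battery-staple");
}

/* 1 if the secret was present while unlocked and nothing survives a scrubbing lock. */
int scrubbing_lock_clean(void)
{
    struct vault v;
    memset(&v, 0, sizeof v);
    vault_unlock(&v, "hunter2!");
    int had_secret = vault_memory_contains(&v, "correct-horse-battery-staple")
                  && !vault_memory_contains(&v, "hunter2!");   /* master already scrubbed */
    vault_lock_scrubbing(&v);
    return had_secret && v.locked
        && !vault_memory_contains(&v, "correct-horse-battery-staple")
        && !vault_memory_contains(&v, "hunter2!");
}

int main(void)
{
    printf("flag-only lock leaves site password in memory: %s\n", naive_lock_leaks() ? "yes" : "no");
    printf("scrubbing lock leaves nothing readable:        %s\n", scrubbing_lock_clean() ? "yes" : "no");
    return 0;
}
```

The scan only covers the vault struct itself; a real attacker dumps the whole process, which is why scrubbing your own buffers is necessary but not sufficient: copies made by the GUI toolkit, the string library, or the allocator are outside the application's reach, the point the next paragraph makes.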
Other bugs, however, are not within the vendors' ability to fix. Instead, they involve the operating system and its GUI frameworks. When Windows displays text in a text box, for example, the control keeps its own copy of that data unencrypted in memory so that it can be displayed. If Windows itself doesn't clear that copy after the dialog is closed, then the unencrypted value will remain in memory regardless of what the application does with its own buffers. That behavior affects every Windows application, so fixing it without breaking current software could be quite tricky for Microsoft. And, of course, if the user leaves the window housing the password text box open, the operating system has no way to know that the field's contents are no longer needed; the most an application can do is clear the field or close the dialog itself.
Still, ISE's findings should not seriously alarm users of password managers. To exploit these bugs, an attacker has to be able to run code on your machine. Reading another process's memory does not generally require administrator rights: on Windows, a program running under your own user account can open and read the memory of another of your processes, and on Linux the same holds unless ptrace restrictions (Yama's ptrace_scope) are enabled. Reading the page file, or the memory of processes running as other users, does require administrator or root privileges. So malware that has gained a foothold under your account, or that has escalated to administrator, could do what the ISE report describes, and the report is not just of theoretical interest. Still, provided you keep your machine's applications and operating system patched, you don't click on links in phishing emails, and you don't visit sites that have a reputation for distributing malware, it will be difficult for an attacker to gain such access, and an attacker who already has it can also log keystrokes or read your browser's saved passwords.
With that said, however, I have to admit I am not a fan of password managers. They violate the "trust no one" security rule. "Trust no one" means just that: don't entrust private data and credentials to anyone, not even a "trusted" third-party provider like a password management firm. Of course, it is difficult to live by this uncompromisingly, because it makes many things we do online inconvenient or impossible. Obviously, using the cloud to store data violates this maxim big-time. But, when possible, avoid handing the keys to your valuables to anyone, or anything, else.
Instead, I recommend devising a clever way to generate a unique password for every site you use: a procedure that only you know. Come up with a set of simple steps that you can do in your head to customize a password for each site you visit. Figure out what mental manipulations you can do easily that will enable you to generate a password on the fly that is unique to every site, and use those steps to generate and recall your passwords for every site you use. The steps can be simple as long as they result in a unique password for every site, and as long as the result is not just the site's name lightly disguised.
Because the rules can be anything you dream up and should include a secret component that is not derivable from the site name, the passwords you create through such a process will be reproducible only by you. It will be your own unique password generator whose only electronic footprint will be the firing of synapses in your brain. The one caveat: a site that stores passwords badly can leak yours, so pick a rule that cannot be worked backwards from one or two leaked passwords to the passwords for your other sites. Until the tech exists for capturing and translating your brain waves, you'll have a secure password solution, and you won't have to trust anyone else to provide it.
The newly disclosed vulnerabilities in password management tools result from the way applications and operating systems use memory to communicate data. Some of them can be fixed by the password management vendors, and some of them can’t. The vulnerabilities aren’t as concerning as they appear on first look. Still, you can keep yourself safer by being your own unique password generator and trusting no one to do that for you.