But is it that bad?
Leading password managers are rife with insecurities when it comes to memory management, failing to scrub data from local memory that could be used to expose their bank of user passwords, according to Baltimore-based security consultancy Independent Security Evaluators (ISE).
The company interrogated the security of of password managers 1Password, Dashlane, KeePass and LastPass, which between them have over 60 million private and business users, testing them when not running, running but locked, and actively running (on Windows 10, Version 1803 with an Intel i7-7700HQ processor).
When not running, all used strong encryption for their password databases – PBKDF2-SHA256 for LastPass and 1Password; Argo2 for Dashlane; AES-KDF for KeePass – i.e. brute forcing encrypted password entries on disk would be computationally prohibitive for most adversaries.
But when either running, or running but subsequently logged out or “locked” the majority had severe memory hygiene issues, including one (1Password) which had a bug where, under certain user actions, the master password can be left in memory in cleartext even while locked, ISE’s researchers found.
Password Manager Security: Why This Matters
The research is, on the face of it, likely to alarm a growing user base.
Password managers are widely recommended, including by the UK’s NCSC, as a better alternative to trying (and failing) to remember a growing array of complex passwords, or worse, recycling the same memorable password across multiple accounts.
As ISE notes, password use has gone from about 25 passwords per user in 2007 to 130 in 2015, and is projected to grow to 207 in 2020. As a result more and more users are expected to deploy password managers. Yet the research suggests that most fail to live up to commitments: 1Password came in for particular criticism.
No Intel SGX as Promised
The company claimed in 2017 to be set to feature Intel SGX technology within months. This technology protects secrets inside secure memory enclaves so that other processes and even higher privileged components (such as the kernel) cannot access them.
ISE said: “Were SGX to be implemented correctly, 1Password7 would have been the most secure password manager in our research by far. Unfortunately, SGX was only supported as a beta feature in 1Password6 and early versions of 1Password7, and was dropped for later versions. This was only evident from gathering the details about it on a 1Password support forum”.
The company added: “The memory “hygiene” of 1Password7 is so lacking, that it is possible for it to leak passwords from memory without an intentional attack at all. During our evaluation of 1Password7, we encountered a system stop error (kernel mode exception) on our Windows 10 workstation, from an unrelated hardware issue, that created a full memory debug dump to disk. While examining this memory dump file, we came across our secrets that 1Password7 held cleartext, in memory, in a locked state when the stop error occurred.”
1Password’s Jeffrey Goldberg (“our Chief Defender Against the Dark Arts”) told Computer Business Review in an emailed response: “This is a well-known issue that’s been publicly discussed many times before, but any plausible cure may be worse than the disease. Fixing this particular problem introduces new, greater security risks, and so we have chosen to stick with the security afforded by high-level memory management, even if it means that we cannot clear memory instantly.”
“Long term, we may not need to make such a tradeoff. But given the tools and technologies at our disposal, we have had to make a decision as to how best to keep our users secure. I stand by our decision.”
He concluded: “The realistic threat from this issue is limited. An attacker who is in a position to exploit this information in memory is already in a very powerful position. No password manager (or anything else) can promise to run securely on a compromised computer.”
ISE is vehement that its research exposes serious security issues: “100 percent of the products that ISE analyzed failed to provide the security to safeguard a user’s passwords as advertised,” said ISE CEO Stephen Bono in a release.
“Although password managers provide some utility for storing login/passwords and limit password reuse, these applications are a vulnerable target for the mass collection of this data through malicious hacking campaigns.”
LastPass Responds: This Was in Our Bounty Programme…
But a response from LastPass suggested that although a vulnerability had, indeed, been legitimately found, claims of fundamental flaws all round were somewhat hyperbolic. They said the bug raised by ISE for their provider applied to a tiny minority of use cases, had been identified through its bug bounty programme, and since fixed.
“This particular vulnerability, in LastPass for Applications, our legacy, local Windows Application (which accounts for less than .2% of all LastPass usage) was brought to our attention by researchers through our Bug Bounty Program” the company told Computer Business Review in an emailed statement.
The company added: “In order to read the memory of an application [the approach used], an attacker would need to have local access and admin privileges to the compromised computer. We have already implemented changes to LastPass for Applications designed to mitigate and minimize the risk of the potential attack detailed in this report. To mitigate risk of compromise while LastPass for Applications is in a locked state, LastPass for Applications will now shut down the application when the user logs out, clearing the memory and not leaving anything behind.”
(For full details on the local memory issues of each password manager, see the research here. In brief, however, ISE says LastPass’s master password is leaked into a string buffer in memory and never scrubbed, even when LastPass is placed into a locked state; Dashlane briefly exposes the entire database plaintext in memory and it remains there even after Dashlane is logged out of; performing a simple strings dump from the process memory of KeePass reveals a list of entries that have been interacted with: a determined adversary can then search for a username to an entry and locate its corresponding password field entry, etc.)
Etienne Greeff, the CTO and founder of SecureData, which was recently bought by Orange, told Computer Business Review: “There are two conflicting themes coming out for me. First of all security tools do have the habit of increasing your attack surface by virtue of the fact that they are trusted. In this instance the password managers contains the keys to the kingdom for what continues to be a flawed way of authentication, our outdated and old friend passwords.”
“So local memory attacks seems plausible and indeed doable but certainly less likely than guessing a reused password which is one of the symptoms they are fixing.”
“[But] This is a case of the side affect being almost as bad as the symptom we are addressing. The thing is that if you crack the password manager you have got pay dirt. Will I continue to use LastPass… Hell yes. Should I use 2FA where possible. Yes. Do I always? Hell no… I guess there is a lesson in there somewhere.”
ISE concluded, meanwhile, given the issues, that end users should continue to employ security best practices to limit exposure to adversarial activity.
This includes basics like keeping the OS updated, using auto lock on their OS, but also selecting a strong password as the master password to thwart brute force possibilities on a compromised encrypted database file and using full disk encryption to prevent the possibility of secrets extraction in the event of crash logs and associated memory dumps which may include decrypted password manager data.