Password managers aren't perfect, but they're better than nothing

Shawn Knight

Posts: 15,240   +192
Staff member
Why it matters: Password managers may be flawed but the benefits seemingly outweigh the shortcomings. Aside from assisting in categorizing credentials, they help users avoid bad password practices such as password reuse and weak password selection.

As security researcher Troy Hunt once wrote, “Password managers don’t have to be perfect, they just have to be better than not having one.” According to a recently published report from Independent Security Evaluators (ISE), they’ve more or less accomplished that goal.

ISE put five popular password managers to the test – 1Password4 for Windows version 4.6.2.626, 1Password7 for Windows version 7.2.576, Dashlane for Windows version 6.1843.0, KeePass Password Safe version 2.40 and LastPass for Applications version 4.1.59 – to see just how secure they are.

The researchers found that in every case, trivial secret extraction was possible from a locked password manager. In some cases, they were even able to collect the master password.

With 1Password4, ISE found reasonable protections against exposure of individual passwords in the unlocked state. However, it is possible to recover and deobfuscate the master password due to the fact that it isn’t scrubbed from memory after placing the manager in a locked state.

Surprisingly enough, ISE said the current release, 1Password7, was less secure in the running state than the aforementioned legacy version. Unlike 1Password4 which kept only one entry at a time in memory, 1Password7 decrypted all individual passwords as soon as it was unlocked and cached them in memory. Worse yet, the manager doesn’t scrub individual passwords, the master password or the secret key from memory when transitioning from unlocked to locked state.

In testing Dashlane, ISE noted the use of memory / string and GUI management frameworks to prevent secrets from being passed to various OS APIs that could expose them to eavesdropping by malware. Dashlane also only exposes one active entry in memory at a time although unfortunately, “once a user updates any information in an entry, Dashlane exposes the entire database plaintext in memory and it remains there even after Dashlane is logged out of or ‘locked’.”

Like 1Password4, open-source KeePass decrypts entries as they are interacted with but critically, they all remain in memory as they aren’t individually scrubbed after said interaction. On the bright side, ISE found that the master password is scrubbed from memory and thus, not recoverable.

LastPass is similar to 1Password4 in that it obfuscates the master password as it is being typed into the unlock field. Once the manager enters an unlocked state, database entries are decrypted into memory although only upon user interaction. Unfortunately, the entries linger in memory even after LastPass is put back into a locked state.

In conclusion, ISE notes that all password managers tested sufficiently secured secrets while in a “not running” state, meaning if someone gathered a database from a disk and if a strong master password was used, brute forcing would be computationally prohibitive. However, each also fails in implementing proper secrets sanitation for various reasons.

Lead image courtesy EtiAmmos via Shutterstock

Permalink to story.

 
“Password managers don’t have to be perfect, they just have to be better than not having one.”

That's not the most rousing vote of confidence I've ever heard for password managers. I mean you're required to have a password for every app I can think of. How can you "not" have one?
 
“Password managers don’t have to be perfect, they just have to be better than not having one.”

That's not the most rousing vote of confidence I've ever heard for password managers. I mean you're required to have a password for every app I can think of. How can you "not" have one?
Exactly that, if you don't have one it's already a bad scenario.

I wish the report doesn't sprawl a lot of attention from malicious actors...
 
I'd argue that while security is important, the detrimental effect it has on your own ability to remember your own passwords is worse. Essentially by removing the burden of having to remember passwords you've created a new issue in that your digital life is in complete control of a password manager and you can't do anything without it. Not flexing your ability to recall isn't a good thing either. Your brain needs to exercise just like your body.
 
I'd argue that while security is important, the detrimental effect it has on your own ability to remember your own passwords is worse. Essentially by removing the burden of having to remember passwords you've created a new issue in that your digital life is in complete control of a password manager and you can't do anything without it. Not flexing your ability to recall isn't a good thing either. Your brain needs to exercise just like your body.
I might be living in a different world, but I don't see myself remembering 10+ complex unique passwords, unless using one of the cliches from the internet (WhereThisIsMyPassword... WhrThssMPsswrd.[random number here]).

Having a system to remember means there is a chance that the system can be cracked, what happens when you need to change said passwords? And so forth. Technically speaking, the best password is the one you don't know.
 
It seems Keepass already fixed the problem. Their latest version 2.41 (article said version 2.40 was tested) states:

Changes from 2.40 to 2.41:
New Features:

Added option 'Do not store data in the Windows clipboard history and the cloud clipboard' (the option is turned on by default; for entry clipboard commands in the main window).
 
Diverse and strong password work best! TryTOOCrackTHISSONE!@#AT456SomeLevel^&*GOODLUCK!!!DAN$A
 
Diverse and strong password work best! TryTOOCrackTHISSONE!@#AT456SomeLevel^&*GOODLUCK!!!DAN$A

Sure, that's great. Now, how many web sites do you log into? How many apps? Servers? If you use the same password for each one, it only takes *ONE* database breach for your entire world to be compromised.

Here is a standard password example that I use - a different one for EVERY SINGLE SITE. I only need to remember ONE strong password, similar to yours, for my password manager master password.

2gZq887r65nsY!rB4kVpHTA8!h*$6D

For those of you who do not use a password manager, best wishes to you. I suggest that you invest in a service to help you detect and recover from identity theft.
 
Sure, that's great. Now, how many web sites do you log into? How many apps? Servers? If you use the same password for each one, it only takes *ONE* database breach for your entire world to be compromised.

Here is a standard password example that I use - a different one for EVERY SINGLE SITE. I only need to remember ONE strong password, similar to yours, for my password manager master password.

2gZq887r65nsY!rB4kVpHTA8!h*$6D

For those of you who do not use a password manager, best wishes to you. I suggest that you invest in a service to help you detect and recover from identity theft.
Lots and lots, the key is to have a brain that works......
 
Back