1. TechSpot is dedicated to computer enthusiasts and power users. Ask a question and give support. Join the community here.
    TechSpot is dedicated to computer enthusiasts and power users.
    Ask a question and give support.
    Join the community here, it only takes a minute.
    Dismiss Notice

Password managers aren't perfect, but they're better than nothing

By Shawn Knight · 21 replies
Feb 20, 2019
Post New Reply
  1. As security researcher Troy Hunt once wrote, “Password managers don’t have to be perfect, they just have to be better than not having one.” According to a recently published report from Independent Security Evaluators (ISE), they’ve more or less accomplished that goal.

    ISE put five popular password managers to the test – 1Password4 for Windows version, 1Password7 for Windows version 7.2.576, Dashlane for Windows version 6.1843.0, KeePass Password Safe version 2.40 and LastPass for Applications version 4.1.59 – to see just how secure they are.

    The researchers found that in every case, trivial secret extraction was possible from a locked password manager. In some cases, they were even able to collect the master password.

    With 1Password4, ISE found reasonable protections against exposure of individual passwords in the unlocked state. However, it is possible to recover and deobfuscate the master password due to the fact that it isn’t scrubbed from memory after placing the manager in a locked state.

    Surprisingly enough, ISE said the current release, 1Password7, was less secure in the running state than the aforementioned legacy version. Unlike 1Password4 which kept only one entry at a time in memory, 1Password7 decrypted all individual passwords as soon as it was unlocked and cached them in memory. Worse yet, the manager doesn’t scrub individual passwords, the master password or the secret key from memory when transitioning from unlocked to locked state.

    In testing Dashlane, ISE noted the use of memory / string and GUI management frameworks to prevent secrets from being passed to various OS APIs that could expose them to eavesdropping by malware. Dashlane also only exposes one active entry in memory at a time although unfortunately, “once a user updates any information in an entry, Dashlane exposes the entire database plaintext in memory and it remains there even after Dashlane is logged out of or ‘locked’.”

    Like 1Password4, open-source KeePass decrypts entries as they are interacted with but critically, they all remain in memory as they aren’t individually scrubbed after said interaction. On the bright side, ISE found that the master password is scrubbed from memory and thus, not recoverable.

    LastPass is similar to 1Password4 in that it obfuscates the master password as it is being typed into the unlock field. Once the manager enters an unlocked state, database entries are decrypted into memory although only upon user interaction. Unfortunately, the entries linger in memory even after LastPass is put back into a locked state.

    In conclusion, ISE notes that all password managers tested sufficiently secured secrets while in a “not running” state, meaning if someone gathered a database from a disk and if a strong master password was used, brute forcing would be computationally prohibitive. However, each also fails in implementing proper secrets sanitation for various reasons.

    Lead image courtesy EtiAmmos via Shutterstock

    Permalink to story.

  2. fluffydestroyer

    fluffydestroyer TS Enthusiast Posts: 35   +17

    I hope KeePass devs look at this and implement the tweaks and fixes and update their software. Thats nice to know.
  3. rrwards

    rrwards TS Enthusiast Posts: 36   +56

    I'd be interested in seeing how Bitwarden compares too
  4. Danny101

    Danny101 TS Guru Posts: 714   +266

    Until it's hacked, then it's worse than nothing.
  5. Docus

    Docus TS Enthusiast Posts: 25   +12

    It looks like they just received some sort of EU funding for development, so hopefully they have the resources to tackle this.
    fluffydestroyer likes this.
  6. TomSEA

    TomSEA TechSpot Chancellor Posts: 3,093   +1,545

    “Password managers don’t have to be perfect, they just have to be better than not having one.”

    That's not the most rousing vote of confidence I've ever heard for password managers. I mean you're required to have a password for every app I can think of. How can you "not" have one?
  7. Kibaruk

    Kibaruk TechSpot Paladin Posts: 3,757   +1,149

    Exactly that, if you don't have one it's already a bad scenario.

    I wish the report doesn't sprawl a lot of attention from malicious actors...
  8. Evernessince

    Evernessince TS Evangelist Posts: 3,800   +3,187

    I'd argue that while security is important, the detrimental effect it has on your own ability to remember your own passwords is worse. Essentially by removing the burden of having to remember passwords you've created a new issue in that your digital life is in complete control of a password manager and you can't do anything without it. Not flexing your ability to recall isn't a good thing either. Your brain needs to exercise just like your body.
    Godel, Danny101 and cliffordcooley like this.
  9. Kibaruk

    Kibaruk TechSpot Paladin Posts: 3,757   +1,149

    I might be living in a different world, but I don't see myself remembering 10+ complex unique passwords, unless using one of the cliches from the internet (WhereThisIsMyPassword... WhrThssMPsswrd.[random number here]).

    Having a system to remember means there is a chance that the system can be cracked, what happens when you need to change said passwords? And so forth. Technically speaking, the best password is the one you don't know.
    Godel likes this.
  10. cliffordcooley

    cliffordcooley TS Guardian Fighter Posts: 11,208   +4,877

    I can honestly say, I will never use a password manager.
    Danny101 likes this.
  11. Danny101

    Danny101 TS Guru Posts: 714   +266

    I keep a record, so I don't have to.
  12. learninmypc

    learninmypc TS Evangelist Posts: 8,729   +570

  13. PEnnn

    PEnnn TS Enthusiast Posts: 57   +55

    It seems Keepass already fixed the problem. Their latest version 2.41 (article said version 2.40 was tested) states:

    Changes from 2.40 to 2.41:
    New Features:

    Added option 'Do not store data in the Windows clipboard history and the cloud clipboard' (the option is turned on by default; for entry clipboard commands in the main window).
  14. wontolla

    wontolla TS Rookie

    I use RoboForm since 2016, best password manager I´ve used.
  15. fktech

    fktech TS Maniac Posts: 512   +128

    Diverse and strong password work best! TryTOOCrackTHISSONE!@#AT456SomeLevel^&*GOODLUCK!!!DAN$A
  16. HyperPete

    HyperPete TS Enthusiast Posts: 44   +12

    Sure, that's great. Now, how many web sites do you log into? How many apps? Servers? If you use the same password for each one, it only takes *ONE* database breach for your entire world to be compromised.

    Here is a standard password example that I use - a different one for EVERY SINGLE SITE. I only need to remember ONE strong password, similar to yours, for my password manager master password.


    For those of you who do not use a password manager, best wishes to you. I suggest that you invest in a service to help you detect and recover from identity theft.
  17. learninmypc

    learninmypc TS Evangelist Posts: 8,729   +570

    I remembered your post when I saw the article so I posted it.
  18. fktech

    fktech TS Maniac Posts: 512   +128

    Lots and lots, the key is to have a brain that works......
  19. cliffordcooley

    cliffordcooley TS Guardian Fighter Posts: 11,208   +4,877

    The way we are going, that will be hack-able before long.
  20. HyperPete

    HyperPete TS Enthusiast Posts: 44   +12

    Well, I'm certainly glad that you have convinced yourself! ;-)
  21. fktech

    fktech TS Maniac Posts: 512   +128

    Too true!
  22. fktech

    fktech TS Maniac Posts: 512   +128

    cliffordcooley likes this.

Add your comment to this article

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...