Password managers may leave your online crown jewels 'exposed in RAM' to malware – but hey, they're still better than the alternative

www.theregister.co.uk | 2/20/2019 | Staff
spiderMonkey (Posted by) Level 3

A bunch of infosec bods are taking some of the most popular password managers to task after an audit revealed some mildly annoying, non-world-ending security shortcomings.

Researchers at ISE declared on Tuesday that the likes of 1Password, KeePass, LastPass, and Dashlane all have vulnerabilities that would potentially allow malicious software on a Windows machine to steal either the master password or individual passwords stored by the applications.

The problem here is mainly secure memory management. To some degree, every one of the four password managers left passwords – either the master password or individual credentials – accessible in memory. This would potentially allow malware on a system, particularly malware with admin rights, to obtain those passwords.

And yeah, sure... we know. We get it. If spyware has infected your computer, you're pretty much screwed. The point here is to demonstrate that software nasties can potentially mine all your login details straight from your password manager in one go. Think of this as a heads up to developers of passphrase managers, and malware researchers.

For what it's worth, we reckon that if malware has taken hold of your PC it could probably impersonate your password manager, and snaffle your master passphrase that way, but hey, why go to that trouble if the goodies are lying around in RAM? What we're saying here is: this isn't anything to panic over right now – it's something the designers of password managers, at least, should now be aware of.

The team noted that the password managers are not vulnerable when they are not running, such as right after the system boots up, but rather are exposed after the user opens the manager and types in their master password. That means the passwords stored...
(Excerpt) Read more at: www.theregister.co.uk