Research: master password of password managers can be retrieved via memory


Security researchers show that the master password of password managers such as 1Password and LastPass can be retrieved. This is possible with a targeted attack on the memory of Windows 10 computers.

The study by the independent American consultancy Independent Security Evaluators focuses on 1Password, KeePass, LastPass and Dashlane for Windows 10. The researchers looked at whether the password managers left traces in the memory and tried to decipher passwords.

Dashlane and KeePass do the best job of protecting the master password. LastPass and two versions of 1Password failed that test: the researchers were able to retrieve the master password from those password managers via memory. Doing so requires access to the computer while the password manager is running, so it is only feasible as a targeted attack.

The companies behind the software responded differently to The Washington Post. LastPass says it will release an update this week; Dashlane says it has been working on a fix for a while, but that there are higher-priority security concerns. KeePass and 1Password state that it is an acceptable risk and a known limitation of Windows 10.

According to the researchers, it is unknown how widespread this knowledge is among malicious parties. There is no evidence that such attacks have been carried out on password manager users.

The researchers conclude that password managers in unlocked state should not leave passwords in memory. Only the password that is actively looked at during use should be loaded into memory. They also believe that the master password should not be present in an encrypted form.

The researchers consider it the most serious problem that the master password can be found in memory while the software is in the locked state, and they state that the makers of the password managers should address this. They also point out the dangers of keyloggers and argue that password managers should do more to detect and thwart such malicious software.
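The two recommendations above (do not keep the master password in memory after it has been used, and do not keep the derived key once the vault is locked) come down to wiping secrets as soon as they are no longer needed. The following is an added illustration written for this article, not code from any of the password managers discussed or from the researchers. The vault structure, the function names and the key derivation are constructed for the example; the "KDF" is a toy FNV-1a hash standing in for a real key-derivation function and must not be used as one.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Zero a buffer through a volatile pointer so the compiler cannot drop the
 * writes as "dead stores". On Windows the platform call is SecureZeroMemory();
 * on glibc/OpenBSD it is explicit_bzero(). This loop is the portable fallback. */
void secure_wipe(void *buf, size_t len) {
    volatile unsigned char *p = (volatile unsigned char *)buf;
    while (len--) {
        *p++ = 0;
    }
}

/* Toy stand-in for a KDF (FNV-1a), constructed for this example only. */
uint32_t toy_derive_key(const char *master, size_t len) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < len; i++) {
        h ^= (unsigned char)master[i];
        h *= 16777619u;
    }
    return h;
}

/* Hypothetical in-memory vault state: only the derived key is kept while
 * unlocked; the master password itself is never stored. */
struct vault {
    uint32_t key;
    int unlocked;
};

/* Unlock: derive the key, then wipe the caller's master-password buffer
 * immediately so it does not linger in process memory. */
void vault_unlock(struct vault *v, char *master, size_t len) {
    v->key = toy_derive_key(master, len);
    v->unlocked = 1;
    secure_wipe(master, len);
}

/* Lock: discard the derived key as well, so a locked vault leaves no secret
 * material behind for a memory scrape to pick up. */
void vault_lock(struct vault *v) {
    secure_wipe(&v->key, sizeof v->key);
    v->unlocked = 0;
}

/* Returns 1 if every byte of buf is zero, 0 otherwise. */
int is_wiped(const unsigned char *buf, size_t len) {
    unsigned char acc = 0;
    for (size_t i = 0; i < len; i++) {
        acc |= buf[i];
    }
    return acc == 0;
}

int main(void) {
    char master[] = "correct horse battery";   /* constructed sample input */
    struct vault v = {0, 0};

    vault_unlock(&v, master, strlen("correct horse battery"));
    printf("unlocked=%d master wiped=%d\n", v.unlocked,
           is_wiped((unsigned char *)master, sizeof master));

    vault_lock(&v);
    printf("unlocked=%d key wiped=%d\n", v.unlocked,
           is_wiped((unsigned char *)&v.key, sizeof v.key));
    return 0;
}
```

Wiping only helps for buffers the program controls: a managed runtime, a UI toolkit text field or a C library function may have made its own copies of the master password, which is the kind of limitation 1Password refers to below. That is why the researchers' advice is to minimise how long and where secrets exist at all, not just to overwrite one buffer.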

Update: 1Password has responded to the research on its own forum. The software maker emphasizes in the response that the vulnerabilities found are not new and are inherent in the operation of "many operating systems". In addition, 1Password stresses that attackers must already have access to a system in order to exploit the vulnerability, and that changing the way 1Password handles memory would introduce other security risks.

Animation in which a researcher demonstrates the recovery of the master password in 1Password
