Big security flaws found in popular password managers

Bradley Prior

MyBroadband Journalist
Staff member
Super Moderator
Joined
Oct 16, 2018
Messages
5,013
Reaction score
1,581
Big security flaws found in popular password managers

A report by the Independent Security Evaluators (ISE) shows that many popular password managers store their master passwords in plain text, potentially exposing users’ data to hackers.

The ISE tested 1Password, Dashlane, KeePass, and LastPass on Windows, and found that all of these apps “fail in implementing proper secrets sanitisation”.
 
What a load of crap.


"In its findings, the ISE said if these password managers are running on your computer, hackers can look in your PC’s memory to access your login details for the app.

Until the flaws are fixed, the ISE recommends that users don’t leave their password manager apps running in the background – and rather open and close the apps each time they are used.

The ISE said that when it comes to protecting yourself against hackers, there is no better alternative to typing out your password in a document."
 
Still battling to find one app that I am happy with.
The problem with most of these apps is also how intrusive they are.
 
Glad I've never used them.
 
The point of password managers isn't to be hyper secure - it's to ensure you have unique passwords for every login. That is the single best defence against all the leaks and hacks constantly happening.

Also, if you use a YubiKey 4 or 5 as 2FA with every important service, incl. your password manager, then good luck to any hacker.

Have you tried Bitwarden?

Im using it at the moment, and I like it because its not intrusive.

+1 for Bitwarden. Had been using LastPass for years and tried out Bitwarden based on a suggestion here, and haven't looked back. In some respects it's less polished, but the usability is superior imo and Premium is more reasonably priced.
 
What a load of crap.


"In its findings, the ISE said if these password managers are running on your computer, hackers can look in your PC’s memory to access your login details for the app.

Until the flaws are fixed, the ISE recommends that users don’t leave their password manager apps running in the background – and rather open and close the apps each time they are used.

The ISE said that when it comes to protecting yourself against hackers, there is no better alternative to typing out your password in a document."

Wonder if they meant to say "this is no better alternative".

Still bollocks, but would lean a little less to the retarded side.
 
What a load of crap.


"In its findings, the ISE said if these password managers are running on your computer, hackers can look in your PC’s memory to access your login details for the app.

Until the flaws are fixed, the ISE recommends that users don’t leave their password manager apps running in the background – and rather open and close the apps each time they are used.

The ISE said that when it comes to protecting yourself against hackers, there is no better alternative to typing out your password in a document."
If hackers have compromised your PC and have full control of your PC so as to be able to examine memory, they they can install a key logger and capture your keystrokes.

If hackers have compromised your PC - your probably in trouble.
 
I use 1Password, always have.

Also, password managers, although imploring their own internal security of their DB, do also assume you're PC is somehow protected against keyloggers and a plethora of backdoors...
 
If hackers have compromised your PC and have full control of your PC so as to be able to examine memory, they they can install a key logger and capture your keystrokes.

If hackers have compromised your PC - your probably in trouble.
You don't need a fully compromised PC. An exploit could examine the memory and send the results home. Installing a key logger would be more difficult.
 
You don't need a fully compromised PC. An exploit could examine the memory and send the results home. Installing a key logger would be more difficult.
If an exploit...
An exploit could allow anything.
 
If an exploit...
An exploit could allow anything.
No it depends. A browser exploit for instance could allow leaking data but not allow installing a key logger so all your non browsing data would still be safe.
 
You seem to think that browser exploits only allow leaking memory contents.

Here is are exploits that allows full control of a machine via a browser:
https://www.cvedetails.com/cve/CVE-2018-8464/
https://www.cvedetails.com/cve/CVE-2018-1004/
https://en.wikipedia.org/wiki/JailbreakMe
I dont trust a browser at all. I assume that if an APT focuses on you, they can get in via your browser. Its not just these known exploits, its their huge selection of private exploits as well. I dont even know how to browse securely. Beyond something like Qubes.

Im thinking its time to get a hardware key.
 
I don't trust online password managers and I don't think anyone should use such a service. Your password security is at the mercy of said online service's developer, sys admin and data center. If any of these are compromised, you probably won't know about it and someone has all your passwords.
 
Top
Sign up to the MyBroadband newsletter
X