Security researchers recently published a report suggesting that password managers are not as safe as they are believed to be. Even the most popular password managers can expose your passwords by keeping the master password in system memory, where an attacker can retrieve it. Security experts still consider password managers the best option for both enterprises and consumers, even though the vulnerabilities are real. The report was released by the security consultancy Independent Security Evaluators (ISE), which argues that password managers are still a good thing. The findings have caused a debate in the security community, but there is no need to panic or uninstall your password manager, because the researchers themselves continue to support the use of these applications.

As soon as the user enters the master password, the key is loaded into the program's memory and the vault is unlocked. The root of the problem is that some or all of the individual passwords stored in the vault are also copied temporarily into the program's memory as they are used. ISE found that the password managers fail to delete these secrets from memory completely, leaving "residual buffers" behind. An attacker can read these buffers to recover the master password or individual user passwords. By contrast, cracking that password with brute-force techniques remains computationally difficult for an attacker.

Password manager vendors need to take immediate steps to ensure that their applications effectively delete all data that could lead to a compromise while running in the background in a locked state. These security concerns should be dealt with promptly so that the flaws are reduced. Until the bugs are fixed, ISE suggests not keeping a password manager app running in the background, even in a locked state. If your password manager is affected, stop using it: end the process completely and promptly. Also install a good antivirus on your computer.
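To make the "residual buffer" failure and the locked-state cleanup concrete, here is an added C example (not code from ISE or from any password manager) of the scrubbing a vault should do when it is locked: memset called through a volatile function pointer so the compiler cannot optimise the wipe away, applied to both the derived key and the working buffer that held an entry in use. The vault structure, the KDF stand-in and the function names are hypothetical.

```c
#include <stddef.h>
#include <string.h>

#define KEY_LEN 32
#define PW_MAX  64

/* Zero memory in a way the compiler must not optimise away: calling
 * memset() through a volatile function pointer defeats the dead-store
 * elimination that otherwise leaves "residual buffers" of secrets in
 * process memory. Platform alternatives: explicit_bzero (glibc/BSD),
 * memset_s (C11 Annex K), SecureZeroMemory (Windows). */
static void *(*const volatile force_memset)(void *, int, size_t) = memset;
static void secure_memzero(void *p, size_t n) { force_memset(p, 0, n); }

/* Hypothetical vault state: the derived key plus a working buffer that
 * holds one entry while it is in use (e.g. being copied to the clipboard). */
struct vault {
    unsigned char key[KEY_LEN];
    char work[PW_MAX];
    int unlocked;
};

/* Stand-in for a real KDF (PBKDF2/Argon2): folds the passphrase into the key.
 * Not secure; it exists only so the example runs offline. */
void vault_unlock(struct vault *v, const char *master) {
    memset(v->key, 0, KEY_LEN);
    for (size_t i = 0; master[i]; i++)
        v->key[i % KEY_LEN] ^= (unsigned char)master[i] + (unsigned char)i;
    v->unlocked = 1;
}

/* Copy an entry into the working buffer, as a manager does while it is used. */
void vault_use_entry(struct vault *v, const char *secret) {
    strncpy(v->work, secret, PW_MAX - 1);
    v->work[PW_MAX - 1] = '\0';
}

/* Lock: scrub every buffer that can hold a secret, not just the key. */
void vault_lock(struct vault *v) {
    secure_memzero(v->key, KEY_LEN);
    secure_memzero(v->work, PW_MAX);
    v->unlocked = 0;
}

/* Count bytes that still hold secret material; must be 0 after lock. */
size_t vault_residual_bytes(const struct vault *v) {
    size_t n = 0;
    for (size_t i = 0; i < KEY_LEN; i++) n += v->key[i] != 0;
    for (size_t i = 0; i < PW_MAX; i++) n += v->work[i] != 0;
    return n;
}
```

A plain `memset` before `free` or before locking is what many libraries used to do, and it is exactly the call an optimising compiler is allowed to drop.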

Memory scraping attacks are the biggest concern, since malware or an attacker who can read the contents of RAM can find the secrets there. Still, the attacker would need access to the local computer to carry out such an attack. An attacker holding the master password would not be as bad an outcome as an attacker holding the passwords for the accounts that the password manager protects. An attacker can also use keylogging to obtain these passwords, which is why even the ISE researchers admit that password managers offer very little protection to victims of keylogging or clipboard-sniffing malware.

Experts Say Keep Using Password Managers Despite The Vulnerability
Weak passwords and reusing the same password for multiple accounts result in a huge number of account compromises. Keep unique, different passwords for each of your online accounts; a password management application is the most practical way to do this. Any data can be taken from the memory of a system once malware is running on it, and an attacker can also run a keylogger to capture passwords without any special knowledge. The advantages of using a password manager far outweigh the risks involved.

Conclusion:

Security experts believe that the false ideal of eliminating risk is one of the main issues facing information security. Risks cannot be eliminated, only mitigated as far as possible. There is no need to react instantly as far as the security of password managers is concerned: understand the risk and make an informed decision. There are ways to reduce the risk of abuse. Use a strong passphrase as the master password. Don't rely on a single key; use two- or even three-factor authentication (a password, a passcode, and a fingerprint, iris or face scan, etc.). Refrain from using any device that you do not trust.