Security 6 | Does the latest news about the use of your password manager scare you?

A new day, a new bug. A new day, a new vulnerability. You have probably already heard that someone found a vulnerability in the programs 1Password, LastPass, Dashlane, and KeePass. This only concerns Windows users. As a Mac user you do not have to worry about it at this moment. The researchers only looked at Windows 10. What now? What does this say about the security of the password that protects your password vault?

Not much. It seems more like a bug in Windows than a vulnerability in password managers. The researchers have discovered that it is possible to extract the master password of the password managers from the memory of a computer, even if the password manager is locked. Getting data from the memory of a computer is often cited as a vulnerability and is a problem with different Windows versions, because some data temporarily remains available in memory for reuse. The researchers state that the master password should not remain in memory, not even encrypted. If you change this, new vulnerabilities will arise and you will make the use of a password manager a lot less user-friendly.

A malicious person must have physical access to use this vulnerability

How big is the chance that a malicious person will find out the regular password of your system, then use your computer or laptop unnoticed, and then use this trick to open your password manager? We think it is rather small! Malicious people have easier ways to get the password of your password manager. Installing a keylogger can be done remotely. Of course, this does often mean that your operating system is not in order or that you visit unsafe websites.

A recording of the vulnerability

Researcher Adrian Bednarek made a recording of the vulnerability. In addition, he shows a program that he wrote. He uses it to extract the master password from a 1Password version 4 user. As you can see, the password manager is locked the moment he runs the program. (Adrian Bednarek / Independent Security Evaluators)

The American consultancy firm Independent Security Evaluators (ISE) discovered the vulnerability. In response to this discovery, KeePass and 1Password let us know that this is a known limitation of Windows 10. According to 1Password, changing the way in which the master password is handled in memory involves different security risks. According to them, this vulnerability poses an acceptable risk.

Because the chance is so small that someone with physical access to your system is going to abuse it, it seems a negligible risk to us as well, especially for the average user. You are not interesting enough to spend so much time, energy and resources on. Malicious people generally seek vulnerabilities that can be used on a large scale. They then have a much larger pool to fish in and are more likely to succeed. It is easier to find out one password of a person's online account and then use it to access the other online accounts of that user. Having one strong password for different accounts poses a much greater risk than using tens or hundreds of strong random passwords in a password manager, with a strong master password that is different from the password of your system.

We're sticking with the statement: “as far as we know, a malicious person has never gained access to a data locker from a password manager without a master password.”

Also read our article on why you should still switch to a password manager today, plus our article about choosing strong passwords. Contact us if you have questions about this vulnerability within Windows 10 or if you have doubts about your online safety. We are happy to help improve this.

A series about security

It is important to us to inform you about online security. So also read the previous article in this series, “Security 5 | Do you already use a password manager?”. A new article in this series will follow soon.
