A new day, a new bug. A new day, a new vulnerability. You have probably already heard that someone found a vulnerability in the programs 1Password, LastPass, Dashlane, and KeePass. This only concerns Windows users. As a Mac user you do not have to worry about it at this moment. The researchers only looked at Windows 10. What now? What does this say about the security of the password managers' master password?
Not much. It seems more like a bug in Windows than a vulnerability in password managers. The researchers have discovered that it is possible to extract the master password of the password managers from the memory of a computer, even if the password manager is locked. Reading data from a computer's memory has been cited as a vulnerability before, and it is a problem in several Windows versions because some data temporarily remains available in memory for reuse.
The researchers state that the master password should not remain in memory, not even encrypted. If you change this, new vulnerabilities will arise and you will make the use of a password manager a lot less user-friendly.
A malicious person must have physical access to use this vulnerability
How big is the chance that a malicious person will find out the regular password of your system, then use your computer or laptop unnoticed, and then use this trick to open your password manager? We think it's rather small!
Malicious people have easier ways to get the password of your password manager. Installing a keylogger can be done remotely. Of course, this usually means that your operating system is not in order or that you visit unsafe websites.
A recording of the vulnerability
Researcher Adrian Bednarek made a recording of the vulnerability. In addition, he shows a program that he wrote. He uses it to extract the master password from a 1Password version 4 user. As you can see, the password manager is locked the moment he runs the program.
(Adrian Bednarek / Independent Security Evaluators)
The American consultancy firm Independent Security Evaluators (ISE) has discovered the vulnerability. In a response to this discovery, KeePass and 1Password let us know that this is a known limitation of Windows 10. According to 1Password, changing the way in which the memory deals with the master password involves different security risks. According to them, this vulnerability poses an acceptable risk.
Because the chance that someone with physical access to your system is going to abuse it is so small, it seems a negligible risk to us as well, especially for the average user. You are not interesting enough to spend so much time, energy and resources on. Malicious people generally seek vulnerabilities that can be used on a large scale. They then have a much larger pool to fish in and are more likely to succeed.
It's easier to find out one password from a person's online account and then use it to access the user's other online accounts.
Having one strong password for different accounts poses a much greater risk than the use of tens or hundreds of strong random passwords in a password manager, with a strong master password that is different from the password of your system.
We're sticking with the statement: "as far as we know, a malicious person has never gained access to a data locker from a password manager without a master password."
Also read our article on why you should still switch to a password manager today, plus our article about choosing strong passwords.
Contact us if you have questions about this vulnerability within Windows 10 or if you have doubts about your online safety. We are happy to help improve it.
A series about security
It is important to us to inform you about online security. So also read the previous article in this series, "Security 5 | Do you already use a password manager?". Soon you will be able to read a new article in this series.