
A new day, a new bug. A new day, a new vulnerability. You have probably already heard that someone found a vulnerability in the programs 1Password, LastPass, Dashlane, and KeePass. This only concerns Windows users. As a Mac user you do not have to worry about it at this moment: the researchers only looked at Windows 10. What now? What does this say about the security of the password that protects your password vault?
Not much. It seems more like a bug in Windows than a vulnerability in the password managers. The researchers discovered that it is possible to extract a password manager's master password from the computer's memory, even if the password manager is locked. Reading data from a computer's memory is cited as a vulnerability more often, and it is a problem with different Windows versions because some data temporarily remains available in memory for reuse. The researchers state that the master password should not remain in memory, not even encrypted. If you change this, new vulnerabilities will arise and you will make using a password manager a lot less user-friendly.
A malicious person must have physical access to use this vulnerability
How big is the chance that a malicious person will find out the regular password for your system, then use your computer or laptop unnoticed, and use this trick to open your password manager? We think it is rather small! Malicious people have easier ways to get the password of your password manager. A keylogger can be installed remotely. Of course, that does mean that your operating system is often not in order or that you visit unsafe websites.
A recording of the vulnerability
Researcher Adrian Bednarek made a recording of the vulnerability. In addition, he shows a program that he wrote. He uses it to extract the master password from a 1Password version 4 user. As you can see, the password manager is locked the moment he runs the program. (Adrian Bednarek / Independent Security Evaluators)
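What "locked, but the master password is still in memory" looks like at code level, as an added example that is not taken from the researchers or from any of the password managers named above. The vault structure, the function names and the sample password are hypothetical and constructed for illustration: a weak lock that only changes state next to a lock that wipes the secret first, plus a self-check a developer can run after locking.

```c
#include <string.h>
#define PW_MAX 64

/* Hypothetical, simplified vault state (illustrative names only). */
struct vault {
    char master[PW_MAX]; /* master password kept while unlocked */
    int unlocked;
};

/* Volatile writes keep the compiler from dropping the wipe as a dead store. */
static void secure_wipe(void *p, size_t n) {
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}

void vault_unlock(struct vault *v, const char *pw) {
    strncpy(v->master, pw, PW_MAX - 1);
    v->master[PW_MAX - 1] = '\0';
    v->unlocked = 1;
}

/* Weak: only flips the state flag; the password bytes stay in memory. */
void vault_lock_weak(struct vault *v) { v->unlocked = 0; }

/* Hardened: scrub the secret before reporting "locked". */
void vault_lock_wiped(struct vault *v) {
    secure_wipe(v->master, sizeof v->master);
    v->unlocked = 0;
}

/* Regression check: returns 1 if `secret` still occurs in the buffer. */
int residue_present(const void *mem, size_t len, const char *secret) {
    size_t n = strlen(secret);
    const unsigned char *m = (const unsigned char *)mem;
    for (size_t i = 0; n && i + n <= len; i++)
        if (memcmp(m + i, secret, n) == 0) return 1;
    return 0;
}

/* Unlock with a constructed sample password, lock, then self-check. */
int residue_after_lock(int wiped) {
    const char *pw = "constructed-sample-pw";
    struct vault v;
    memset(&v, 0, sizeof v);
    vault_unlock(&v, pw);
    if (wiped) vault_lock_wiped(&v); else vault_lock_weak(&v);
    return residue_present(&v, sizeof v, pw);
}

int main(void) { return !(residue_after_lock(0) == 1 && residue_after_lock(1) == 0); }
```

In a real application the wipe has to reach every copy of the secret, including buffers owned by input fields and strings managed by the runtime, which is a large part of why this is hard to get right.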
We’re sticking with the statement: “as far as we know, a malicious person has never gained access to a data locker from a password manager without a master password.”
Also read our article on why you should still switch to a password manager today, plus our article about choosing strong passwords. Contact us if you have questions about this vulnerability within Windows 10 or if you have doubts about your online safety. We are happy to help improve it.
Your online concept starts at Snoober Media
A series about security
It is important to us to inform you about online security. So also read the previous article in this series, “Security 5 | Do you already use a password manager?”. A new article in this series will follow soon.