Even though security experts refrain from using password managers, a new report from Independent Security Evaluators (ISE) has found that several of the most popular applications have fundamental flaws that expose data, making them no more secure than saving passwords in a plain text file.
The new report, titled "Under the Hood of Secrets Management," revealed serious weaknesses in the top password managers: 1Password, Dashlane, KeePass, and LastPass. ISE researchers said they examined the underlying functionality of these products on Windows 10 to understand how users' secrets are stored even when the password manager is locked. The report indicates that more than 60 million individuals and 93,000 companies worldwide trust password managers.
"One hundred percent of the products ISE analyzed did not provide the security to safeguard users' passwords as advertised," said Stephen Bono, CEO. "Although password managers provide some utility for storing login/passwords and limit password reuse, these apps are a vulnerable target for mass collection of this data through malicious hacking campaigns."
One of the report's main findings was that, in certain cases, the master password resided in the computer's memory in a readable plain-text format, which the report claims is no more secure than storing it in a document or on the desktop as far as an adversary is concerned. Users believe the information is secure when the password manager is locked, the researchers argue. However, once the master password is available to the attacker, they can decrypt the password manager database, including stored secrets, usernames, and passwords. ISE demonstrated that it is possible to extract master passwords and other login credentials from memory while the password manager is locked.
Using a proprietary reverse-engineering tool, ISE analysts said, they could quickly assess how the password managers handle secrets in their locked state. ISE found that standard memory forensics can be used to extract the master password and the secrets it is supposed to hold.
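The finding above, that a secret can stay readable in process memory after the application reports itself locked, shown as an added C example (not ISE's tooling and not any vendor's code). The `vault` struct, the function names and the canary string are hypothetical and constructed for illustration; the program only inspects its own buffer.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical vault state; all names here are illustrative. */
struct vault { char master[64]; int locked; };

/* Wipe through a volatile pointer so the stores are not optimized away. */
static void secure_wipe(void *p, size_t n) {
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

void vault_unlock(struct vault *v, const char *pw) {
    strncpy(v->master, pw, sizeof v->master - 1);
    v->master[sizeof v->master - 1] = '\0';
    v->locked = 0;
}
/* Weak lock: flips the state flag but leaves the secret in memory. */
void vault_lock_weak(struct vault *v) { v->locked = 1; }
/* Hardened lock: scrubs the secret before reporting "locked". */
void vault_lock_scrubbed(struct vault *v) {
    secure_wipe(v->master, sizeof v->master);
    v->locked = 1;
}

/* Self-check: does a known canary still appear in our own buffer? */
int region_contains(const void *buf, size_t len, const char *needle) {
    const unsigned char *b = buf;
    size_t n = strlen(needle);
    if (n == 0 || n > len) return 0;
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(b + i, needle, n) == 0) return 1;
    return 0;
}

/* Returns 1 if the canary survives the given lock routine, else 0. */
int canary_survives_lock(void (*lock_fn)(struct vault *)) {
    static const char canary[] = "CANARY-constructed-pw"; /* constructed */
    struct vault v;
    memset(&v, 0, sizeof v);
    vault_unlock(&v, canary);
    lock_fn(&v);
    return region_contains(&v, sizeof v, canary);
}

int main(void) {
    printf("weak=%d scrubbed=%d\n", canary_survives_lock(vault_lock_weak),
           canary_survives_lock(vault_lock_scrubbed));
    return 0;
}
```

A canary test of this kind can run in a product's regression suite so that a lock path that stops scrubbing is caught before release.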
"Given the huge user base of people already using password managers, these vulnerabilities will prompt hackers to identify and steal data from these computers through malware attacks," said Adrian Bednarek, principal investigator at ISE. "Once they have your master password, the game is over."
"People believe that using password managers makes their data safer and more secure on their computer," said Ted Harrington, executive partner at ISE. "Our research provides a public service to the providers of these widely adopted products who must now mitigate attacks based on discovered security issues, as well as alert consumers who have a false sense of security about their effectiveness."
The report recommends that, to keep secrets more secure until vendors troubleshoot the issues, users of the affected password managers should not leave the password manager running in the background, even in a locked state, and should end the process entirely.
The report, ISE said, is part of its ongoing research initiative to protect consumers and businesses and inform manufacturers about vulnerabilities that could expose their customers to risks. All vulnerabilities and relevant research findings have been responsibly disclosed to manufacturers, the company said.
Source: TechCentral.


