Top password manager apps are leaving your secrets fully exposed – study

Security conscious tech enthusiasts will tell you a password manager is the best way to safeguard your account details in one place, while ensuring you aren’t tempted to commit the cardinal sin of reusing passwords.

However, new research published by the Washington Post has claimed five of the most popular password management services have serious security flaws. The study from the ethical hackers Independent Security Evaluators asserts that a number of the top apps are vulnerable to ‘targeted malware attacks’.

According to the ISE report, the Windows 10 apps 1Password, Dashlane, KeePass, LastPass and RoboForm often left passwords exposed within the computer’s memory, while apps were in ‘locked’ mode.

As a result, hackers who gain access to a PC would essentially be able to access these passwords in plain text, according to the study. Worse still, the 1Password, LastPass and Roboform served up the master passwords to the account.

Lead researcher Adrian Bednarek summed it up as such: “The ‘lock’ button on password managers is broken — some more severely than others.”

In the abstract, the researchers wrote: “We anticipated that password managers would employ basic security best practices, such as scrubbing secrets from memory when they are not in use and sanitisation of memory once a password manager was logged out and placed into a locked state. However, we found that in all password managers we examined, trivial secrets extraction was possible from a locked password manager, including the master password in some cases, exposing up to 60 million users that use the password managers in this study to secrets retrieval from an assumed secure locked state.”

The researchers concluded that web and app users are still better off using password management apps than not, even the ones affected by the security flaws. However, the researchers call on the industry as a whole to up their game to stop users becoming low-hanging fruit for hackers.

They add: “If password managers fail to sanitise secrets in a locked running state then this will be the low-hanging fruit, that provides the path of least resistance, to successful compromise of a password manager running on a user’s workstation.”

If we can’t trust password management apps to safeguard our account details, can we trust anyone? Share your thoughts @TrustedReviews on Twitter.

Unlike other sites, we thoroughly review everything we recommend, using industry standard tests to evaluate products. We’ll always tell you what we find. We may get a commission if you buy via our price links. Tell us what you think – email the Editor