Password Manager study highlights potential leak issues
What happens when you analyze how popular password managers protect sensitive information such as the master password or stored passwords? That is what Independent Security Evaluators set out to find out in their analysis of five popular password managers running on Microsoft's Windows 10 platform.
The paper Password Managers: Under the Hood of Secrets Management looked at how the password managers 1Password, Dashlane, KeePass and LastPass handle secrets, and whether it is possible to retrieve sensitive information from them.
The researchers analyzed the three states "not running", "unlocked" and "locked". Their main conclusion was that all password managers protected data adequately in the not running state.
Not running refers specifically to a session in which the installed password manager was either not launched at all or was terminated by the user after launch.
Locked state describes a state in which the master password has not been entered yet, or in which the password manager was locked by the user or locked automatically.
The researchers discovered that all password managers leaked data in the unlocked and locked states under certain circumstances: 1Password and LastPass leaked the master password in both the unlocked and the locked state, Dashlane leaked all stored records, and KeePass leaked passwords and other sensitive information that the user had interacted with.
The researchers noted that all password managers were susceptible to keylogging or clipboard sniffing attacks.
How severe are the issues?
The discovered issues sound very severe at first glance. The leaking of sensitive data is certainly an issue, and some of the companies could do better in that regard.
The good news is that the attacks require local access or access to an already compromised system. An attacker would additionally have to target the issue specifically, which would only make sense for targeted attacks or if password manager usage increases to a point where exploiting the issue becomes lucrative.
In the case of KeePass, the user would have to have interacted with password entries for them to be exposed in system memory.
The author of KeePass noted some time ago that the Windows operating system may create copies of data in memory that KeePass has no control over:
Windows and .NET may make copies of the data (in the process memory) that cannot be erased by KeePass.
KeePass users can furthermore protect their data against these attacks by changing the application's preferences:
- Go to Tools > Options > Security.
- Check "Lock workspace after KeePass inactivity" and set it to the desired period, e.g. 300 seconds.
- Check "Lock workspace after global user inactivity (seconds)" and set it to the desired period, e.g. 300 seconds.
- Make sure "Clipboard auto-clear time (seconds, main entry list)" is checked.
- Check the "Always exit instead of locking the workspace" option. The option terminates KeePass instead of locking it.
These settings close KeePass automatically on inactivity and protect the data from unauthorized memory snooping. The downside is that you need to restart the program the next time you require it.
Check out my guide on improving KeePass security here.
KeePass users could also consider running KeePass in a sandbox, e.g. using Sandboxie, or in a virtual environment.
I don't use the other password managers and cannot say whether they offer similar functionality.
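As an added example (not from the article or the KeePass project), the following Python script audits a KeePass 2.x KeePass.config.xml for the settings listed above, plus the secure-desktop option a commenter recommends further down. The element names are my assumption from KeePass's configuration schema and should be confirmed against your own config file; the sample config is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample KeePass.config.xml with the recommended settings NOT applied.
SAMPLE_CONFIG = """<Configuration>
  <Security>
    <WorkspaceLocking>
      <LockAfterTime>0</LockAfterTime>
      <LockAfterGlobalTime>0</LockAfterGlobalTime>
      <AlwaysExitInsteadOfLocking>false</AlwaysExitInsteadOfLocking>
    </WorkspaceLocking>
    <ClipboardClearAfterSeconds>-1</ClipboardClearAfterSeconds>
    <MasterKeyOnSecureDesktop>false</MasterKeyOnSecureDesktop>
  </Security>
</Configuration>
"""

def positive(v: str) -> bool: return int(v) > 0        # seconds; 0 or less disables
def is_true(v: str) -> bool: return v.lower() == "true"

# (element path, predicate on its text, finding) -- element names are assumed
# from KeePass's config schema; confirm them against your own config file.
CHECKS = [
    ("Security/WorkspaceLocking/LockAfterTime", positive,
     "lock after KeePass inactivity is off"),
    ("Security/WorkspaceLocking/LockAfterGlobalTime", positive,
     "lock after global user inactivity is off"),
    ("Security/ClipboardClearAfterSeconds", positive,
     "clipboard auto-clear is off"),
    ("Security/WorkspaceLocking/AlwaysExitInsteadOfLocking", is_true,
     "KeePass locks instead of exiting, so unlocked data stays in memory"),
    ("Security/MasterKeyOnSecureDesktop", is_true,
     "master key is not entered on the secure desktop (keylogger exposure)"),
]

def audit_keepass_config(xml_text: str) -> list[str]:
    """Return one finding per recommended setting that is absent or weak."""
    root = ET.fromstring(xml_text)
    findings = []
    for path, ok, finding in CHECKS:
        node = root.find(path)
        # An absent element was never saved explicitly: report it so the user
        # confirms the setting in Tools > Options > Security.
        value = (node.text or "").strip() if node is not None else ""
        try:
            if value and ok(value):
                continue
        except ValueError:
            pass  # unparsable value: treat as not configured
        findings.append(f"{path}: {finding}")
    return findings
```

Run it against `%APPDATA%\KeePass\KeePass.config.xml` (or the portable install's config) to get a list of the article's recommendations that are still unset.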
Now You: Which password manager do you use?
Also, to avoid keylogging of the master password, the option “Enter master key on secure desktop” should be selected.
Great tip, did not know about this option!
Another potential mitigation is to use something like Empty Standby List by wj32 and create a task manager entry which would empty the standby memory list every X minutes.
Sadly Windows (especially Windows 10) keeps way too much data in the standby list by default, to the point where it causes stuttering in games like Battlefield 1 and 5 and jitter in rendering applications like AVS Video Editor.
Regarding KeePass: the analysis does not mention anything about using the “key file” option (instead of the “master password”).
I do not use KeePass with a master password, but with a “key file” which I keep on a USB drive.
It’s easier as I do not have to type the master password every time. Also, if you are concerned about people hacking your machine, just take the USB key with you when you leave the PC.
If you’re paranoid, then use both options: master password + key file.
At least, from my point of view, only the god mode (implemented lately by Intel/AMD in their processors) or an exceptionally good hacker can surpass this protection.
The key file is also a master password, but it is far bigger, more random and more secure than without a key file.
I think the master password in the paper (if they referred to it) refers to the whole master password that is used to encrypt/decrypt the database; it is both the key file and the master password + others, hashed several times (based on your settings).
I like Password Store. Free, local, encrypted, version controlled, command-line interface… absolutely beautiful. :)
It’s critical how these findings are communicated. So for KeePass it is possible, in some cases, that malware can find parts of data in memory that have been interacted with – but at this point it would be much easier to run a keylogger, so the conclusion can’t be to not use KeePass because of this, but to be aware of the limitations (the same goes for Android, where it’s much more secure to use a special keyboard or the new autofill API instead of copy and paste, where every app can read the clipboard).
I agree. As others have mentioned, KeePass supports options to render most (all) keyloggers ineffective.
You can do the same with regard to keyloggers in LastPass by using the virtual desktop located in the password field. Once it shows on your desktop, after clicking on it, you will have to use your mouse to enter your username (email address) & master password.
“by using the virtual desktop located in the password field.” should read instead:
“by using the virtual keyboard located in the password field”.
Really sorry for the typo.
So, keyloggers are still a thing? And how would a keylogger ever manage to enter your system? Shouldn’t security (=antivirus) software block it? Oh wait… many security “experts” now say that antivirus software is redundant and you are much better off without one… or just use Windows Defender (in which case.. good luck to you).
Does using a tool like the YubiKey mitigate some of these issues?
What about Bitwarden? It's #1 on https://www.privacytools.io/