Severe Vulnerabilities Uncovered In Popular Password Managers

chiefcrash shares a report from ZDNet: Independent Security Evaluators (ISE) published an assessment on Tuesday with the results of testing with several popular password managers, including LastPass and KeePass. The team said that each password management solution "failed to provide the security to safeguard a user's passwords as advertised" and "fundamental flaws" were found that "exposed the data they are designed to protect."

The vulnerabilities were found in software operating on Windows 10 systems. In one example, the master password which users need to use to access their cache of credentials was stored in PC RAM in a plaintext, readable format. ISE was able to extract these passwords and other login credentials from memory while the password manager in question was locked. It may be possible that malicious programs downloaded to the same machine by threat actors could do the same. The report has summarized the main findings based on each password management solution. Here's what ISE had to say about LastPass and KeePass -- two of the most popular password managers available:

"LastPass obfuscates the master password while users are typing in the entry, and when the password manager enters an unlocked state, database entries are only decrypted into memory when there is user interaction. However, ISE reported that these entries persist in memory after the software enters a locked state. It was also possible for the researchers to extract the master password and interacted-with password entries due to a memory leak."

"KeePass scrubs the master password from memory and is not recoverable. However, errors in workflows permitted the researchers from extracting credential entries which have been interacted with. In the case of Windows APIs, sometimes, various memory buffers which contain decrypted entries may not be scrubbed correctly."

I enjoy memorizing passwords.

[Anonymous Coward]

Fuck lazy horse batteries.

2 Factor vaults

[JaredOfEuropa]

Are there any decent USB stick based password vaults? Something that stores credentials internally and manages decryption after entering the master password. You’d still need to take care that the master password or decrypted credentials don’t linger in memory, but I’d feel better having the master data offline instead of having everything floating around in the cloud.

Even better would be an unlock pin (or fingerprint) to be entered on the USB stick itself.

Re:2 Factor vaults

[grep -v '.*' *]

Are there any decent USB stick based password vaults? Even better would be an unlock pin (or fingerprint) to be entered on the USB stick itself.

Great! Then all I'd need is your USB password stick and your finger. The rest of you and your computer can stay behind. I'd rather have the XKCD wrench, thank you.

Re:

[DethLok]

Needs a mod for "terrifying"...

Re:

[Anonymous Coward]

Neither of those solutions are air gapped.

That is the problem with software based password managers. If you use them on a compromised system you give up all your passwords.

There aren't many clever solutions out there that is better than post-it next to the computer.
If you want to get fancy you can have a notebook with your passwords written in an obfuscated form without complete information to what they are for.

Re:2 Factor vaults

[plazman30]

I was thinking the same thing. You have hardware level access to a PC to the point where you can read RAM in order to get someone's master password from their password manager? Why would you bother? Just install a keylogger instead and you can have all sorts of fun.

Re:

[Anubis IV]

To be fair, there may be forensic value in what they’re doing, such as if the PC has been confiscated as evidence and the user won’t be returning to unlock it anytime soon. Being able to unlock the vault without the need for a keylogger could be a major victory in that situation.

Re:

[Anubis IV]

The problem with your theory is that you need the user to unlock the keyvault.

While that's true for the sort of malware described in the summary, that's hardly the only way to approach the issue. After all, if the problem is that confidential data is being persisted in memory when it shouldn'tbe, there's nothing stopping a forensic investigator from dumping the contents of memory after the fact to exploit these weaknesses, hence my suggestion.

But I do agree that if you're installing malware on their system and expect them to use it again after you do, you'd be better off with a keylo

Re:

[93 Escort Wagon]

I was thinking the same thing. You have hardware level access to a PC to the point where you can read RAM in order to get someone's master password from their password manager? Why would you bother? Just install a keylogger instead and you can have all sorts of fun.

I recall that, a few years ago, the encrypted OS X keychain was shown to have similar vulnerabilities as are being described here. Mac users who said more or less the same thing you did now were not always treated kindly on this forum.

To be fair, there are probably cases where this sort of vulnerability might turn out to be useful - nation-state level espionage for instance. Most of us probably don’t live or work in that realm, though.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[JaredOfEuropa]

They can't get the code if you enter it on the USB device itself. But even if the PIN is entered in the browser plugin for the device, you'd still want a physical button on the stick for each password retrieval. In that case, even if they manage to get your PIN and compromise the browser plugin so they can issue password retrieval requests remotely, they still won't be able to push that button and approve such requests. They get a couple of passwords at best, not the whole file and the master key.

Re:

[ilsaloving]

Having it stored on USB wouldn't solve anything because the problems described in the article refer to passwords sitting in plain text in memory while the password manager process is running.

Running a password manager from a USB key wouldn't solve that. At least, not directly. Quitting the application and giving the OS time to overwrite the used memory with new data would be a workaround to the problem regardless of where your vault is physically stored.

The only way to mitigate the problem completely is t

Re:

[TVmisGuided]

KeePass on a USB stick, in conjunction with a YubiKey and HOTP configuration, gives you two of the three security factors in just two USB slots. An attacker would need the master password AND both devices to gain access to your password database, and they'd have to know how you have your YubiKey configured to generate HOTPs. A preset number of failed YubiKey triggering attempts, and the database is locked. And good luck guessing the hash that generates the HOTPs. Doubly so since YubiKey configurations can't

Re:

[ctilsie242]

IronKeys used to have this feature, but not sure what has happened to them since they were bought out, or which models still have this around.

Re:

[pnutjam]

This is exactly what Keepass is designed to support. There is a portable version you can keep on your usb stick.

'severe'

[Njovich]

So security researchers are scraping the bottom of the barrel to such an extent that having access to program data when you have total control over a computers memory is a severe vulnerability now?

Re:'severe'

[OffTheLip]

Users of this "vulnerability" are most likely state actors/law enforcement agencies, and 3 letter organizations. They have your computer, they need your password protected data.

Re:'severe'

[AmiMoJo]

Keepass is basically as good as it can ever possibly be. The "vulnerability" they found relates to the fact that when it displays entries on screen Windows will make copies of some of the data to create the GUI, and there is no effective way to scrub that.

Which is basically irrelevant because 99% of the time the user is going to use that information on the same machine anyway, i.e. they will copy/paste it into a browser or encryption app. So the attacker needs to have control of the machine in order to read process memory, and even if somehow Keepass blocked them they could likely just recover it from keystrokes, the clipboard or the app it's being used it.

The main risk is that the app crashes and the secret data can be recovered from the crash dump, but Keepass prevents that happening. Unfortunately they don't seem to have tested that attack.

Re:

[drinkypoo]

That was a cool comment until the part where you hit submit before telling us which one it is.

Re:

[Anonymous Coward]

Keepass has the feature he mentioned, called auto-type. You can initiate it either from KeePass, where it will minimize the keepass window and start typing in whatever window was underneath, or you can configure a global hotkey, which will make keepass run a search based on window title for the relevant password entry.

Re:

[sexconker]

KeePass also has a feature that obfuscates autotyping. TCATO I believe, for two-channel auto type obfuscation.
It just doesn't type your password, it types characters, moves the cursor around, types others, pastes certain bits, etc.

It'll fool the common sniffer software, but anyone with a full dump (including what was copied and pasted pasted - most software keyloggers don't do that, and in-line hardware keyloggers can't do that) can of course replay it to get the password.

Re:

[l0n3s0m3phr34k]

Yes, this is NOT a real vulnerability. Neither CVE or NIST shows anything for Keepass 2.41; until something shows up here it's "unsubstantiated" aka like a "unpublished peer review".

Other ways to display data

[Comboman]

Keepass is basically as good as it can ever possibly be. The "vulnerability" they found relates to the fact that when it displays entries on screen Windows will make copies of some of the data to create the GUI, and there is no effective way to scrub that.

Are you kidding? That's easy, don't use system fonts to display the password on-screen. It takes a bit of effort to create letters from graphic elements like lines and semi-circles but it's much safer (/-\ = A, etc). You could even randomize the angles

Re:Other ways to display data

[drakaan]

Well, yes, but since you're most likely going to be doing a copy/paste out of the field with the password in it, that vulnerability is going to be eclipsed by the vulnerability of being able to grab what's in the clipboard. KeePass already doesn't show you the password by default when you open an entry. You have to click the little "show password" button. They could have easily made the password display as a bitmap image instead of text, but I'm assuming they didn't for the same reason I just mentioned. I mean, you can make it not ever display text, but instead read the password aloud, but each of the mitigations mentioned are just going to make people not use that password manager because it becomes inconvenient. Ultimately, if you don't just have all of your passwords memorized, you are vulnerable to some sort of attack that doesn't involve the wrench technique.

Re:

[93 Escort Wagon]

Well, yes, but since you're most likely going to be doing a copy/paste out of the field with the password in it, that vulnerability is going to be eclipsed by the vulnerability of being able to grab what's in the clipboard.

By default, the Mac port “MacPass” removes a copied password from memory after a length of time (either 15 or 30 seconds, I believe). I assume they adopted this behavior from KeePass proper, but don’t know that first hand.

Re:

[sexconker]

And the chunk of memory showing how to draw those things will possibly be copied out by Windows.

The OS has full control over memory. KeePass cannot fix this. There is nothing to fix. If your box is pwned you lose regardless.

Re:

[GrandCow]

The weak link is always the human.

If you're determined enough as a 3-letter agency to get in, then you can also disappear the person. Beat them enough and they'll give up the password. That beating can be either physically beating, or mental by doing things to family, friends, bank accounts, etc.

Re:

[Cmdln Daco]

Translation: None of us should fret about this hyped up topic. Unless we are actors on the level where a government agency is going to come after us.

And no, few if any people on Slashdot meet that criterion. No matter how much we herp and derp about it.

even Q-class answer to an ROI

[epine]

If you're determined enough as a 3-letter agency to get in, then you can also disappear the person.

Yes, of course. The good, old TLA infinite-budget porn.

Your position in the security food chain determines how much they are willing to spend. Even well-healed Q-class spooks answer to an ROI at scale.

Of course, part of the signal about your rung on the security food chain is determined by how effectively you armour yourself with effective prophylaxis.

This is why security culture can only work as a public good

Re:

[Jeppe Salvesen]

Or whoever established a foothold on a computer and is looking to expand their territory. Let's say they got something running from a drive-by infection. They can now proceed to access social media, buy stuff with the owner's money using amazon 1-click and so forth. Maybe even find the owner's actual comments on Pornhub in order to make the extortion mails more believable. Industrial espionage. Basically, these vulnerabilities can result in monetary gain for the attacker so it'll attract some proper talent.

Re:'severe'

[Njovich]

If you suspect the CIA/NSA is really after you I wouldn't recommend you to use Lastpass, or Windows. In fact your options are pretty limited and I would highly recommend to not get into that situation in the first place.

Re:

[strikethree]

If you suspect the CIA/NSA is really after you I wouldn't recommend you to use Lastpass, or Windows.

Or any modern CPU. That "management" feature that you can't disable? Yeah, that is a back door. Even worse, I know for a fact the Intel CPUs were being built with 3G chipsets inside of them, so even being "offline" isn't good enough. The entire computing environment needs to be TEMPEST shielded, as in Enemy of the State.

I assume they have upgraded from 3G in their CPUs. You simply can not trust any modern technology if the CIA/NSA is after you.

It should also be noted that it is not technically difficult to

Re:

[flirek]

Main memory of today's computers cannot be considered "private" & "secure" enough as Intel IME and similar garbage can directly read from it. Assumption that you have total control of memory is false.

Re:

[Zehsi]

your assumption that every computer has intel cpu is also false.

Re:

[cjeze]

uh. it is absolutely not the bottom of the barrel. Most exploits works from inside the computer, if there are proven tools that can extract passwords and passphrases from memory it is just a matter of time before they can take over your whole life. If not fixed quickly exploits are going to pop up in the wild in 3..2..1..

Re:

[msauve]

Whoosh.

If a bad actor has control over a computer, they can simply use a keylogger. Way easier, and way less data to weed through.

WARNING! SECURITY ALERT! If someone has control of your computer, they have control of your computer.

Re:

[scdeimos]

Is it bottom of the barrel? I think it's healthy to stop and think about how password managers get used. If it makes you reconsider keeping your password manager open and unlocked all day every day, as opposed to only when you need it, this is a benefit. I'd never considered the implications of the Show/Hide Asterisks feature in KeePass, for example.

It's also important to remember: an attacker might have access to the memory of your computer, in which case you've lost the battle for your computer, but if th

Re:

[Anonymous Coward]

Is it bottom of the barrel? I think it's healthy to stop and think about how password managers get used. ...
but if they can also score all your usernames and passwords as well, that really does give them the keys to the kingdom.

I'd say yes, at least with their keepass results, this is bottom of the barrel.

They say this is a vulnerability in keepass, yet the only place in ram they found plaintext keys was from the windows API.
That sounds to me like a windows problem and not a keepass problem.

All passwords are going to be used to authenticate to something. If you can only get at the plaintext key after it is handed off to that something, it does seem like a huge stretch to blame the password manager for it.

Or put another way, if yo

Re:

[AmiMoJo]

For most people the threat model they should be concerned with is password reuse and weak passwords. A password manager, even a flawed one, can fix both of those.

The convenience vs. security trade-off of not having to keep unlocking the password manager is worth it for most people, because the alternative is realistically going to be using "passw0rd" for everything. In fact I recommend people have their browser remember their passwords.

Re:

[Smidge204]

While true, that also means that it would have to wait until you actually copy/type the password in order to steal it, and there is still the task of identifying the password out of all the other data you copy or words you type through out the day.

Or, since you have access to the RAM, just snag it from the password manager whenever the process appears. Then you get all the passwords at once, along with usernames or other important info, and you don't have to sift through junk data to find them.
=Smidge=

Not sure

[Artem S. Tashkinov]

If I understand these two "vulnerabilities" properly, they require a piece of software installed/running locally which will steal/grab these passwords from RAM. However no normal/legitimate software will ever steal your passwords or access the RAM regions of other applications, which means this software is in essence malware which means you're already completely fucked and this software may just steal your master passwords, retreive all files, etc. etc. etc.

Re:

[mentil]

This could be relevant to memory-access attacks, like escaping from VMs, Docker containers etc.
It seems unlikely a server would be running a password manager app though.

Re:

[Zocalo]

It seems unlikely a server would be running a password manager app though.

No, but it's much more likely that a compromised PC with a password manager installed might be used to remotely log into that server and provide the attacker with a means to obtain the server's password. This provides another avenue of attack to obtain a server password, albeit perhaps not the easiest one to get the same results, but the more attack vectors there are the more likely it is that one will succeed, and it only takes on

Re:

[Sique]

It's not unlikely. Actually, it's quite often used.

Imagine an IT shop working remotely on diverse customer sites. There are dozens of technicians, and literally hundreds of passwords. One way to manage the password hell would be to assign a password safe to each customer, installed at the customer site on the server you use as central remote access. So your technician tasked with a job there would look up the password safe master key for that customer, and then remotely access the server there, to find th

Re:

[Zocalo]

There are varying degrees of "completely fucked", but yes, if you are being successfully attacked using this method then you are already in a pretty bad place, although it's possible that a lucky attacker might obtain enough info to pivot the attack onto an entirely separate system you happen to have a password for. Going from one PC being compromised to your entire network being compromised is definitely a step up in the level of "completely fucked".

Of course, if the malware has already been able to in

Re:

[Kokuyo]

I'd even go as far as to say that a relatively sophisticated keylogger is probably much easier to code and just as effective.

Re:

[drinkypoo]

This is why meltdown is important. There have historically been lots of ways to sneak code onto users' computers. We like to think protected memory will, uh, protect us. But since it won't, these things are important.

Rendering passwords without using the system font libraries (or GUI text widgets) solves the problem of being able to grab the data from the OS. There have long been password deobfuscation tools, my favorite used to be snadboy's revelation but I don't think that works any more. Helped me a lot

Use The Best Password

[mentil]

That's why I always use a yuge password: 1234abcd. It's a very good password. The best password, really.

Re:Use The Best Password

[kbg]

That's amazing! I've got the same combination on my luggage!

Re:

[93 Escort Wagon]

You should switch it to something like “hunter2”.

Re:

[complete loony]

Summer2017 [youtu.be] was a good time for password cracking.

Re:

[Opportunist]

As long as the computer is off, it's also pretty secure in Lastpass and Keepass.

that's why I keep my passwords!

[danbuter]

That's why I keep my passwords on a sticky note on my monitor! Never trust the cloud!

Re:

[bobbutts]

The user is usually copying and pasting in the case of using a password manager, so the keyboard buffer will not have what you are looking for.

But we are still safe on

[AHuxley]

Apple? Thats all good right? And Linux? All good?

ugh

[fluffernutter]

Independent Security Evaluators (ISE) published an assessment on Tuesday with the results of testing with several popular password managers.

I have to snicker that anyone would fail so spectacularly. They realized just now that memory has to hold field data at some point?

Still using pwsafe

[godrik]

Bruce Schneier, thank you for the fish!

I tried keepass once... for about 30 minutes...

[gosand]

I finally decided to try it a couple of years ago. I got it all set up with about a dozen passwords.
The next time I opened it, they were all gone. No trace. I uninstalled it and went back to memorizing my passwords.

I find those tools as a single point of failure. I have a password scheme that I use, and keep a list of plain-text reminders for each site. The reminder is so vague that nobody could figure out the password, but I instantly know which scheme I use.

I still remember a password that a departin

Re:

[b0bby]

I have a couple of schemes which I use for a lot of my passwords, but there are enough unique ones that I find Keepass extremely useful. Not to mention that I keep note of a bunch of other data and my kids' passwords there too. Also my wife could use it if she needed to if I get hit by a bus.

I've helped a bunch of people set up Keepass, and I have never seen the data disappear. But if you don't need it, your way is probably better!

Confusion in the comments

[FeelGood314]

There are two types of attacks against systems like this.
1 where the attacker modifies the system, hopes the victim doesn't notice and then steals information when the victim next uses the system
2 where the attacker steals the system and then tries to extract information

These attacks are against the latter, where I steal your laptop and then try and extract your passwords from the running machine. If your password manager is open and unlocked, then I can trivially get your passwords, but if the manager

Use pass

[allo]

The standard unix password manager is in many aspects more secure than the bloated ones: https://www.passwordstore.org/ [passwordstore.org]

- It is minimal. It is a short bash script, that you can read completely before using it.
- It uses standard tools like gpg for storage and pwgen for password generation
-It has a simple command line with some uncomplicated graphical frontends
- It does not leave anything in memory, as it terminates when it finished copying the password to your clipboard or writing it to the console (or in the