More than 60 million individuals and 93,000 businesses rely on password managers like Dashlane, KeePass, and LastPass to store their passwords and apply them when needed. A new report by Independent Security Evaluators (ISE) shows that these popular password managers may have serious security flaws, however, raising questions about whether they are safe to use.
According to the report, password managers are no more secure than saving a list of passwords in a text file, despite promises of encryption and safety. ISE CEO Stephen Bono reported that none of the password managers evaluated in the study lived up to advertised promises of security and that all were susceptible to collection of personal data by hackers.
“100 percent of the products that ISE analyzed failed to provide the security to safeguard a user’s passwords as advertised,” Bono said. “Although password managers provide some utility for storing login/passwords and limit password reuse, these applications are a vulnerable target for the mass collection of this data through malicious hacking campaigns.”
The use of password managers with Windows 10 was studied to find out how password information was stored, even when use of the managers was blocked. In some cases, the master password that unlocks all the others was stored by the software in plaintext, readable form, which would be readily accessible to a hacker. It was also possible to recover login credentials from the computer's memory while the manager was locked.
ISE researchers used widely known memory forensics techniques, which would be child's play for a hacker, to recover master passwords while the software was locked and the data was supposed to be inaccessible.
“People believe using password managers makes their data safer and more secure on their computer,” ISE Executive Partner Ted Harrington said. “Our research provides a public service to vendors of these widely adopted products who must now mitigate against attacks based on the discovered security issues, as well as alert consumers who have a false sense of security about their effectiveness.”
ISE recommends that users not leave a password manager running in the background while using their computers, even in the locked state, and that they stop or avoid using the managers featured in their report.
Cybersecurity training can equip you to keep your information more secure and to recognize threats to your personal information and the information of others, including businesses. PC AGE provides training for several cybersecurity certifications as well as the ethical hacker certification, which can help businesses discover and eliminate threats by thinking like a hacker. Request info about our programs and how you can even earn credits toward a degree.