How serious are recently discovered password manager security flaws?

The strongest online passwords are complex and random, made up of a combination of non-consecutive upper and lowercase letters, numbers, and symbols. For the utmost security, experts also recommend that you create a new password for each of your online accounts rather than reusing the same one across the internet.

Of course, when you have to come up with dozens of different, elaborate passwords, it can be very difficult to remember them all. That’s where password managers come in. Storing all your passwords so you don’t have to memorize them, password managers make it easier and more convenient than ever to use keep your online accounts secure.

But whether it’s safe to put all your passwords in one basket is a question that’s been on users’ minds for as long as password managers have existed. Since these applications contain the keys to all your important accounts, it goes without saying that they need impeccable security to prevent hackers from gaining access.

That’s why the recent discovery of password managers security flaws has users so alarmed.

The problem: password managers expose master passwords

On February 19th 2019, Independent Security Evaluators (ISE) published a report which uncovered fundamental flaws in all the password managers they tested: Lastpass, 1Password, Dashlane, and KeePass.

With a combined user base of 60 million accounts (of which almost 100,000 belong to businesses), these popular managers were assumed to be a safe and secure bet by users. However, each one was found to suffer from the same vulnerability: exposing the master password.

As you likely already know, the master password is the key to any password manager – literally, since it’s what unlocks the software so you can retrieve the other passwords within. As a result, it’s crucial that no one knows the master password except you.

However, the ISE report found that even when these password managers were locked, the master password remained in the Windows 10 computer’s memory in an unencrypted, plain text format that anyone could read.

Understandably, this password managers security flaw sounds like a very serious one at face value. But how much of a concern is it really? Read on to find out the risks involved, whether you should stop using your password manager, and how to proceed from here.

How serious is the security risk?

Since it’s so crucial for a master password to be kept secret, this security vulnerability may seem very worrisome. However, the truth is that even with the master password stored in plain text in your computer’s memory, you’re still at a very low risk of having it stolen. To understand why, you need to understand how difficult it would be for a hacker to access and use the password.

To retrieve a stored master password, a fraudster would need access to your RAM. There are only two ways they could do this: by stealing your computer physically, or by gaining remote access to it. As a result, if you take precautions to keep your computer away from thieves and malware that could control it, cybercriminals won’t be able to get into your memory.

On top of that, even if a hacker did install malware on your computer, the best password managers wouldn’t give them automatic access.

Usually, when signing into a password manager on a new device, the app will initiate a two-factor authentication process which requires a one-time passcode sent to your phone. As a result, the hacker would also need to steal your phone or set up a SIM hijacking attack, both of which would be very difficult.

So, you can see why the risk of having your password library exposed is very slim. Of course, it’s not completely impossible. A very determined criminal could still get their hands on your passwords with enough effort, which raises the question: is it better to stop using your password manager altogether?

Should you stop using a password manager?

In short: no, you shouldn’t stop using your password manager.

When finding out that any application or website has a major security flaw, instincts usually say you should stop using it. However, it’s not necessary to stop using your password manager just because of this vulnerability. Password managers still come highly recommended by top cybersecurity experts. In fact, even the ISE themselves (the researchers behind the report) say you should still use the software they tested.

Password managers are still a very useful security tool because they’re often the only way you can use a strong, unique password on all of your accounts. Each of the tested password managers are also loaded with additional features to protect you.

LastPass, for example, has a strong password generator and an automatic password change function.

Multiplatform Dashlane features a dark scan web function and even captures online shopping receipts.

1Password boasts top tier security features as well as good 24/7 forum support if you need help.

Finally, KeePass is free and can import saved passwords from multiple different sources. This security flaw is just one con in a sea of pros.

To put it into perspective, taking cyber security precautions is like wearing a helmet when riding a bike. If you get into an accident, a helmet won’t protect your from scraping your arms or breaking your legs. In a particularly serious accident with a heavy-duty vehicle, it may not even protect you from a head injury. However, a helmet keeps your head safe in most circumstances, so it’s better to wear it than to not.

In the same way, you should still use a password manager even though it can’t protect you from the most heavy-duty cyberattack, because the alternatives (reusing passwords, for example) put you at even greater risk.

Ultimately, the aim with any cyber security precaution isn’t to make you unhackable – that’s an impossibility as long as you use technology. Instead, the aim is to reduce your risk as much as possible and make it very hard for hackers to reach you.

How to reduce your risk even more

Thankfully, even though using one of these password manager comes with a risk, there are several ways to reduce it. Here are some of the best precautions you can take to greatly minimize the chances of having your passwords stolen from your password manager.

1. Terminate the password manager

As outlined in the ISE report, the risk of using password managers is that the master password remains in your computer’s memory while the software is locked but still running. As a result, terminating the application completely should remove the password from your RAM so no one can access it.

Sometimes, clicking the ‘X’ button on a password manager simply minimizes it to your system tray. Instead, you may need to click File and then Exit, or terminate the process directly from the Task Manager to be certain.

2. Update the app regularly

Like all good security software, password managers are frequently updated with new patches that fix flaws and reduce risks. Ensure you update your password manager every time a new update is released. If possible, you should set updates to “automatic” so you never forget.

For reference, the software versions tested in the ISE report were:

• LastPass version 4.1.59
• 1Password4 version 4.6.2.626
• 1Password7 version 7.2.572
• Dashlane version 6.1843.0
• KeePass version 2.40

However, bear in mind that new security patches may not be able to fix this specific flaw, since it’s rooted in how memory storage functions in Windows 10.

1Password told ZDNet that “any plausible cure may be worse than the disease.”

3. Use a smartphone app

Since this memory leak problem is specific to Windows 10, you may prefer to use your password manager on your smartphone or tablet. While phone apps may become vulnerable in the future, this flaw can only be exploited by a RAM attack on a computer.

4. Combine with an authenticator app

As mentioned earlier, linking your password manager account to a two-factor authenticator like Authy or Google Authenticator can prevent hackers from using your master password even if they find it. Ideally, you should use the two-factor authentication method with all your online accounts too.

5. Practice good malware prevention

Since the most common way for a hacker to gain access to a computer’s memory is through malware, practicing good malware prevention habits will go a long way in protecting you. Make sure you use a reputable, up-to-date malware scanner like Malwarebytes, and remember to never download or open any files you can’t trust.

6. Don’t store extremely valuable passwords

Some passwords are more valuable than others. For example, having the password for your Netflix account stolen is far less of a worry than having your PayPal or Bitcoin passwords stolen. So, instead of keeping high value passwords in your password manager, it’s better to work on committing them to memory if you can’t. After all, no one can hack your mind – at least not yet.

Bottom line

In short: yes, password managers have been found to be vulnerable to high-level attacks, but no, you should not stop using them.

As long as you practice good cybersecurity precautions and internet hygiene, password managers are still the best way to keep your online accounts safe – flaws or no flaws.