Password Manager Vulnerabilities Exposed

[cageymaru]

A report from Independent Security Evaluators (ISE) showed that password manager security is acceptable in non-running states, but are vulnerable to memory attacks when in running states. Products from 1Password4, 1Password7, Dashlane, KeePass, and LastPass were tested in the report. For example, 1Password4 properly scrubbed old password entries from memory when it loaded a new entry; this meant that only one password was exposed at a time. But the master password remained obfuscated in memory and a bug allowed the master password to be stored in memory in a cleartext form; even when locked. In another example, 1Password7 decrypted and loaded all the individual passwords in the running state and didn't scrub the individual passwords, master password or the secret key when transitioning from the unlocked to locked state!

Dashlane exhibited good security practices until the user changed an entry. Then it exposed the "entire database plaintext in memory and it remains there even after Dashlane is logged out of or 'locked'." The entries remained in memory for more than 24 hours. KeePass was decent until a simple strings dump from the process memory of KeePass was performed. There it exposed all entries that had been interacted with. LastPass performed as well as KeePass. ISE concluded that while "it is evident that attempts are made to scrub and sensitive memory in all password managers. However, each password manager fails in implementing proper secrets sanitization for various reasons."

The password manager vendors responded to the report from ISE. LastPass says it patched its issues and KeePass noted that the basic underpinnings of Windows affected its ability to scrub the password entries as "Windows and .NET may make copies of the data (in the process memory) that cannot be erased by KeePass." Dashlane noted that "if an attacker has full control of a device at the lowest operating systems level, they can read any and every information on the device." 1Password's spokesperson took the same stance with "An attacker who is in a position to exploit this information in memory is already in a very powerful position. No password manager (or anything else) can promise to run securely on a compromised computer."

In this paper we will examine the inner workings as they relate to secrets retrieval and storage of 1Password, Dashlane, KeePass and LastPass on the Windows 10 platform (Version 1803 Build 17134.345) using an Intel i7-7700HQ processor. We examine susceptibility of a password manager to secrets exfiltration via examination of the password database on disk; memory forensics; and finally, keylogging, clipboard monitoring, and binary modification. Each password manager is examined in its default configuration after install with no advanced configuration steps performed. This paper is not meant to criticize specific password manager implementations; however, it is to establish a reasonable minimum baseline which all password managers should comply with.

 

[Derangel]

So Lastpass claims they patched it (and I'd love to see that claim put to the test) and everyone else responded with excuses. The "if someone has physical access to your device you're already boned" stance is true but it reads like the companies just trying to pass the buck and make excuses.

 

[cageymaru]

So Lastpass claims they patched it (and I'd love to see that claim put to the test) and everyone else responded with excuses. The "if someone has physical access to your device you're already boned" stance is true but it reads like the companies just trying to pass the buck and make excuses.

I was reading the report from the stance of a business with corporate secrets to protect. It surely doesn't look good for these companies to say, "well it was compromised anyway."

 

[cageymaru]

Also Derangel I really summarized the responses from the password manager vendors. Each had a LOT more to say, but you saw how long the post was already. So I had to leave 99.9% of it out.

 

[Nobu]

Is this the website version or extension? Or did they test both? Can't read the article atm.

 

[mord]

Not defending these applications, but there is truth to the point that you can't completely securely 100% pass data from one app to another inside a compromised digital computer if the attacker can run any code/instructions at any level. Maybe with coordinated single pad encryption, but that's a whole different level of integration.

That said, you can minimize the attack vectors. Which is what these applications need to do.

 

[pendragon1]

requires physical access

 

[seanreisk]

I think the bigger problem is too many accounts. Why do I need an account just to look at Pinterest? Why do I need an account just to browse Wayfair?

Even a modest internet citizen won't be able to remember all their passwords. If the second-best solution is to write all the passwords down and keep them in your wallet, these password lockers are still good.

 

[MMitch]

requires physical access

Physical access to bank ? unless the smiley meant "/s" ?
But yeah those are better than mine. N0n3.............. (number of . depends on how many character long you need )

 

[pendragon1]

as in someone needs to physically get ahold of my post it note and yes, half joking. I will write a password(temporarily use of other's) on a post it, then shred/burn it.

 

[NickJames]

as in someone needs to physically get ahold of my post it note and yes, half joking. I will write a password(temporarily use of other's) on a post it, then shred/burn it.

I use a cryptic form of remembering passwords. I'll leave myself a hint like Christmas Present Monitor then I remember oh the password is the model number of that monitor I got for Christmas or some shit like that.

 

[Methadras]

When will FIDO-Authentication capability become mainstream on PC's already? I simply don't understand the holdup. Users can avoid a lot of password/hacking/hijack issues with FIDO built into websites/OSes.

 

[RogueKitsune]

Just an FYI if you memory dump Chrome or IE ( or probably any browser on Windows) after entering a password on a website you are really likely to be able to see the password you entered in plain text.

On of the web applications I work on keeps on getting a security issue with that finding when it time to audit it, but there is nothing we can do about it.

As far as I know this is just a Windows thing as this issue does not appear when using MacOS.

 

[steakman1971]

I think the bigger problem is too many accounts. Why do I need an account just to look at Pinterest? Why do I need an account just to browse Wayfair?

Even a modest internet citizen won't be able to remember all their passwords. If the second-best solution is to write all the passwords down and keep them in your wallet, these password lockers are still good.

Yep - my password manager has about 300 accounts in it. I have my wife and a few kids in the manager, but this is absolutely insane we have this many accounts.
I've finally got my wife to stop using the same password (which was of the name+number variety, ex brittany1).
What a total mess.

 

[ZeqOBpf6]

I agree it's not an ideal situation but hardly a critical flaw. Still would be nice to see it fixed.

Re: too many accounts

I agree, and my DB has countless entries but what's a good alternative? Federated SSO? So Google or FB have access to every single other account you use? Don't give me that "they already do LOL" crap either.

Is there a third option? Applying for jobs it's BRUTAL
Every company needs you to make an account just to apply! Apply for 20 jobs/week... Zzzzz....

 

[MRAB54]

Just an FYI if you memory dump Chrome or IE ( or probably any browser on Windows) after entering a password on a website you are really likely to be able to see the password you entered in plain text.

Assuming that is true which I'll take your word for, then that is a separate problem with the browser. One that I'd say is a bigger issue than the password managers as you keep your browser open at length and visit other sites.

But then again, really doesn't matter when these apps scrub passwords from memory if some rogue process is able to access another processes memory you are screwed either way.

Two factor auth on your master password and any other sites that offer it are your best bet.

 

[Master_shake_]

the only way to get my passwords is a hammer to the head.

cause that's where they are stored.

 

[Zarathustra[H]]

Well, the problem here is that they all work by putting the password into the copy and paste buffer, which by its very nature is designed to be able to be read by absolutely anything on your computer.

I guess they try to clear it afterwards, but with Windows I guess the buffer can be cached elsewhere and they have no control over this.

In the end what they are saying is true. If your local machine is compromised to the point where an attacker can read memory, it is physically impossible to protect any data once opened. An unopened encrypted file is safe, but once you open it and unencrypt it, the unencrypted state has to be stored in memory, and that memory is vulnerable id your machine is compromised.

This is why we always patch the latest security patches immediately to both OS and programs and devices, cease using any OS or network based program or device that is too old to receive patches, never log on as an administrator (do everything in a basic user account and only provide administrator credentials when necessary) use firewalls, and antivirus and malware scanners, if not resident scanning in the background, at least periodically just in case.

Right? Right?

If you don't do all of the above, you shouldn't be on the internet.

 

[Nobu]

Well, the problem here is that they all work by putting the password into the copy and paste buffer, which by its very nature is designed to be able to be read by absolutely anything on your computer.

I guess they try to clear it afterwards, but with Windows I guess the buffer can be cached elsewhere and they have no control over this.

In the end what they are saying is true. If your local machine is compromised to the point where an attacker can read memory, it is physically impossible to protect any data once opened. An unopened encrypted file is safe, but once you open it and unencrypt it, the unencrypted state has to be stored in memory, and that memory is vulnerable id your machine is compromised.

This is why we always patch the latest security patches immediately to both OS and programs and devices, cease using any OS or network based program or device that is too old to receive patches, never log on as an administrator (do everything in a basic user account and only provide administrator credentials when necessary) use firewalls, and antivirus and malware scanners, if not resident scanning in the background, at least periodically just in case.

Right? Right?

If you don't do all of the above, you shouldn't be on the internet.

Hmm...maybe windows should have a secure copy method which keeps the clipboard encrypted and sandboxed to the process that used it? Or maybe a browser could implement this for extensions?

 

[M76]

I never trusted password managers, it's a single point of failure. Plus you'd need implicit trust in the developer of the password manager.

 

[Derangel]

I never trusted password managers, it's a single point of failure. Plus you'd need implicit trust in the developer of the password manager.

ALL password systems are a single point of failure. It is physically impossible for the human brain to keep track of long, random, strings of letters and numbers much less dozens, or hundreds, of them. So your options are password managers (probably the "best" way), tying passwords to a physical object, or creating "unique" password schemes that you base all of your passwords on. Either way, everything is a single point of failure.

 

[mord]

Hmm...maybe windows should have a secure copy method which keeps the clipboard encrypted and sandboxed to the process that used it? Or maybe a browser could implement this for extensions?

The problem is how does the app enter that password into another app? Has to be decrypted for that.

If the other app accepts the encrypted password... well then all you need to steal is the encrypted password.

 

[lollerwaffle]

It really is time for better encryption everywhere. Then again how many people have been compromised with key loggers, where no encryption will save your bacon?
But I digress. Encryption is good and should be more plentiful, and most of all, well-implemented. It does help.

Some of the challenges today are that things are built to work on multiple platforms. To that end, we're abstracting code more and have intermediate interpreters of that code. Layers and layers of interpretation, parsing, compiling. All the layers bring risk with them. If we start encrypting just about everything, we can reduce risk but we'll also suffer performance. Anyone paying attention to the recent side channel attacks knows that mitigation costs performance, massively so sometimes (I/O).

I do like that we have seen hardware encryption (CPU instructions) that accelerate some cryptography dramatically. That is a nice trend, it shows we're learning.

 

[Nobu]

The problem is how does the app enter that password into another app? Has to be decrypted for that.

If the other app accepts the encrypted password... well then all you need to steal is the encrypted password.

If it's in the browser, other apps don't need to know. If it's not...well there's really no solution for that. You could make it so that the encrypted password could be passed to other apps and decrypted by them, but then a user could be tricked into copying the password into an untrusted app. You could just view the password in plain text and manually type it in, but screen grabbers could pick it up. You could make the password fields invisible to screen-grabbers, but the plaintext password would be visible in memory anyway...

 

[mord]

If it's in the browser, other apps don't need to know. If it's not...well there's really no solution for that. You could make it so that the encrypted password could be passed to other apps and decrypted by them, but then a user could be tricked into copying the password into an untrusted app. You could just view the password in plain text and manually type it in, but screen grabbers could pick it up. You could make the password fields invisible to screen-grabbers, but the plaintext password would be visible in memory anyway...

yes. If a browser has to send the password to a website, then the browser has to decrypt its stored passwords to send to the web site. You can't trust the browsers own code for that if the computer is fully compromised.

As for sending a still encrypted password, if you can do that, then the attacker only needs to steal the encrypted password and send it themselves.

 

[Jagger100]

If my system is infected with a memory hacking tool of the highest permission level, why wouldn't it be infected with a keylogger?

 

[Zarathustra[H]]

Hmm...maybe windows should have a secure copy method which keeps the clipboard encrypted and sandboxed to the process that used it? Or maybe a browser could implement this for extensions?

But isn't the purpose of the clipboard to transfer data between processes though?

And if you use something else, and not the clipboard then you lose the universal ability to enter the password into any application, which limits the usability.

Microsoft and other OS:es could prova lyckan improve things by making it easier to clear quickly after use, and not caching the contents elsewhere, but in the end I don't think this is a completely solveable problem.

In the end, anything you open on a compromised local machine is vulnerable.

 

[SvenBent]

non of the "complaints" has to do with vulnerabileis by using password manages. but with other security issues.
They all requires you are runing bad software on your computer. in that case keyloggers would work easelier and better. that is not asecurty issue of the password manager but of your system.

just make sure to understan the attack vectore correctly when you ar reading things like this and dont go into a panic mode like ppl did with spectre and meltdown.
if a hack requires software running on your computer. You issue is in why is this software running on your computer to begin with.

 

[SvenBent]

I was reading the report from the stance of a business with corporate secrets to protect. It surely doesn't look good for these companies to say, "well it was compromised anyway."

Dont really care how things "sounds" that's an emotional bias.
They are absolutely technical correct that if you lost control of your system. nothing can prevent you from that. You security was lacing in other places for this situation to occur


its like complaining that peopel can open the door from the inside of you house is a security thread because you leave you windows open for ppl to crawl in.
It was the windows being open that was your issue. not the door able to open from the inside.


The botoom line is using a proper password manage is way safer than not using one.
and there is no added security issues from using a proper password manager
Don't get you emotional bios in the way for a proper technical conclusion.

 

[cageymaru]

Dont really care how things "sounds" that's an emotional bias.
They are absolutely technical correct that if you lost control of your system. nothing can prevent you from that. You security was lacing in other places for this situation to occur


its like complaining that peopel can open the door from the inside of you house is a security thread because you leave you windows open for ppl to crawl in.
It was the windows being open that was your issue. not the door able to open from the inside.


The botoom line is using a proper password manage is way safer than not using one.
and there is no added security issues from using a proper password manager
Don't get you emotional bios in the way for a proper technical conclusion.

I wasn't emotional. Say corporate espionage happens and they try injecting malware onto the system to steal the passwords from the password manager. Shouldn't they stay hidden and encrypted at all times? Or is it acceptable that they are cleartext? If a script kiddie steals your PC; it is acceptable that the thief can read your passwords stored in your password manager?

 

[RanceJustice]

It is important to note that all of the listed password managers are proprietary and "cloud based" except for one - KeePass, which is open source and requires connection (local or remote) to a specified password database file (extension .kdbx being the latest standard). It doesn't surprise me at all that KeePass has the fewest vulnerabilities (check their chart), but its worth mentioning that those they listed are far from universal. From what I've seen there has already been an update to KeePass 2.41 which addresses some of these issues , while users who are using KeePass 2.x on non-Windows OSes and/or using the Mono runtime even on Windows as opposed to .Net, have a lesser attack surface against what is described.

I would like to see KeePass developers continue to address these issues directly and implement workarounds to ensure even issues from Windows OS or .NET behavior can be remedied, but it seems like they're off to a good start. However, those concerned may want to take a look at KeePassXC , another open source KeePass database desktop client. Looking on their github issues page discussing this, apparently they too have a small attack surface, but there's only so much that can be done in the face of an attacker with current, local, root level access to that same machine which holds both the program and database file!. Using either version of KeePass on Linux for instance isn't vulnerable the same way, given privilege segregation and the way it is handled in a more granular fashion. I expect to see both KeePass and KeePassXC updated further in the future.

Its too bad they didn't check out BitWarden, though, instead of or in addition to KeePass. BitWarden is a "cloud based" password manager more like the others, but unlike them it is open source and able to be self hosted for those interested. I'd be curious to see how it stacks up to the big name proprietary cloud based ones.

 

[Nobu]

But isn't the purpose of the clipboard to transfer data between processes though?

And if you use something else, and not the clipboard then you lose the universal ability to enter the password into any application, which limits the usability.

Microsoft and other OS:es could prova lyckan improve things by making it easier to clear quickly after use, and not caching the contents elsewhere, but in the end I don't think this is a completely solveable problem.

In the end, anything you open on a compromised local machine is vulnerable.

Right, but you aren't always copying data between processes, and sometimes you definitely don't want other processes to know the contents of data you are copying. You could implement a secure copy function in each program which requires it, or make an OS function available. I would think either method would be acceptable, but for such a simple function, would it not be reasonable to implement it in the OS (maybe in a separate library that any program can link, if a service isn't required)?

 

[Zarathustra[H]]

Right, but you aren't always copying data between processes, and sometimes you definitely don't want other processes to know the contents of data you are copying. You could implement a secure copy function in each program which requires it, or make an OS function available. I would think either method would be acceptable, but for such a simple function, would it not be reasonable to implement it in the OS (maybe in a separate library that any program can link, if a service isn't required)?

That could probably work, but it would require every program you enter a password into to be designed for you specific password manager. Either that, or a new OS library for standard e3ncrypted password sharing such that there is some way to intentionally pass the key over to the recipient process.

I'm not holding my breath for this, but it would be nice.

 

[Zarathustra[H]]

Also, I think Lastpass is full of shit. No way they could just patch this. It requires fundamental OS/Program changes.

Unless they remove password sharing by clipboard, and only do it via their browser plugin, but then you cant use their password managers for non-webpages.

 

[BloodyIron]

All your juicy eggs in one basket

 

[Brian_B]

I hate passwords

 

[Biznatch]

Also, I think Lastpass is full of shit. No way they could just patch this. It requires fundamental OS/Program changes.

Unless they remove password sharing by clipboard, and only do it via their browser plugin, but then you cant use their password managers for non-webpages.

The clipboard is the least of your concerns. At most, that gives access to a single password. The real concern are the managers that are exposing the entire master key..... If someone gets that and your DB, they have ALL your passwords. The fact that only some of the managers are affected by that, shows it's not an OS issue, but an issue with implementation of the software.

I know keepass has a setting for how long it will keep a password copied before scrubbing. I've had it scrubbed before I was able to paste it into the field if I got distracted or something. I think default is 10 seconds, then it's gone.

It is nice seeing the OS keepass as one of the least vulnerable. Time to head over to their git repo again and see if there are any PR's or open issues for implementing that intel SGX sandboxing.

 

[SvenBent]

I wasn't emotional. Say corporate espionage happens and they try injecting malware onto the system to steal the passwords from the password manager. Shouldn't they stay hidden and encrypted at all times? Or is it acceptable that they are cleartext? If a script kiddie steals your PC; it is acceptable that the thief can read your passwords stored in your password manager?

Did you read the article?
The issue brought up has nothing to do with the things not being encrypted well enough
But fundamentally at some point the password needs to be in a shape the recipients can understand them aka unencrypted
That not something the password manager kan change that a fundamental law of exchanging a password the recipines need to be able to understand it.

So when that exchange happens the password is decrypted (like expected) and can then be read by software on your computer.
This is again not an added risk. its the same as keylogger and you would have the same issue using a password manager or not.

You can have something encrypted forever at some point you need to decrypt it to be able to understand it.anything else defies the laws of logic here
because if it was understandable before it got decrypted. it would not be encrypted at all.


So trying to use this articles as an argument that using password manager are bad or they are not secure. is based in a false understanding of the issues found
in a "cold state" the password manager was perfect able to resist attack on it it,. aka if somebody gets you data base
Quote from the article: All password managers we examined sufficiently secured user secrets while in a ‘not running’ state.

its only on warm states there is an issue and only if you have running bad software running on you system
compared to not using a proper password manager you would be in the same situations as bad software running on your system simply logs you keystrokes to get you password aka a keylogger


So again bottom line. there is no added security issues form using a proper password manager but tons of benefits to do so,
there is nothing in this articles that warrant a negative reaction against using a password manager


exactly the same situation for ordinary user and spectre. There was no added security risc from havine the spectre flaw.
The attack vector remains the same
But yet ppl make a big deal out of things they don't understand because it does not "sound" good



or to put it short:
if you got bad software on your computer, then that itself is your security issue.

 

[socK]

If something can dump memory on your box and get it off to a malicious party, you're already compromised.

 

[aaronspink]

I wasn't emotional. Say corporate espionage happens and they try injecting malware onto the system to steal the passwords from the password manager. Shouldn't they stay hidden and encrypted at all times? Or is it acceptable that they are cleartext? If a script kiddie steals your PC; it is acceptable that the thief can read your passwords stored in your password manager?

What you want simply isn't possible. If given direct memory access, you don't have any secrets left. And in the majority of cases they can only read the password when you actively decrypt the password to use it.