Password Manager Firms Blast Back at ‘Leaky Password’ Revelations

1Password, Dashlane, KeePass and LastPass each downplay what researchers say is a flaw in how the utilities manage memory.

Secure password firms 1Password, Dashlane, KeePass and LastPass are blasting a research report that highlights how a local adversary can crack open and steal passwords stored by the utilities.

The uproar began Tuesday when lead researcher Adrian Bednarek with Independent Security Evaluators (ISE) published findings that demonstrated how someone could pluck clear text passwords associated with the utilities from the memory of Windows 10 systems.

“It is evident that attempts are made to scrub and sensitive memory in all password managers. However, each password manager fails in implementing proper secrets sanitization for various reasons,” Bednarek wrote in his research report.

The issue with the password managers (1Password, Dashlane, KeePass and LastPass) at the time of testing was that each of the utilities stored either the master password or individual credentials in insecure memory on the PC. This could allow a local adversary, or a remote attacker who had compromised the system, to obtain passwords maintained by the utilities.

The one exception, researchers note, is when the password managers are not in use.

“All password managers we examined sufficiently secured user secrets while in a ‘not running’ state. That is, if a password database were to be extracted from disk and if a strong master password was used, then brute forcing of a password manager would be computationally prohibitive,” Team ISE explained.

For ISE, this was far from a deal breaker when it came to using the password management utilities. Instead, researchers encouraged people to use the password managers. But at the same time, they also advocated that password manager firms tighten up their application memory management.

“First and foremost, password managers are a good thing. All password managers we have examined add value to the security posture of secrets management,” researchers wrote.

The password manager firms, whose products are used by an estimated 60 million users and 93,000 businesses, each took issue with the study for different reasons.

Emmanuel Schalit, CEO of Dashlane, said the research was too narrowly focused on specific conditions that were “a very standard theoretical scenario in the world of security.” He continued: “This is not limited to Windows 10 but applies to any operating system and digital device connected to the internet.”

In a statement Schalit said:

“We respectfully disagree with the researcher’s claim that this can be truly fixed by Dashlane, or anyone for that matter. Once the operating system or device is compromised, an attacker will end up having access to anything on the device and there is no way to effectively prevent it. There are solutions that amount to ‘putting the information under the rug’ but any attacker sufficiently sophisticated enough to remotely take control of the user’s device would go around these solutions very easily.”

Sandor Palfy, CTO at LastPass, explained in a public statement that the vulnerability highlighted by ISE was present in a “legacy” Windows Application that accounted for less than 0.2 percent of LastPass usage.

He said that the LastPass password manager has already received an update to “mitigate and minimize” risk.

“To mitigate risk of compromise while LastPass for Applications is in a locked state, LastPass for Applications will now shut down the application when the user logs out, clearing the memory and not leaving anything behind,” Palfy said.

1Password’s Jeffrey Goldberg, who goes by the title Chief Defender Against the Dark Arts, said the secure memory management issue is well known and has been “publicly discussed many times before, but any plausible cure may be worse than the disease.”

Goldberg’s public statement continued:

“Fixing this particular problem introduces new, greater security risks, and so we have chosen to stick with the security afforded by high-level memory management, even if it means that we cannot clear memory instantly.

Long term, we may not need to make such a tradeoff. But given the tools and technologies at our disposal, we have had to make a decision as to how best to keep our users secure. I stand by our decision.

The realistic threat from this issue is limited. An attacker who is in a position to exploit this information in memory is already in a very powerful position. No password manager (or anything else) can promise to run securely on a compromised computer.”

KeePass told security publication ZDNet that what ISE found was a “well-known and documented” limitation of “process memory protection.” In fact, that’s verbatim what the company said last September when ISE brought up the issue in KeePass’ bug reporting forum.

The company pointed to its own security guidelines:

“For some operations, KeePass must make sensitive data available unencryptedly in the process memory. For example, in order to show a password in the standard list view control provided by Windows, KeePass must supply the cell content (the password) as unencrypted string (unless hiding using asterisks is enabled),” according to KeePass.

Pushing for Fix

ISE’s Bednarek argues that data sanitization in the context of memory and clear text passwords is 100 percent possible.

“RoboForm does a good job of managing memory and sanitizing secrets, but had one issue where the master password was left on the stack during some function calls and never cleaned up,” Bednarek said. “They were the first to address this issue as they value having a locked password manager that does not give up secrets.”

He also pointed out that while 1Password, Dashlane and KeePass appear to view memory management issues as an acceptable risk, LastPass did rush a patch out after being contacted by members of the media.

“Fundamentally, the core issue is that the ‘lock button’ can give users a false sense of security and this may result in password managers running in the background which can be mined for secrets,” Bednarek said. “The easiest fix is to change the functionality of the lock button to simply terminate the process, letting the Windows kernel zero out any unreferenced pages before re-issuing them to other applications that allocate memory.”
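
The kind of secrets sanitization Bednarek describes, sketched in C as an added example (not code from ISE or any of the vendors named here): the `vault` struct, `toy_derive` and the other names are hypothetical, and the key derivation is a placeholder rather than a real KDF. It shows the two cleanup points raised above, the temporary copy of the master password on the stack and the secrets still held when the user locks.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Wipe through a volatile pointer so the compiler cannot drop the
   stores as "dead", as it may with a plain memset before return. */
static void secure_wipe(void *p, size_t n) {
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}

#define KEY_LEN 32
#define PW_MAX  128

struct vault {            /* hypothetical structure for this example */
    uint8_t key[KEY_LEN]; /* secret material held while unlocked */
    int unlocked;
};

/* Stand-in for a real KDF (NOT secure): folds the password into key. */
static void toy_derive(const char *pw, size_t len, uint8_t key[KEY_LEN]) {
    memset(key, 0, KEY_LEN);
    for (size_t i = 0; i < len; i++)
        key[i % KEY_LEN] = (uint8_t)(key[i % KEY_LEN] * 31u + (uint8_t)pw[i]);
}

/* Unlock: the master password is copied into a stack buffer for
   processing, and that copy is wiped before the function returns. */
int vault_unlock(struct vault *v, const char *master) {
    char tmp[PW_MAX];
    size_t len = strlen(master);
    if (len == 0 || len >= sizeof tmp) return -1; /* nothing copied yet */
    memcpy(tmp, master, len + 1);
    toy_derive(tmp, len, v->key);
    secure_wipe(tmp, sizeof tmp);   /* no plaintext left on the stack */
    v->unlocked = 1;
    return 0;
}

/* Lock: clear every secret this structure still holds. */
void vault_lock(struct vault *v) {
    secure_wipe(v->key, sizeof v->key);
    v->unlocked = 0;
}

/* Returns 1 if no non-zero key byte remains in the vault. */
int vault_is_clean(const struct vault *v) {
    uint8_t acc = 0;
    for (size_t i = 0; i < KEY_LEN; i++) acc |= v->key[i];
    return acc == 0;
}
```

Platform primitives such as `SecureZeroMemory` on Windows or `explicit_bzero` on the BSDs and glibc serve the same purpose as `secure_wipe`. Copies made by the caller or by UI controls are outside what this code can clear, which is the limitation KeePass describes.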

(This article was updated 2/20 at 4:20pm ET with a comment from Adrian Bednarek)
