Threatpost Poll: Are Password Managers Too Risky?

Weigh in on password managers with our Threatpost poll.

Do you use a password manager? Or do you think they pose too much of a risk, holding all the keys to the kingdom? Weigh in with our poll, below.

A little background: There have been vulnerabilities found before in this kind of software, which is meant to take the headache out of remembering multiple unique passwords by remembering them for you. Malware has also been found targeting it. The latest is word that a local adversary can crack open and steal passwords stored by the 1Password, Dashlane, KeePass and LastPass utilities.

Adrian Bednarek with Independent Security Evaluators (ISE) wrote in his research report that each of them “fails in implementing proper secrets sanitization for various reasons.”

The firms have fiercely pushed back on the assessment that this poses a serious risk, and indeed, even for ISE, this was far from a deal breaker. At the same time, ISE also advocated that password-manager firms tighten up their application memory management.

How do you feel about password managers? Take our short poll and let us know. Also feel free to comment on this post with any meatier thoughts you may have.

 

 


Discussion

  • HomePC on

    I don't use a password manager. I do use a password-protected Excel spreadsheet to hold my passwords. That way they are in my hands and not some 3rd party. I also keep a hard-coded printout in a safe place.
  • Paul Moore on

    You cannot make password managers safer using 2FA. If your password manager uses authentication over encryption, you have bigger issues. Several companies advertise 2FA support, but it's not technically possible. It's security theatre by the marketing department.
  • mark on

    @HomePC: but what you've described is just how password managers work - they don't share the passwords with third parties. And even if you don't trust LastPass, with managers like KeePass, there is no third party. And the recent security risks exposed likely affect your hand-made method too: When you view your decrypted passwords in Excel, can you view one at a time? Are the passwords scrubbed from memory after you've viewed them? If not, you're vulnerable in the same way.
  • vim_usr on

    You should consider KeePassXC (or something similar) as you're in control of your encrypted database file, which is arguably safer than your password-protected Excel spreadsheet, and still fully in your control.
  • D on

    If your device is compromised by someone's backdoor, then all info on your device is not in a safe place. Use 2FA when you can over TOTP, for example Authy; don't be lazy, and in the worst case use 2FA over SMS. I don't see the point of buying hardware tokens, money on air... I use KeePass and I know about the KeeFarce malware. This doesn't bother me because I don't leave KeePass open longer than 3 minutes. Storing passwords in browsers is as bad as using one password for all systems...
  • Rich on

    That's not entirely true. For password managers that store their vaults in the cloud, 2FA prevents phishing attacks from getting your vault, even if they get your master password. Otherwise I agree. If malware can keylog your master password, it can get the local cache of your vault.
  • Diogene on

    2FA is not a real solution because if someone gets access to your local computer, they can simply get the pw manager data file. This is why encryption is much more important. The best solution is using a very long encryption key stored on a removable device that you keep physically separate from the pw manager data file most of the time.
  • Cyber Art on

    Keeper Security does not have this vulnerability.
  • Brekmister on

    The weakest point in security is the users. Hackers will always find a way around and users will fall for it because they won't know any better. If there are vulnerabilities in a piece of software and the user knows what they are doing then, ppfffttt yeah, whatever. Well, even then we are still human beings... The #1 key point to what I think can stop attacks is education for the users. Which frankly is too hard so we just keep patching things...
  • qf3l3k on

    All pass mgmt software has to review how they store the master password and passwords database. In all cases the master password should not be held in memory if not needed. At the same time, the passwords database should not be loaded fully into memory (like some pass mgmt software does). Only a single entry (which is used at the moment) should be in memory and once used, should be removed, so nothing can be scraped from memory.
  • HomePC on

    Yes, that is true. All methods suffer from the "memory leakage" mentioned in the article. Memory scrubbers would be a good practice for all of us, or better yet, to incorporate into the OS when applications are closed. My point was that I trust the encrypted database (spreadsheet) to be in my hands, and not a 3rd party's hands. Those 3rd parties are a bigger target for attackers than my little laptop. Now, that may not be the case with all users. The follow-up article mentioned "dumb users". I trust myself not to get malware on my machine. Lately, I have adopted the practice of only using my encrypted spreadsheet on a Linux box on a Virtual Machine.
  • HomePC on

    Would like to add, that I was/am not aware of any password managers that ONLY run on a local machine. Those would be akin to an encrypted spreadsheet; although as a software offered from a 3rd party, they might be prone to malware attacks. Same could be said of spreadsheets, I guess. I don't use Excel as my spreadsheet application.
  • Anonymous on

    If you use a password protected spreadsheet... you use a sh!#%y password manager.
