Stories
Slash Boxes
Comments

SoylentNews is people

posted by cmn32480 on Thursday February 21 2019, @09:48AM   Printer-friendly
from the *********** dept.

A security consulting firm released a report on the safety of password managers. A non-geek, summarized version is also available at the Washington Post. (Summarized graphic of results.)

The password managers included in the study were 1Password 4, 1Password 7, Dashlane, KeePass, LastPass. Unfortunately, the testing was limited to Win10 even if the password managers were available on other platforms. They all had some flaws, but as reported, you should still use one. They were all tested for encryption method on the database, accessibility of the master password and keys in memory while unlocked, and the master password and keys in memory while locked.

All were evaluated to have adequate encryption on the file. 1Password 4 (which actually had better memory security than 1Password 7,) was best at keeping individual passwords safe in memory; while KeePass was best at keeping the Master Password safe in the memory tests (although Dashlane did the same while it while in a locked state.)


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 2) by The Shire on Thursday February 21 2019, @11:45AM (4 children)

    by The Shire (5824) on Thursday February 21 2019, @11:45AM (#804464)

    I disagree. This isn't a matter of having arbitrary code execution. The article notes that in several cases, dereferenced memory still contains the clear text passwords which can, in theory, be retrieved by a malicious service running in low privilege userspace. And certainly in the case they referenced where a system crash resulted in a memory dump to disk that contained clear text passwords, this information can be retrieved much later, say by someone working in administration or someone who is servicing the machine.

    There's really no good excuse I can think of where a locked password manager would allow passwords, obfuscated or not, to remain in memory.

    Starting Score:    1  point
    Karma-Bonus Modifier   +1  

    Total Score:   2  
  • (Score: 3, Disagree) by driverless on Thursday February 21 2019, @12:07PM (3 children)

    by driverless (4770) on Thursday February 21 2019, @12:07PM (#804465)

    The former won't work because Windows zeroes pages after use [microsoft.com]. The latter is a non-vuln because to read the pagefile contents you need to be admin, at which point you can just install a keylogger or whatever else you feel like.

    I realise that what some of the password managers are doing isn't really good hygiene, but it also isn't the major vuln that the article makes it out to be.

    • (Score: 3, Informative) by The Shire on Thursday February 21 2019, @03:59PM

      by The Shire (5824) on Thursday February 21 2019, @03:59PM (#804545)

      Zeroing out the pages occurs later and clearly the analysts were able to extract the passwords from memory no longer associated with the process so there is sufficient time between the pointer release and the OS level purge. In at least once case, the password manager did not clear the password data from it's allocation before doing a free which results in available memory that still contains sensitive data - this is a flaw they should be able to easily correct.

      As for the pagefile - in the event of a BSOD, a snap dump is made of the current memory state which includes this password data and is saved to either \windows\minidump or \windows\memory.dmp. These file can be accessed either later on or even from a system backup and the passwords extracted. Access to the pagefile itself is not needed.

      There are security vectors being exposed here that we shouldn't just dismiss, and improvements to the existing password managers can be made to further mitigate them.

    • (Score: 3, Informative) by ElizabethGreene on Thursday February 21 2019, @04:53PM (1 child)

      by ElizabethGreene (6748) Subscriber Badge on Thursday February 21 2019, @04:53PM (#804572) Journal

      The former won't work because Windows zeroes pages after use [microsoft.com].

      If you read TFTA, they call that out specifically and the thing you say won't work absolutely did. They were able to retrieve cleartext credentials and the master key from a crash dump or a locked running process that the Windows memory manager hadn't cleaned up yet.

      • (Score: 2) by driverless on Thursday February 21 2019, @11:04PM

        by driverless (4770) on Thursday February 21 2019, @11:04PM (#804766)

        Now we're just going round in circles, and you haven't read what I originally wrote. To bypass the Windows protection mechanisms, you need to either be Administrator or be running as the user with equivalent admin-level privs (SE_BACKUP, SE_DEBUG, etc). If the attacker is already Administrator on the machine or has similar privs that allow them to do whatever they want to the user then the presence or absence of a password manager is irrelevant, the user is screwed.