SoylentNews is people
SoylentNews
A security consulting firm released a report on the safety of password managers. A non-geek, summarized version is also available at the Washington Post. (Summarized graphic of results.)
The password managers included in the study were 1Password 4, 1Password 7, Dashlane, KeePass, LastPass. Unfortunately, the testing was limited to Win10 even if the password managers were available on other platforms. They all had some flaws, but as reported, you should still use one. They were all tested for encryption method on the database, accessibility of the master password and keys in memory while unlocked, and the master password and keys in memory while locked.
All were evaluated to have adequate encryption on the file. 1Password 4 (which actually had better memory security than 1Password 7,) was best at keeping individual passwords safe in memory; while KeePass was best at keeping the Master Password safe in the memory tests (although Dashlane did the same while it while in a locked state.)
(Score: 4, Informative) by ElizabethGreene on Thursday February 21 2019, @04:50PM
It's hard to do right.
For a password manager the user would enter a key to unlock the database, and you'd keep that key in one buffer only, not passing it by value. That buffer would be mlock() (Linux) or VirtualLock() (Windows) to keep it from paging. When a user asks for a password you only decrypt that one password, not the whole list and use similar precautions. When the password manager is locked or goes idle you explicity overwrite your buffers with zeroes or before freeing the memory.
See also: Secure Programming Cookbook for C and C++ by Matt Messier, John Viega [amzn.to] (Amazon Link, but don't pay $80 for it. Get the $15 used copy or safari it.)