A recent security review of several prominent password managers was released with, in my opinion, over-sensationalized findings. Some prominent password managers such as 1Password, Dashlane, KeePass, and LastPass expose unencrypted passwords in local memory after the password manager has been locked.
This doesn’t mean that just anyone had access to your passwords. They would have to get through all of your other security measures first. In short, it’s not an easy vulnerability to exploit. Another big caveat here: these tests were performed on the installed application rather than the browser extensions or add-ons. Most of us use the browser extensions exclusively.
To be fair, most encrypted data has to be held unencrypted in memory while it is in use; that is normal. However, password managers are held to a higher standard: when a user locks the password manager, they expect everything to be secure again. Because of this, several vendors stated that they already knew of the flaws and had a fix in the pipeline that should be out within the week. Some others stated that it was a known flaw with the operating system and they wouldn’t be offering a fix.
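The gap between "locked" and "scrubbed" is easiest to see in code. The following is a constructed illustration added here, not code from any of the vendors named above: a toy vault with a stand-in key derivation, a naive lock that only flips a flag (leaving the key in memory, the behaviour the review found), and a lock that wipes the key buffer through a volatile pointer so the compiler cannot optimize the wipe away.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define KEY_LEN 32

/* Toy vault: holds the decrypted master key only while unlocked. */
typedef struct {
    uint8_t key[KEY_LEN];
    int unlocked;
} vault_t;

/* memset() on a buffer that is never read again may be removed by the
 * optimizer; writing through a volatile pointer keeps the wipe in place. */
static void secure_zero(void *p, size_t n) {
    volatile uint8_t *v = (volatile uint8_t *)p;
    while (n--) *v++ = 0;
}

/* Stand-in for key derivation (assumption: a real manager runs a KDF). */
static void vault_unlock(vault_t *v, const char *master_password) {
    size_t len = strlen(master_password);
    if (len == 0) return;
    for (size_t i = 0; i < KEY_LEN; i++)
        v->key[i] = (uint8_t)(master_password[i % len] ^ (uint8_t)i);
    v->unlocked = 1;
}

/* The flawed pattern: the UI says "locked" but the key is still resident. */
static void vault_lock_naive(vault_t *v) { v->unlocked = 0; }

/* The fix: scrub key material before reporting the vault as locked. */
static void vault_lock(vault_t *v) {
    secure_zero(v->key, KEY_LEN);
    v->unlocked = 0;
}

/* Returns 1 if any key bytes remain in the buffer, 0 if fully scrubbed. */
int vault_key_residue(const vault_t *v) {
    uint8_t acc = 0;
    for (size_t i = 0; i < KEY_LEN; i++) acc |= v->key[i];
    return acc != 0;
}

/* Constructed master password; both demos return the residue check after locking. */
int demo_naive_lock_leaves_residue(void) {
    vault_t v = {0}; vault_unlock(&v, "correct horse battery");
    vault_lock_naive(&v); return vault_key_residue(&v);
}
int demo_secure_lock_clears(void) {
    vault_t v = {0}; vault_unlock(&v, "correct horse battery");
    vault_lock(&v); return vault_key_residue(&v);
}
```

The residue check stands in for what the reviewers did with a memory dump; a vendor fix is essentially moving from the naive lock to the scrubbing one.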
Some other things to consider…
- The news media are often looking for ways to make the headline catchy to get eyes on their article. They are also trying to simplify a very complex topic for everyday consumption.
- Password managers are still exponentially more secure than the alternatives. Don’t revert to writing all your passwords down or using the same password for every system again.
- Security is always a combination of multiple measures and controls working in concert. It’s never about any one thing. The more layers and walls you have in place, the less likely someone is going to get your sensitive information.
There are still plenty of protections in place between your passwords and a hacker even with this recently discovered flaw. Pay more attention to the response from your password manager vendor than the fact that the flaw exists. The vendor’s response tells much more about their commitment to security. All software has flaws and must be patched regularly. How accepting is the vendor that the flaw exists and is important and how quickly do they address the flaw? Those are the real questions here.