Turns out the applications that you use to keep your passwords safe aren’t so safe after all. A new study has uncovered security flaws in five of the most popular password managers in the market.
The research shines a light on new ways to enhance the safety of the password managers, stating that security is not about being unhackable – it is about not being the ‘lowest hanging fruit’.
Essentially, password managers act as online safe-deposit boxes for your passwords. Using a program to keep track of your passwords not only makes logging in easier, but also prevents users from making the most common mistake – re-using passwords. Re-using passwords poses a direct threat since hackers are well aware of the fact that this is a common practice. So, they take a password from a hacked site and use it on other sites to access confidential data and information.
So exactly how can you ensure your password managers are actually safe?
One important task is to conduct audits like the new one by ISE. The study found that the Windows 10 apps for 1Password, Dashlane, KeePass, LastPass, and RoboForm left some passwords exposed in the computer’s memory when the apps were in “locked” mode. To a hacker with access to the PC, passwords that should have been hidden were no more secure than a text file on your computer desktop. 1Password, LastPass and RoboForm even exposed master passwords, which are used to unlock all the other passwords.
While the research was conducted only on Windows apps, researchers said Apple Macs and iOS devices could be affected by this flaw too.
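The failure mode the study describes, a “lock” that hides the vault in the user interface but leaves the secret bytes sitting in process memory, comes down to whether the application wipes its buffers. The following C program is an added illustration written for this article, not code from ISE or from any of the password managers named above. It models a hypothetical in-memory vault (`vault_t`, an assumed structure) with two lock routines: a weak one that only flips a flag, and a hardened one that overwrites the secret through a `volatile` pointer before marking the vault locked, so the compiler cannot optimise the wipe away as a dead store. A scan helper then reports how many bytes of the master password are still recoverable after each lock.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical in-memory vault holding the master password (assumed layout, for illustration only). */
typedef struct {
    char secret[64];
    size_t secret_len;
    int locked;
} vault_t;

/* Unlock: copy the master password into the vault's buffer. Returns -1 if it does not fit. */
int vault_unlock(vault_t *v, const char *master) {
    size_t n = strlen(master);
    if (n >= sizeof v->secret) return -1;
    memcpy(v->secret, master, n);
    v->secret[n] = '\0';
    v->secret_len = n;
    v->locked = 0;
    return 0;
}

/* Weak lock: the UI shows "locked", but every byte of the secret stays in memory. */
void vault_lock_weak(vault_t *v) {
    v->locked = 1;
}

/* Secure wipe: a volatile write loop, so the compiler cannot drop the overwrite as a dead store. */
static void secure_zero(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) *vp++ = 0;
}

/* Hardened lock: wipe the buffer before marking the vault locked. */
void vault_lock_secure(vault_t *v) {
    secure_zero(v->secret, sizeof v->secret);
    v->secret_len = 0;
    v->locked = 1;
}

/* Model of a memory scan: how many bytes of the master password are still in the buffer? */
size_t secret_bytes_remaining(const vault_t *v, const char *master) {
    size_t n = strlen(master), hits = 0;
    if (n > sizeof v->secret) n = sizeof v->secret;
    for (size_t i = 0; i < n; i++)
        if (v->secret[i] == master[i]) hits++;
    return hits;
}

/* Constructed sample master password used by the two scenarios below. */
static const char *SAMPLE_MASTER = "correct horse battery staple";

/* Scenario 1: weak lock. Returns the number of secret bytes a scan still finds. */
size_t leak_after_weak_lock(void) {
    vault_t v = {0};
    if (vault_unlock(&v, SAMPLE_MASTER) != 0) return (size_t)-1;
    vault_lock_weak(&v);
    return secret_bytes_remaining(&v, SAMPLE_MASTER);
}

/* Scenario 2: hardened lock. Returns the number of secret bytes a scan still finds. */
size_t leak_after_secure_lock(void) {
    vault_t v = {0};
    if (vault_unlock(&v, SAMPLE_MASTER) != 0) return (size_t)-1;
    vault_lock_secure(&v);
    return secret_bytes_remaining(&v, SAMPLE_MASTER);
}

int main(void) {
    printf("bytes recoverable after weak lock:   %zu\n", leak_after_weak_lock());
    printf("bytes recoverable after secure lock: %zu\n", leak_after_secure_lock());
    return 0;
}
```

The point of the `volatile` loop is the one that trips up real code: a plain `memset` on a buffer that is never read again is a dead store the optimiser is allowed to remove, which is exactly how a “lock” can look correct in source and still leave the master password in memory. Platforms offer purpose-built calls for this (`explicit_bzero`, `SecureZeroMemory`, `memset_s`); the loop here is the portable stand-in.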
“The ‘lock’ button on password managers is broken — some more severely than others,” said lead researcher Adrian Bednarek.
“Password companies have some of the highest standards of security, and folks should be able to sleep pretty well at night knowing that these companies are taking concerns seriously. Vulnerabilities aren’t mysterious — they’re a product of the fact that people aren’t perfect — and finding them is a good thing,” said Casey Ellis, the Founder of Bugcrowd, a site for researchers to report vulnerabilities.
So should you completely stop using password managers? Absolutely not.
Yes, there is a bug in the managers. But that does not mean this cannot be fixed. In the cybersecurity world, there is no such thing as “safe”, “unsafe” or “completely safe”. To be completely safe would require disconnecting from the internet altogether. Therefore, you must always try to find a solution that is “better than” or “safer than” others.