Password Managers Have Flaws. You Should Still Use One, Though...

Recently a researcher working with Independent Security Evaluators (ISE) discovered flaws in several popular password managers that allow an attacker with local access to obtain the master password. Read on for why this isn't a big deal and why you shouldn't throw your password manager away.

The study "Password Managers: Under the Hood of Secrets Management" that disclosed the vulnerabilities in 1Password, Dashlane, KeePass and LastPass was published on February 19th. In all cases, the desktop versions of the password managers were found to leak at least some data from memory while the user interacts with the password manager, ranging from the master password to the password currently being used.
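To make the finding concrete, here is an added C example (not code from the ISE study or from any of the named products) that models a desktop client which leaves its master password resident in process memory after lock, beside a variant that scrubs it; the vault struct, the toy key derivation and the sample password are constructed for illustration only.

```c
#include <stddef.h>
#include <string.h>

/* Scrub via a volatile pointer so the compiler cannot optimise the writes away. */
static void secure_zero(void *p, size_t n) {
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}

/* Simulated desktop-client vault state (constructed for this example). */
typedef struct {
    unsigned char master[64]; /* where the typed master password lands */
    unsigned char key[32];    /* key derived from it (toy XOR-fold, not a real KDF) */
    int unlocked;
} vault_t;

/* Unlock: copy the password in (truncating, never overflowing) and derive the key.
 * A real client would use a proper KDF such as Argon2 or PBKDF2. With scrub=1 the
 * password is wiped once the key exists; with scrub=0 it stays resident in memory. */
static void vault_unlock(vault_t *v, const char *pw, int scrub) {
    size_t len = strlen(pw);
    if (len > sizeof v->master) len = sizeof v->master;
    memcpy(v->master, pw, len);
    memset(v->key, 0, sizeof v->key);
    for (size_t i = 0; i < len; i++)
        v->key[i % sizeof v->key] ^= v->master[i] ^ (unsigned char)(0xA5 + i);
    if (scrub) secure_zero(v->master, sizeof v->master);
    v->unlocked = 1;
}

/* Lock: the leaky variant only flips the flag; the hardened one also wipes the key. */
static void vault_lock(vault_t *v, int scrub) {
    if (scrub) secure_zero(v->key, sizeof v->key);
    v->unlocked = 0;
}

/* Memory-inspection check: scan the whole vault for the plaintext master password. */
static int master_resident(const vault_t *v, const char *pw) {
    const unsigned char *mem = (const unsigned char *)v;
    size_t n = strlen(pw);
    for (size_t i = 0; i + n <= sizeof *v; i++)
        if (memcmp(mem + i, pw, n) == 0) return 1;
    return 0;
}

/* Returns 1 if the master password is still recoverable after lock, else 0. */
static int residue_after_lock(int scrub) {
    vault_t v = {0};
    const char *pw = "correct horse battery"; /* constructed sample secret */
    vault_unlock(&v, pw, scrub);
    vault_lock(&v, scrub);
    return master_resident(&v, pw);
}
```

Scrubbing is the mitigation the page's point depends on: it limits what a locked client exposes, but it cannot help once an attacker already has the local access needed to read the process memory in the first place.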

As the ISE study makes clear, these vulnerabilities require access to the target machine. For the cloud-based password managers tested, the attacks do not target the services or the cloud storage of your passwords. It is well understood in the security community that once an attacker has local access to a machine, the machine is the attacker's to do with as they wish. For these attacks to work, the attacker would already need to control your machine OR convince the target to install a piece of malware. Once an attacker has this level of access, they could be watching you enter your master password and capturing every keystroke from your keyboard anyway, which is far more likely and easier to implement than these attacks.

Also of note is the fact that these vulnerabilities require the target to be using the desktop version of the password manager (NB: KeePass only has a desktop installation option). In my travels, I find this to be very uncommon. Most people are using browser extensions or mobile apps.

With anything in security, you need to determine the risk. It is also important to remember that there is no such thing as '100% safe', only 'safer' and 'less risky'. In this case, it is unlikely that you are using the desktop installation of the password management tool, and the attack requires access to the target machine. The likelihood of this risk materialising is low, and it requires a level of access that is already detrimental to the target system and would cause any number of other problems. The risks of NOT using a password manager, however, are much higher. Being able to create unique, complex passwords without having to remember them significantly benefits your security posture, which is why, despite its findings, ISE stated that "First and foremost, password managers are a good thing. All password managers we have examined add value to the security posture of secrets management."

If you are worried about this vulnerability, either use one of the managers that has patched it, or simply uninstall the desktop version of the manager and don't use it.