The most widely used password managers sport fundamental vulnerabilities that could allow malware to steal the master password or other passwords stored by the software directly from the computer’s memory, researchers with Independent Security Evaluators (ISE) have found.
They tested the 1Password, Dashlane, KeePass and LastPass password manager applications for Windows, which are collectively used by 60 million users and 93,000 businesses worldwide.
They reverse engineered each software package to evaluate its handling of secrets in its various states: not running, running and unlocked, running and locked.
“We expected and found that all password managers reviewed sufficiently protect the master password and individual passwords while they are not running,” they noted.
But they found that standard memory forensics can be used to extract the master password and the other passwords and secrets these applications are supposed to guard while they are in the “running and locked” state.
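The “running and locked” weakness described above, as an added example that is not from the ISE report or any of the tested products: a mock vault in C where a fixed byte arena stands in for process memory, one lock routine merely drops the pointer while the other scrubs the buffer with a volatile store loop first, and a scan of the arena shows which of the two leaves the master password recoverable. The arena, the vault struct and the sample password are constructed assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of a password manager's process memory: one fixed
 * arena stands in for the heap, so a "memory scan" can be simulated
 * without reading freed memory (which would be undefined behaviour). */
#define ARENA_SIZE 4096
static uint8_t arena[ARENA_SIZE];

struct vault {
    uint8_t *master;    /* points into arena while unlocked */
    size_t master_len;
    int locked;
};

/* Unlock: copy the master password into the arena, as a running manager does. */
static void vault_unlock(struct vault *v, const char *master) {
    v->master_len = strlen(master);
    v->master = arena + 128;                  /* arbitrary arena offset */
    memcpy(v->master, master, v->master_len);
    v->locked = 0;
}

/* Naive lock: flips state and drops the pointer; the bytes stay in memory. */
void vault_lock_naive(struct vault *v) {
    v->master = NULL;
    v->master_len = 0;
    v->locked = 1;
}

/* Volatile store loop so the compiler cannot optimise the scrub away
 * (used here instead of the non-portable explicit_bzero/memset_s). */
static void secure_zero(void *p, size_t n) {
    volatile uint8_t *vp = p;
    while (n--) *vp++ = 0;
}

/* Hardened lock: scrub the secret before discarding the pointer. */
void vault_lock_scrub(struct vault *v) {
    secure_zero(v->master, v->master_len);
    vault_lock_naive(v);
}

/* Simulated forensic scan: 1 if the needle's bytes appear anywhere in the arena. */
static int arena_contains(const char *needle) {
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= ARENA_SIZE; i++)
        if (memcmp(arena + i, needle, n) == 0) return 1;
    return 0;
}

/* Driver: returns 1 if the master password survives the given lock routine. */
int secret_survives_lock(void (*lock)(struct vault *)) {
    struct vault v = {0};
    memset(arena, 0, ARENA_SIZE);
    vault_unlock(&v, "correct horse battery staple"); /* constructed sample */
    lock(&v);
    return arena_contains("correct horse battery staple");
}
```

Locking with `vault_lock_naive` leaves the password recoverable from the arena (returns 1); `vault_lock_scrub` does not (returns 0).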