Major Security Issue Leaves Your Managed Passwords Vulnerable

June 25, 2019

It’s likely you have a few passwords that you need to remember. Most security professionals recommend that you do just that: Remember them. However, realistically, it’s more likely that you have some sort of system to help you keep track of all of them. It might be clues to trigger your memory, it might be writing them in a notebook that you keep separate from your computer and hidden away, or it might be using a password manager. If you are using the last one, a new report may make you nervous.

The report by Independent Security Evaluators (ISE) found that some of these password management products actually store the master password in the computer’s memory in plain text. That means that to get to all of the passwords kept in the password manager, someone with access to your computer just needs to look through its memory and find that master password.

Before you go into a panic, it’s still better to store your passwords in one of these products than to have sticky notes plastered all over your desk and computer monitor. They are also far better than using the same password for multiple websites. And they will certainly help you create strong, unique passwords for each site, which is highly recommended. It’s just good to know the risks. The companies in question have acknowledged this issue and recommend that you shut down the product when you are not using it rather than letting it run in the background.

The ones that have this issue include 1Password, Dashlane, KeePass, and LastPass on Windows 10. There may be others, but ISE tested these in particular. LastPass actually did release a fix when it was alerted to the issue. It changed the function of the “Lock” button.

Until or unless patches are released for these products, don’t leave the password manager app running, whether in the background or “locked.” Close it down completely. In addition, because phishing is such a popular way for attackers to try to get to your devices, be on the lookout for phishing email messages and texts. If you don’t know the sender or receive something unexpected asking you to click, just don’t.

Be sure to keep anti-virus products installed and updated on your devices too. They won’t catch everything, but they are a great first line of defense to keep your products and your identity safe.

Stickley on Security
Published June 23, 2019