Are Password Managers as Safe as You Think They Are?

By
Services for Real Estate Pros with IDTheftSecurity.com Inc

You have probably heard of password managers, and you probably think they are pretty safe, right? Well, there is new research out there that may might make you think twice, especially if you use password managers like KeePass, 1Password, Lastpass, or Dashlane. Frankly, I’m not worried about it, but read on.

Specifically, this study looked at the instances of passwords leaking from a host compute or focused on if these password managers were accidently leaving passwords in the computer’s memory.

What was found was that all of the password managers that were looked at did a good job at keeping these passwords secure when in a state where it was “not running.” This means that a hacker would not be able to force the program into giving away the user’s passwords. However, it was also noted that though each password manager that was tested attempted to scrub these passwords from the memory of the computer, it wasn’t always successful…meaning, your passwords could still be in the memory.

Some of these programs, like 1Password, seemed to have left the master password, but also the secret key for the program. This could possibly allow a hacker to access the info in this program. But, it’s important to note that these programs are trying to remove this information, but due to various situational issues, it’s not always possible.

Another program, LastPass, was also examined, and it, too, caused some concern amongst researchers. Basically, the program scrambles the passwords when the user is typing them in, but they are decrypted into the computer’s memory. Additionally, even when the software is locked, the passwords are still sitting in the memory just waiting for someone to extract it.

KeePass, which is yet another password manager, was also looked at here. In this case, it removes the master password from the computer’s memory, and it is not able to be recovered. However, other credentials that were stored in KeePass were able to be accessed, which is also problematic.

Should you be worried about this? Well, it depends on your personal thought process. Some people probably won’t care too much, and others won’t be affected because they don’t use password managers that have these issues. Since the researchers pointed out these issues each password manager has done their own updates and corrected any issues. The real vulnerability isn’t the security of the password managers but the security of the devices, their users and if the users are deploying the same password across multiple accounts.  Using the same password over and over is the risk here. So get a password manager so you can have a different password everywhere.

Robert Siciliano personal security and identity theft expert and speaker is the author of Identity Theft Privacy: Security Protection and Fraud Prevention: Your Guide to Protecting Yourself from Identity Theft and Computer Fraud. See him knock’em dead in this Security Awareness Training video.

close

This entry hasn't been re-blogged:

Re-Blogged By Re-Blogged At
Topic:
ActiveRain Community
Tags:
password
password security
password manager
password attack
master password
password alert

Post a Comment
Spam prevention
Spam prevention
Show All Comments
Rainmaker
1,296,706
Carol Williams
Although I'm retired, I love sharing my knowledge and learning from other real estate industry professionals. - Wenatchee, WA
Retired Agent / Broker / Property Manager

Hi Robert,
I've always wondered about the security of Password Managers.  I figure anything online is vulnerable and have doubted password managers are any different.

Jun 13, 2019 10:24 AM #2
Rainmaker
1,873,900
Grant Schneider
Performance Development Strategies - Armonk, NY
Your Coach Helping You Create Successful Outcomes

Hi Robert - I have been wary of the ease of a password manager.  I don't want to forget the passward manager and lose all my individual passwords.

Jun 13, 2019 10:48 AM #3
Rainmaker
1,529,799
Sandy Padula and Norm Padula, JD, GRI
HomeSmart Realty West & Geneva Financial, Llc. - Carlsbad, CA
Presence, Persistence & Perseverance

As always, Robert Siciliano your content is appreciated and confirms my security protocol of only using a USB drive and not leaving it plugged into my computer unless absolutely necessary

Jun 13, 2019 11:55 AM #4
Rainmaker
3,020,089
Nina Hollander
Coldwell Banker Residential Brokerage - Charlotte, NC
Your Charlotte/Ballantyne/Waxhaw/Fort Mill Realtor

Hi Robert... well, this was certainly an eye-opener. It seems it gets more difficult by the day to stay ahead by even one step.

Jun 13, 2019 12:13 PM #5
Rainmaker
1,177,774
Sheri Sperry - MCNE®
Coldwell Banker Residential Brokerage - Sedona, AZ
(928) 274-7355 ~ YOUR Solutions REALTOR®

Hi Robert Siciliano - Thanks for the info. I think it is important to remain vigilante in this area. 

Jun 13, 2019 01:20 PM #6
Ambassador
3,235,910
Debe Maxwell, CRS
www.iCharlotteHomes.com | The Maxwell House Group | RE/MAX Executive | (704) 491-3310 - Charlotte, NC
Charlotte Homes for Sale - Charlotte Neighborhoods

I use LastPass and did not know about this vulnerability. I'll be more vigilant in the future to ensure I don't fall victim to a hack. Thanks Robert!

Jun 13, 2019 01:40 PM #7
Ambassador
3,809,305
Kathy Streib
Room Service Home Staging - Delray Beach, FL
Home Stager - Palm Beach County,FL -561-914-6224

Hi Robert- I hesitated using a Password Manager for years but finally after reading your blog, I decided to jump in. And I am very careful about my devices. 

Jun 13, 2019 07:32 PM #8
Rainmaker
3,214,993
Sally K. & David L. Hanson
EXP Realty 414-525-0563 - Brookfield, WI
WI Realtors - Luxury - Divorce

We are not trusting of most "security" claimed software.

Jun 14, 2019 05:58 AM #9
Ambassador
3,940,704
Jeff Dowler, CRS
Solutions Real Estate - Carlsbad, CA
The Southern California Relocation Dude

Robert:

Thanks for the 411 on password managers. I don't use them but was aware of some of this. I also heard they have all been hacked.

Jeff

Jun 15, 2019 02:20 PM #10
Rainmaker
1,417,460
Kat Palmiotti
Grand Lux Realty, Monroe NY, 914-419-0270, kat@thehousekat.com - Monroe, NY
The House Kat

I'm suspect of anything keeping passwords safe. Interesting information about these products.

Jun 16, 2019 03:04 AM #11
Rainer
366,931
Jerry Lucas
ABC Legal Docs LLC - Colorado Springs, CO
Mobile Notary Colorado Springs, CO Notary Training

Everyone should be using two-factor authentication (2FA) which requires a second factor to log in, such as a USB Yubi key or authenticator software, sending a one-time passcode (OTP) to your cell phone or email address to be entered quickly.

With 2FA, even if a hacker discovers your password, that is not sufficient to log in without also using the OTP.

Jun 17, 2019 06:51 PM #12
Rainmaker
502,727
Mary Hutchison, SRES, ABR
Better Homes and Gardens Real Estate-Kansas City Homes - Kansas City, MO
Experienced Agent in Kansas City Metro area

I don't use a password manager. It does sound tempting but ....don't want to risk it.

Jun 19, 2019 12:45 PM #13
Post a Comment
Spam prevention
Show All Comments

What's the reason you're reporting this blog entry?

Are you sure you want to report this blog entry as spam?

Rainmaker
849,543

Robert Siciliano

Realty Security and Identity Theft Expert Speaker
Ping me to book a program for your group
*
*
*
*
Spam prevention