Security researchers have recently found flaws in several popular password managers that can allow attackers with access to a computer to retrieve passwords from its memory. While the vulnerabilities are real, protecting secrets in memory is an ongoing issue for the software industry, and experts have pointed out that there are much easier ways to steal passwords.
The report that stirred up some controversy in the security community was released last week by Independent Security Evaluators (ISE), a security consultancy with a good track record of finding software vulnerabilities. The company tested the desktop versions of LastPass, Dashlane, 1Password version 4, 1Password version 7 and KeePass. ISE investigated the security guarantees provided by the applications while they were in three states: not running with password vault locked, running with password vault unlocked and running but with password vault locked.
Why hackers can find passwords in memory
Password managers encrypt the password database with a key derived from the user's master password. When a user types a master password, the key is loaded in the program's memory and the vault is unlocked. Some or all individual passwords stored in the vault might also temporarily be copied in the program's memory as they're being used.
ISE looked at how well the applications scrubbed these secrets from memory and found that some left "residual buffers" behind. These buffers could allow recovery of the master password or individual user passwords while the applications were still running but were supposed to have their password vaults in a locked state -- the users intentionally locked them or logged out.
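The residual-buffer problem above comes down to whether the derived key (and the typed master password) is overwritten when the vault is locked. The following C program is an added illustration, not code from ISE or from any of the tested products: it models a vault with a hypothetical `vault_t` struct, a stand-in key derivation (a real manager would use a slow KDF such as PBKDF2 or Argon2), a lock routine that only flips the lock flag beside one that scrubs the key through a volatile pointer, and a check that counts how many key bytes survive each lock. The master password "correct horse battery staple" is a constructed sample.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KEY_LEN 32

/* Hypothetical vault state: the key derived from the master password plus a lock
 * flag. Constructed for this example; it is not any vendor's data structure. */
typedef struct {
    uint8_t key[KEY_LEN];
    int unlocked;
} vault_t;

/* Wipe through a volatile pointer so the compiler cannot discard the stores as
 * dead (a plain memset() right before free/return is often optimised away).
 * Platforms also offer explicit_bzero(), SecureZeroMemory() or memset_s(). */
static void secure_zero(void *p, size_t n)
{
    volatile uint8_t *vp = (volatile uint8_t *)p;
    while (n--)
        *vp++ = 0;
}

/* Stand-in for a key derivation function. A real manager uses a slow KDF such
 * as PBKDF2 or Argon2; this FNV-1a style mix only produces a deterministic,
 * non-zero key for the demonstration. */
static void derive_key(const char *master, size_t len, uint8_t out[KEY_LEN])
{
    uint32_t h = 0x811c9dc5u;
    for (size_t i = 0; i < KEY_LEN; i++) {
        h ^= (uint8_t)master[i % len];
        h *= 0x01000193u;
        out[i] = (uint8_t)(h ^ (h >> 16));
    }
}

/* Count key bytes that are still non-zero: the verification to run after a
 * lock to confirm that no residual buffer remains. */
size_t key_residue_bytes(const vault_t *v)
{
    size_t n = 0;
    for (size_t i = 0; i < KEY_LEN; i++)
        n += (v->key[i] != 0);
    return n;
}

/* Unlock: derive the key into vault memory, then wipe the typed master
 * password, which is itself a secret that must not linger in a buffer. */
void vault_unlock(vault_t *v, char *master, size_t len)
{
    derive_key(master, len, v->key);
    v->unlocked = 1;
    secure_zero(master, len);
}

/* Leaky lock: clears the flag but leaves the derived key in place. */
void vault_lock_leaky(vault_t *v)
{
    v->unlocked = 0;
}

/* Scrubbed lock: zeroes the key before clearing the flag. */
void vault_lock_scrubbed(vault_t *v)
{
    secure_zero(v->key, sizeof v->key);
    v->unlocked = 0;
}

/* Run one unlock/lock cycle with the constructed master password and report
 * how many key bytes survive the chosen lock routine. */
size_t residue_after_lock(void (*lock)(vault_t *))
{
    vault_t v;
    char master[] = "correct horse battery staple"; /* constructed sample */
    memset(&v, 0, sizeof v);
    vault_unlock(&v, master, strlen(master));
    lock(&v);
    return key_residue_bytes(&v);
}

size_t residue_after_leaky_lock(void)    { return residue_after_lock(vault_lock_leaky); }
size_t residue_after_scrubbed_lock(void) { return residue_after_lock(vault_lock_scrubbed); }

int main(void)
{
    printf("key bytes left after leaky lock:    %zu\n", residue_after_leaky_lock());
    printf("key bytes left after scrubbed lock: %zu\n", residue_after_scrubbed_lock());
    return 0;
}
```

The leaky variant reports a full key still present after "locking", which is exactly the residual buffer ISE describes; the scrubbed variant reports zero. In a real application the same discipline has to cover every copy the key passes through (stack temporaries, clipboard buffers, language-runtime strings), which is why managers written on top of garbage-collected runtimes find this harder than the snippet suggests.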
However, all the tested applications sufficiently secured their password database when they weren't running, meaning that if those databases were to be stolen from disk and a strong master password was used, it would be computationally very hard for an attacker to crack that password using brute-force techniques.
The remaining concern is memory scraping attacks, where malware or an attacker searches the contents of RAM for secrets. The caveat is that to pull off such an attack, a hacker would already need access to the local computer.
"The master password isn't the goal; it's just a stepping stone to the goal," said Jake Williams, principal consultant at Rendition Infosec, via email. "The real goal is the passwords for the accounts that are protected by the password manager. Form grabbing, where the user injects into the browser, would be one way to steal the account passwords. Keylogging is another obvious method for getting these passwords (or even the master password itself)."
Even the ISE researchers have mentioned in their report that "no matter how closely a password manager may adhere to our proposed ‘security guarantees’, victims of keylogging or clipboard sniffing malware/methods have no protection."
Experts say keep using password managers despite vulnerability
The presence of this vulnerability, which can only be mitigated to some extent, doesn't make password managers any less useful and needed, especially since a very large number of account compromises are the result of people using weak passwords or reusing the same password for multiple accounts.
One of the best ways for users to protect their online data is to have unique passwords for each of their online accounts. The only reasonable way to keep track of a large number of long and complex passwords is with a password management application.
According to Williams, advising people to stop using password managers because of memory scraping risks is akin to advising people not to use seat belts when driving because on very rare occasions they can trap people in the car during an accident. "The analogy is actually a little worse than that though," Williams says. "On the seat belt side of the analogy, I have examples I can point to where they actually have caused harm. I can't cite a single case where password managers were compromised through memory scraping."
However, memory scraping malware does exist and has been used in the past, for example, to steal credit card information from compromised point-of-sale systems. A high-profile case where such techniques were employed was the 2013 data breach at Target that resulted in the compromise of 41 million payment cards.
Such malware could easily be extended to steal any data from memory, including passwords, as long as attackers know where to look for the information. It doesn't change the fact that if an attacker can run malware on the system, they can also run a keylogger and get the passwords that way, which is much easier and doesn't require any specialised knowledge.
The issue of protecting secrets in the memory of running programs has been a difficult problem to solve for years. That's why some devices have dedicated cryptographic chips that run in parallel or together with the main CPU and are used to store encryption keys or to perform sensitive operations that involve those keys.
Examples of such technologies are the Trusted Platform Module (TPM) chips in business laptops, the Intel Software Guard Extensions (Intel SGX) present in modern Intel CPUs, the ARM TrustZone in ARM CPUs, the Secure Enclave present in iOS devices or the Qualcomm Secure Execution Environment (QSEE) from Qualcomm chips. Not even these modern technologies are free of flaws.
"We've seen numerous reports of technology manufacturers of smartphones and other devices having problems with their secure enclaves," says Gavin Millard, vice president of intelligence at security firm Tenable. "If organisations are so concerned, then they shouldn’t be relying on a single key. Instead they should use two- or even three-factor authentication – the combination of something you know (the password) with something you have (a one-time passcode) and something you are (fingerprint, iris/face scan etc.). If the password manager is breached, there is a second element to overcome."
Password manager vendors respond to vulnerability report
Like Williams, Millard believes the benefits of using password managers far outweigh any potential risks of password theft through memory scraping and that those risks can be mitigated in other ways. For example, multi-factor authentication does not prevent the theft of passwords, but having it enabled for accounts prevents attackers from abusing any passwords they steal. Many online services already support two-factor authentication, and companies are increasingly adding it to their internal applications as well.
Sandor Palfy, CTO of LastPass, tells CSO that this vulnerability only affects LastPass for Applications, the company's legacy application for Windows. LastPass learned about the vulnerability through its bug bounty program and made changes to address it. The application will now shut down and clear all memory when users log out, he says.
"The scenario being discussed is that of an attacker who would have taken total control of a user’s device," said Emmanuel Schalit, CEO of Dashlane, via email. "...it is generally well known in the world of cyber-security that the above scenario is an extreme one, in the sense that no mechanism can protect the digital information on a device if that device is already entirely compromised."
Schalit says that Dashlane has covered this scenario in its security white paper, which is available on the company's website, and noted that using this argument to advise against the use of a password manager is "dangerous logic. Saying that you should never use a solution unless it is virtually impossible to compromise leads to essentially rejecting any security software because, in the above scenario, they can all be compromised," he says.
"This is a well-known issue that's been publicly discussed many times before, but any plausible cure may be worse than the disease," says Jeffrey Goldberg, chief defender against the dark arts at 1Password. "Fixing this particular problem introduces new, greater security risks, and so we have chosen to stick with the security afforded by high-level memory management, even if it means that we cannot clear memory instantly. Long term, we may not need to make such a trade off. But given the tools and technologies at our disposal, we have had to make a decision as to how best to keep our users secure. I stand by our decision."
More generally, one of the biggest problems facing information security is the false ideal of eliminating risk, according to Jayson Street, a well-known hacker and security author who is currently vice president of InfoSec at SphereNY. "We are not in the business of eliminating risk," Street tells CSO. "Our job is to mitigate as much risk as we can and then offset what we can't mitigate and accept what we can't offset. It's an ongoing, continuous process, not an absolute solution."
"Do password managers need to be updated and fixed? Yes, because not using one will put most users at greater risk," Street says. "We need to get users to not instantly react but to understand the risk and make informed decisions, which is one of the main functions and responsibilities of information security."