20 February 19, 12:45
(This post was last modified: 20 February 19, 21:47 by silversurfer.)
Quote:The Independent Security Evaluators (ISE) conducted a security audit of 1Password, Dashlane, KeePass, and LastPass on Windows 10, and the results are worrying, to say the least.
All of them keep the master password in plaintext in the PC memory, which means a hacker with access to the computer could easily read it and then get access to all the data stored in the password manager.
The master password is the key that is being used by password managers to guard the application, and users are required to provide it whenever they want to unlock it.
Security researchers discovered that this master password remains in the memory of the device in plaintext as long as the password manager itself is in a locked state. This means the password manager has already been launched, unlocked, and then locked automatically for security reasons.
“Using a proprietary, reverse engineering, tool, ISE analysts were able to quickly evaluate the password managers’ handling of secrets in its locked state. ISE found that standard memory forensics can be used to extract the master password and the secrets it’s supposed to guard,” researchers explain.
SOURCE: https://news.softpedia.com/news/major-se...5028.shtml