Are password managers safe?
Credit: The Washington Post — Clare Ramirez

A new study has identified security flaws in five of the most-popular password managers.

Now for some counterintuitive advice: I still think you should use a password manager. So do the ethical hackers with Independent Security Evaluators who came to me with news of the flaws — and other security pros I spoke to about the study, published Tuesday. You wouldn’t stop using a seat belt because it couldn’t protect you from every kind of vehicle accident. The same applies to password managers.

But the research, which finds password manager users are vulnerable to targeted malware attacks, does shine a light on ways to bolster our defenses. And it speaks to a bigger truth that gets lost in headlines about breaches and bugs: Online safety isn’t about being unhackable, it’s about not being the lowest-hanging fruit.

Password managers are programs that keep all your login details in an online safe-deposit box. They’re critical tools for staying safe because the No. 1 most annoying thing about the internet — passwords — leads people to make the No. 1 security mistake — reusing passwords. Hackers know we do this, so they take passwords from one breached site and then try them on lots of others. Using a program to keep track of all your unique passwords takes some adjustment, but they’re getting simpler and can make logging into things faster.

The question that’s haunted these programs is: How is it possibly safe to put all your passwords in one basket? If someone steals it, you’re hosed.

For accountability’s sake, audits like the new one by ISE are important. It found the Windows 10 apps for 1Password, Dashlane, KeePass, LastPass and RoboForm left some passwords exposed in a computer’s memory when the apps were in “locked” mode. To a hacker with access to the PC, passwords that should have been hidden were no more secure than a text file on your computer desktop. (The researchers only studied Windows apps, but say it may affect Apple Macs and mobile operating systems, too.)

1Password, LastPass and Roboform even exposed master passwords, used to unlock all your other passwords. “The ‘lock’ button on password managers is broken — some more severely than others,” said lead researcher Adrian Bednarek.

The companies had a range of responses. LastPass and RoboForm told me they would issue updates last week. Dashlane said it had documented the issue for some time and been working on fixes, but it has higher-priority security concerns. KeePass and 1Password shrugged it off as a known limitation with Windows and an accepted risk.

Casey Ellis, the founder of Bugcrowd, a site for researchers to report vulnerabilities, told me companies have to weigh the risk of each discovered bug and figure out what to prioritize. “Password companies have some of the highest standards of security, and folks should be able to sleep pretty well at night knowing that these companies are taking concerns seriously,” he said. “Vulnerabilities aren’t mysterious — they’re a product of the fact that people aren’t perfect — and finding them is a good thing.”

Why isn’t this a pants-on-fire issue? Because at the moment, we’re ahead of the threat. There’s no evidence hackers are targeting the PCs of individual password manager users. The question is: How long will that last?

Yes, there is risk in storing all your passwords in one place with a password manager. But it’s helpful to look at the risk like a hacker: There’s no “safe” and “unsafe.” There’s “safer than,” or “better than.” Being 100 percent safe would require disconnecting from the Internet and moving to an undisclosed bunker.

Assuming the bunker isn’t an option for you, your choices are: Reusing passwords or trusting a password manager.

The latter certainly wouldn’t be safer if password manager companies were exposing millions of our passwords at once through breaches of their servers. The companies encrypt our secrets, and don’t store our master passwords used to unlock the encryption. If their servers do get hacked, the data is gobbledygook without the master password only each individual user knows. (So choose a unique master password, never share it with anyone, and definitely don’t forget it.)

The bug ISE found raises a different kind of risk: passwords exposed on the memory of individual users’ PCs. Any exposure “puts users’ secret records unnecessarily at risk,” Bednarek wrote in his report. But this discovery is nowhere close to our worst-case scenario. To peer into your PC’s memory, a hacker would likely either need to be sitting at your computer or trick you into installing malware that has control over your computer.
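To make the ISE finding concrete, here is an added illustration in C (not ISE's code and not any vendor's): a toy vault whose "lock" only flips a flag leaves the master password recoverable from process memory, while a lock that scrubs the buffer before reporting itself locked does not. All names and the sample secret are hypothetical.

```c
#include <stdbool.h>
#include <string.h>

#define MASTER_MAX 64

/* Hypothetical vault: holding the master password in memory while unlocked
 * is normal; the question is what "lock" does with it afterwards. */
struct vault {
    bool locked;
    char master[MASTER_MAX];
};

/* Zeroise through a volatile pointer so the compiler cannot drop the store
 * as a "dead" write (the same idea as explicit_bzero / SecureZeroMemory). */
static void secure_zero(void *p, size_t n) {
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}

void vault_unlock(struct vault *v, const char *master) {
    strncpy(v->master, master, MASTER_MAX - 1);
    v->master[MASTER_MAX - 1] = '\0';
    v->locked = false;
}

/* Weak lock, the pattern ISE flagged: the UI is locked, memory is not. */
void vault_lock_weak(struct vault *v) { v->locked = true; }

/* Hardened lock: scrub the secret, then report "locked". */
void vault_lock_scrubbed(struct vault *v) {
    secure_zero(v->master, sizeof v->master);
    v->locked = true;
}

/* Defender check: scan the vault's raw bytes for the secret, the way an
 * inspection of a locked process's memory would. */
bool secret_in_memory(const struct vault *v, const char *secret) {
    const unsigned char *mem = (const unsigned char *)v;
    size_t n = strlen(secret);
    for (size_t i = 0; i + n <= sizeof *v; i++)
        if (memcmp(mem + i, secret, n) == 0) return true;
    return false;
}

/* Unlock with a constructed secret, lock with the given routine, and report
 * whether the vault claims to be locked yet still holds the secret. */
bool lock_leaks(void (*lock)(struct vault *), const char *secret) {
    struct vault v = {0};
    vault_unlock(&v, secret);
    lock(&v);
    return v.locked && secret_in_memory(&v, secret);
}
```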

Hackers typically prefer mass attacks rather than going after individuals, unless it’s an extremely high-value individual. For mass attacks, there’s much lower hanging fruit … such as all those people still reusing passwords.

The worry for Bednarek: As more people use password managers, malware makers might start targeting their PCs to steal passwords. Multiplied over millions of password manager users, a low risk to the individual could turn into a large number of exposed passwords. He says his goal is to “establish a reasonable minimum baseline which all password managers should comply with.”

The companies said malware isn’t just a risk to password manager users. A hacker with access to your computer might also make use of code such as a key logger that slurps up all your activity — at which point, using a password manager is not your only problem.

The companies and the researchers also disagree over how much they can do about the memory leak problem without fundamental changes to operating systems. Dashlane’s CEO Emmanuel Schalit said local memory attacks are still a hypothetical concern. “It is more important for us to work on strengthening even further core components of our server infrastructure or cryptography, because this has a more material impact on our users’ security,” he said.

Both sides agree on one thing: Your personal devices are the weak link. It’s a lot harder for a password manager — or any software — to protect your valuable data if the computer you’re working on is compromised.

So make yourself not worth hacking by:

Updating your software religiously: New versions contain very important security patches.

Checking your computer for malware. I recommend Malwarebytes for Windows and MacOS.

Being very careful about installing software that comes from places other than Microsoft, Apple and Google-managed app stores. Say no to Web browser extensions and pop-up messages.

Not storing extremely valuable secrets such as bitcoin private keys in password managers.

The other lesson from the new research is in how the password managers handled the problem. “They all are not created equal,” said Bednarek. Dashlane and KeePass did the best job at protecting master passwords in the computer’s memory. Dashlane remains my top-choice password manager for consumers, even though it’s also the most expensive.

I also learned from how seriously they responded to ISE when Bednarek contacted them — and to me when I followed up. KeePass dismissed it as old news, and RoboForm had little to say. Dashlane put me on the phone with its CEO. 1Password’s Chief Defender Against the Dark Arts sent me lengthy emails. LastPass had me speak with its top technical executive — but it also got Bednarek banned on Bugcrowd, the site for researchers to report flaws, because he disclosed the bug to me. Troy Hunt, a security expert who runs the compromised-passwords database haveibeenpwned.com, said password managers ought to be as resilient as possible. “If the outcome of this is that impacted password managers further strengthen their security posture then that’s a good thing,” he said. “So long as it doesn’t scare off their users.”