To keep yourself safe online, you're always advised to use secure passwords, and not reuse them.
Because that's hard to do, many suggest using password managers for convenience. Unfortunately, it seems some of those are leaking your passwords as well.
A new study by Independent Security Evaluators (ISE), published this week, found that many popular password manager services have loopholes that can be exploited. Apparently big names like 1Password, Dashlane, KeePass and LastPass were all affected by these bugs, which could potentially let your passwords be stolen.
The team said that each of these services "failed to provide the security to safeguard a user's passwords as advertised" and "fundamental flaws" were found that exposed the data they were supposed to protect. Like, they had just one job.
The vulnerabilities were uncovered in these services working on Windows 10 PCs. In one case the master password, with which a user accesses the service and therefore all their saved passwords, was stored in the computer's RAM in plain text.
"Users are led to believe the information is secure when the password manager is locked," ISE said. "Though, once the master password is available to the attacker, they can decrypt the password manager database -- the stored secrets, usernames, and passwords."
In their study, ISE was able to extract the saved passwords and other login details even when the password manager was supposedly locked. Unfortunately, they believe this can be reproduced by malware without any human intervention.
"This paper is not meant to criticize specific password manager implementations; however, it is to establish a reasonable minimum baseline which all password managers should comply with," the report said. "It is evident that attempts are made to scrub any sensitive memory in all password managers. However, each password manager fails in implementing proper secrets sanitization for various reasons."
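The "secrets sanitization" ISE refers to is the practice of overwriting a secret in memory as soon as it is no longer needed, so that a locked manager's process holds no recoverable copy of the master password. The C example below is added here to illustrate that point; it is not ISE's code and not code from any of the products named above. It contrasts a hypothetical unlock routine that forgets to scrub its working buffer with one that scrubs it through a volatile pointer (the same idea as `explicit_bzero` or `memset_s`, which a plain `memset` does not guarantee because the compiler may drop a write to memory that is never read again). The password string and the toy key derivation are constructed for the demo and are not a real KDF.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_PW 256

/* Working buffer a hypothetical password manager uses while unlocking. */
typedef struct {
    unsigned char buf[MAX_PW];
    size_t len;
} secret_t;

/* Compiler-resistant zeroisation: stores through a volatile pointer cannot be
 * elided as "dead" the way a trailing memset() on a soon-discarded buffer can. */
static void secure_zero(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) *vp++ = 0;
}

/* Toy derivation for the demo only: xor-folds the password into 32 bytes.
 * A real manager would use a proper KDF (PBKDF2, scrypt, Argon2). */
static void toy_derive(const unsigned char *pw, size_t len, unsigned char key[32]) {
    memset(key, 0, 32);
    for (size_t i = 0; i < len; i++) key[i % 32] ^= pw[i];
}

/* Leaky variant: derives the key but leaves the plaintext master password in
 * the buffer, which is the failure mode ISE describes. Returns 1 on success. */
int unlock_no_scrub(secret_t *s, const char *master, unsigned char key[32]) {
    size_t len = strlen(master);
    if (len == 0 || len > MAX_PW) return 0;
    memcpy(s->buf, master, len);
    s->len = len;
    toy_derive(s->buf, s->len, key);
    return 1;
}

/* Sanitizing variant: same work, then scrubs the whole buffer (not just the
 * bytes actually used) before returning. Returns 1 on success. */
int unlock_and_scrub(secret_t *s, const char *master, unsigned char key[32]) {
    size_t len = strlen(master);
    if (len == 0 || len > MAX_PW) return 0;
    memcpy(s->buf, master, len);
    s->len = len;
    toy_derive(s->buf, s->len, key);
    secure_zero(s->buf, sizeof s->buf);
    s->len = 0;
    return 1;
}

/* Check: 1 if every byte of the working buffer is zero. */
int buffer_is_clean(const secret_t *s) {
    for (size_t i = 0; i < sizeof s->buf; i++)
        if (s->buf[i]) return 0;
    return 1;
}

/* Check: 1 if the plaintext master password can still be found in the buffer,
 * i.e. what a memory scan of the locked process would recover. */
int buffer_leaks(const secret_t *s, const char *master) {
    size_t len = strlen(master);
    if (len == 0 || len > sizeof s->buf) return 0;
    for (size_t i = 0; i + len <= sizeof s->buf; i++)
        if (memcmp(s->buf + i, master, len) == 0) return 1;
    return 0;
}

/* Runs both variants on a constructed sample password. Returns 1 when the
 * leaky variant leaks, the scrubbing variant is clean, and both derive the
 * same key (scrubbing costs nothing functionally). */
int demo(void) {
    secret_t s;
    unsigned char k1[32], k2[32];
    static const char master[] = "correct horse battery staple"; /* constructed sample */
    memset(&s, 0, sizeof s);
    int leaky = unlock_no_scrub(&s, master, k1) && buffer_leaks(&s, master);
    int clean = unlock_and_scrub(&s, master, k2) && buffer_is_clean(&s)
                && !buffer_leaks(&s, master);
    int same_key = memcmp(k1, k2, 32) == 0;
    return leaky && clean && same_key;
}

int main(void) {
    printf("scrub demo %s\n", demo() ? "ok" : "FAILED");
    return demo() ? 0 : 1;
}
```

The scan in `buffer_leaks` is the defender's self-check: the same search a memory-forensics tool would run, applied to your own process to confirm that locking really removed the secret. Note that the working buffer is only one copy; a real implementation also has to account for the derived key, any `std::string` or heap temporaries, and memory the OS may have paged out.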
Despite this, ISE notes that password managers are still better than the alternative. After all, far more attackers simply brute-force passwords and uncover weak ones than attack supposedly secure password managers.
Basically, you're better off with some iffy protection than none at all. Just don't assume that means you can skip other precautions like two-factor authentication.