Password managers are great tools for hardening your online security and, trust me, they can definitely make your life easier. But as always, like anything that’s powered by software, password managers are not perfect and they’re not impervious to hacks and malware.
This new research proves just that. According to new information published by Independent Security Evaluators (ISE), at least five popular password managers, including 1Password, Dashlane, KeePass and LastPass, could potentially leak unencrypted credentials and passwords while they’re running in the background.
How severe are these issues? Or are they nothing to worry about? Let’s break them down.
It’s like leaving your keys under your PC’s doormat
The researchers from ISE (read: white hats aka the good hackers) said that the password managers they examined don’t always encrypt and clear the password from a computer’s memory while transitioning from an unlocked (password manager is running) to a locked (user is logged out) state.
1Password, in particular, keeps the master password in memory while unlocked and fails to clear it out when it goes back to its locked state. In some cases, the master password can even be viewed in clear text while the software is locked. Yep, in a way, it’s like leaving your keys under your doormat.
Surprisingly, 1Password’s newer version, 1Password7, is even worse since it decrypted all individual passwords in ISEs test, cached them all in the computer’s memory and failed to clear them out while transitioning from its unlocked state.