
Password Managers Can Be Vulnerable to Malware Attacks

Four popular password managers for Windows 10 can leak your login credentials to the PC's memory, making it possible for hackers to target and steal the data with malware. Password manager makers, however, argue the threat is limited.

Michael Kan, Principal Reporter


Password managers are a useful way to keep your internet accounts safe. But the software that runs them isn't always perfect.

According to new research, four popular password managers for Windows 10 can actually leak your login credentials to the PC's memory. That's bad news in the event your computer has been secretly taken over by malware; a hacker could potentially snatch up the sensitive data when the password manager turns on.

The research, published on Tuesday, comes from Independent Security Evaluators (ISE), a Baltimore-based company that examined the security of four products: 1Password, Dashlane, KeePass, and LastPass. The company was surprised to find that the products didn't always encrypt and then delete password data in the PC's background processes. Even the master password, which can be used to unlock all your stored passwords, can be exposed.

For instance, 1Password7 will decrypt all your individual passwords and store them in the computer's memory once the application loads up. The login credentials—including the master password—will also persist in the PC's memory when the product is still running, but in a locked state. "The user must exit the software entirely in order to clear sensitive information from memory," the research adds.


Dashlane, on the other hand, will only expose a login credential individually, depending on which password the user is seeking to access. Only when the user seeks to update a password will the Dashlane application expose the entire database in plaintext. LastPass exhibits a similar problem, and can also leak the credentials even after the application returns to a locked state.

ISE published the research to encourage password manager vendors to better protect login credentials as they load on a PC, especially when the product returns to a locked state.

"Given the huge user base of people already using password managers, these vulnerabilities will entice hackers to target and steal data from these computers via malware attacks," ISE researcher Adrian Bednarek said in a statement.


But not everyone agrees about the severity of the threat. To pull off these attacks, the hacker has to trick you into installing some malware, which can open your PC to all kinds of mayhem—not just password theft.

"The realistic threat from this issue is limited," 1Password's security developer Jeffrey Goldberg told PCMag in an email. "No password manager (or anything else) can promise to run securely on a compromised computer."

1Password and KeePass also told PCMag that the security issues cited by ISE are nothing new, and have been previously mentioned as known trade-offs with their products. For instance, with the Windows operating system, KeePass must decrypt some of the sensitive data in order to show you a password.

"Fixing this particular problem introduces new, greater security risks," Goldberg said. 1Password would have to switch to a different, older programming language, which might prove to be less reliable in other ways, and leave users insecure, he added.

LastPass, however, said it's introduced new safeguards to stop potential password theft from malware. For instance, the company's Windows application will now shut down and clear the system memory when the user logs out.

The research from ISE is a reminder to be aware of a password manager's limitations; the applications won't protect your login credentials in the event your PC has been infected with malware that has keylogging, screenshot grabbing, or text copying abilities.

To stay safe, ISE recommends you use reputable antivirus products, and shut down a password manager completely once you're done with it. That'll ensure the product isn't actively leaking your password credentials in the background. To avoid malware, refrain from downloading applications from unknown sources or from mysterious email attachments.
