Security researchers have recently found flaws in several popular password managers that can allow attackers with access to a computer to retrieve passwords from its memory. While the vulnerabilities are real, protecting secrets in memory is an ongoing issue for the software industry, and experts have pointed out that there are much easier ways to steal passwords.
The report that stirred up some controversy in the security community was released last week by Independent Security Evaluators (ISE), a security consultancy with a good track record of finding software vulnerabilities. The company tested the desktop versions of LastPass, Dashlane, 1Password version 4, 1Password version 7 and KeePass. ISE investigated the security guarantees provided by the applications while they were in three states: not running with password vault locked, running with password vault unlocked and running but with password vault locked.