6 March 2019
Seek Social’s Take: Password Managers and How to Use Them
After reading an ISE report published in February 2019, password managers might not seem like a good idea… The ISE found software vulnerabilities in a number of popular Windows 10 password managers, including 1Password, Dashlane, KeePass and LastPass. Security risks in a password manager would certainly raise red flags, but it’s important to understand the whole situation before coming to a final decision. So we wanted to explain just what’s happened, and the real-world implications for users.
Password managers are designed to add extra data protection and online security for computer users. They do this by remembering our passwords for us, locking them away in a database protected by a ‘master password’. The convenience of password managers is great for people like us at Seek Social who have lots of accounts and passwords for various websites. On top of this, they can also generate very complex passwords. Because they are random, these passwords have no pattern to them. This makes them very hard to crack, and therefore less of a security ‘risk factor’.
But…
The ISE found flaws in the ways some password manager programs ensure data protection:
- 1Password 4.0 sometimes keeps the master password in memory, and it’s sometimes displayed in plain text.
- 1Password 7.0 doesn’t remove the master password, stored passwords, or secret keys from memory correctly.
- Dashlane can expose the entire database whenever you update an entry, and it stays in memory after you log out.
- With KeePass, parts of the database become vulnerable when you interact with them, but your master password IS safe.
- With LastPass, any data that you interact with becomes vulnerable. The master password is also vulnerable to attack via a memory leak.
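The kind of flaw listed above (a secret that stays in memory after the vault is locked) can be shown in a few lines of C. This is an added example, not code from any of the products named or from the ISE report; `struct session`, the function names and the sample passphrase are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define SECRET_MAX 64

/* Hypothetical session state of a desktop password manager. */
struct session { char master[SECRET_MAX]; int unlocked; };

/* Zero through a volatile pointer so the stores are not optimised away. */
static void secure_wipe(void *p, size_t n) {
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

static int session_unlock(struct session *s, const char *pw) {
    size_t len = strlen(pw);
    if (len >= SECRET_MAX) return -1;   /* refuse rather than truncate */
    memcpy(s->master, pw, len + 1);
    s->unlocked = 1;
    return 0;
}

/* Flawed lock: only flips the flag, the secret stays resident. */
static void session_lock_weak(struct session *s) { s->unlocked = 0; }
/* Hardened lock: scrub the whole buffer, then flip the flag. */
static void session_lock(struct session *s) {
    secure_wipe(s->master, sizeof s->master);
    s->unlocked = 0;
}

/* Count secret bytes still readable in the locked session's memory. */
static size_t residue(const struct session *s) {
    size_t n = 0;
    for (size_t i = 0; i < sizeof s->master; i++) n += (s->master[i] != 0);
    return n;
}

/* Unlock with a constructed sample passphrase, lock, report the residue. */
static size_t demo(int hardened) {
    struct session s = {0};
    if (session_unlock(&s, "constructed-sample-passphrase") != 0) return (size_t)-1;
    if (hardened) session_lock(&s); else session_lock_weak(&s);
    return residue(&s);
}

int main(void) {
    printf("weak lock: %zu bytes left, hardened: %zu\n", demo(0), demo(1));
}
```

Production code would normally call a platform primitive such as `SecureZeroMemory` on Windows or `explicit_bzero` where available, and must also scrub every copy of the secret, not just one buffer.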
Scary stuff – but there are several caveats involved here. First, in all of these cases an attacker needs to have already gained access to your system for these security risks to apply. Secondly, these issues only concern the software versions of these programs. Any browser add-ons are safe, so your online security isn’t compromised. Finally, all of the developers involved know about the issues found in their password manager programs, and are taking steps to safeguard their users’ right to data protection.
Seek Social’s Verdict:
So, bearing all of this in mind, should you be using a password manager? Or is the risk to your data and your online security too great? Frankly, the Seek Social team would still recommend them. The benefits to password strength and convenience still outweigh the security risks. However, a password manager needs to be just one part of a larger system. It protects your various sets of login details well, but that doesn’t make the software itself safe from attack…
To use an analogy, you wouldn’t leave your business’ doors unlocked just because you have a safe. Data protection and I.T. security work much the same way. As the developers themselves said, stop an attacker compromising your system in the first place and these vulnerabilities are not an issue. So, in our opinion – yes – a password manager is a great tool to add to your security as a bonus. However, it’s not a replacement for things like firewalls, VPNs, or anti-virus software.