Report identifies potential security flaws in some password managers. Sticky Password explains the issue.

A new study by ethical hackers at Independent Security Evaluators (ISE) identified memory security flaws in five popular password managers. The research found that users of some password manager apps could be vulnerable to specific targeted malware attacks. While Sticky Password was not one of the products included in the research, we feel it’s important to address the findings.

The report (Password Managers: Under the Hood of Secrets Management) found that some of the password management apps for Windows 10 left passwords exposed in the computer’s memory even while the apps were in “locked” mode. To a hacker with access to the PC, passwords that should have been hidden were no better protected than if the app had been unlocked.

Nevertheless, the ISE researchers and other security professionals emphasized that password managers are beneficial: they help avoid many bad password practices (e.g. forgetting passwords, using weak passwords, re-using passwords) and mitigate a great many security risks. You wouldn’t stop using a seat belt because it couldn’t protect you from every kind of vehicle accident.

Sticky Password’s approach

An integral element of Sticky Password’s QA is checking memory for any sensitive user data. In the unlocked state, we consistently remove sensitive data from memory as soon as the user has finished with it (e.g. after autofill or a password preview).

So, when Sticky Password is unlocked and/or running in the background and the user is not, for example, performing an autofill or previewing a password or credit card, there is no password or credit card number in memory at all.

When needed (at the user’s request), Sticky Password decrypts the password or credit card, scrambles it, and places it in memory only for the very short time necessary to complete the action the user prompted. Scrambling the data while it sits in memory adds a further level of protection, because the value is not directly readable in memory even during that short window.

Once the password or credit card is autofilled or previewed, Sticky Password immediately overwrites the relevant memory block. When the Sticky Password app is locked, it also overwrites all relevant memory blocks.
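To make the “scramble, use briefly, overwrite” cycle described above concrete, here is a small added example in C. It is not Sticky Password’s code and makes no claim about how the product implements this internally; it simply shows one way the idea can be realised. The scrambling here is a one-time XOR mask (an assumption for illustration), the mask is filled by a deterministic generator so the example runs offline (a real application would use the operating system’s CSPRNG), and the wipe goes through a volatile pointer so the compiler cannot discard the overwrite as a dead store. The `contains_plain` helper plays the role of the QA memory check: it looks for the plaintext in a memory region, which is exactly what memory-scraping malware would also do.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative scrambled in-memory secret (added example, not Sticky Password's code).
 * The plaintext is never stored as-is: only (plaintext XOR mask) and the mask are kept. */
typedef struct {
    uint8_t *masked;   /* plaintext XOR mask */
    uint8_t *mask;     /* one-time mask of the same length */
    size_t len;
} scrambled_secret;

/* Overwrite a buffer through a volatile pointer so the compiler cannot
 * optimise the stores away (the classic pitfall with plain memset before free). */
static void secure_wipe(void *p, size_t n) {
    volatile uint8_t *vp = (volatile uint8_t *)p;
    while (n--) *vp++ = 0;
}

/* Fill the mask. A deterministic LCG stands in for a CSPRNG here so the example
 * runs offline; a real app would use the OS CSPRNG (e.g. BCryptGenRandom on Windows). */
static void fill_mask(uint8_t *out, size_t n, uint32_t seed) {
    for (size_t i = 0; i < n; i++) {
        seed = seed * 1664525u + 1013904223u;
        out[i] = (uint8_t)(seed >> 24);
    }
}

/* Take a plaintext secret: scramble it into the store, then wipe the caller's copy. */
int secret_load(scrambled_secret *s, uint8_t *plain, size_t len, uint32_t seed) {
    s->masked = malloc(len);
    s->mask = malloc(len);
    if (!s->masked || !s->mask) { free(s->masked); free(s->mask); return -1; }
    s->len = len;
    fill_mask(s->mask, len, seed);
    for (size_t i = 0; i < len; i++) s->masked[i] = plain[i] ^ s->mask[i];
    secure_wipe(plain, len);
    return 0;
}

/* Reveal the plaintext into a caller-supplied buffer for one action (autofill/preview).
 * The caller is responsible for wiping that buffer as soon as the action is done. */
int secret_reveal(const scrambled_secret *s, uint8_t *out, size_t out_len) {
    if (out_len < s->len) return -1;
    for (size_t i = 0; i < s->len; i++) out[i] = s->masked[i] ^ s->mask[i];
    return (int)s->len;
}

/* Memory check: does the plaintext appear anywhere in this region? Returns 1 if so. */
int contains_plain(const uint8_t *region, size_t region_len,
                   const uint8_t *needle, size_t n) {
    if (n == 0 || region_len < n) return 0;
    for (size_t i = 0; i + n <= region_len; i++)
        if (memcmp(region + i, needle, n) == 0) return 1;
    return 0;
}

/* Lock: overwrite and release both halves of the store. */
void secret_lock(scrambled_secret *s) {
    if (s->masked) { secure_wipe(s->masked, s->len); free(s->masked); }
    if (s->mask)   { secure_wipe(s->mask, s->len);   free(s->mask); }
    s->masked = s->mask = NULL;
    s->len = 0;
}

/* Runs the whole cycle on a constructed sample secret and returns 0 if every
 * memory check passes; a non-zero value identifies which check failed. */
int demo_cycle(void) {
    uint8_t plain[] = "hunter2-demo";              /* constructed sample secret */
    size_t len = sizeof plain - 1;
    uint8_t copy[sizeof plain];                    /* reference copy used only for checking */
    memcpy(copy, plain, sizeof plain);
    scrambled_secret s = {0};

    if (secret_load(&s, plain, len, 0x1234u) != 0) return 1;
    if (contains_plain(plain, len, copy, len)) return 2;     /* caller's plaintext was wiped */
    if (contains_plain(s.masked, len, copy, len)) return 3;  /* store holds no readable plaintext */
    if (contains_plain(s.mask, len, copy, len)) return 4;

    uint8_t work[32];
    if (secret_reveal(&s, work, sizeof work) != (int)len) return 5;
    if (memcmp(work, copy, len) != 0) return 6;              /* reveal reproduces the secret */
    secure_wipe(work, sizeof work);                          /* action done: overwrite at once */
    if (contains_plain(work, sizeof work, copy, len)) return 7;

    secret_lock(&s);                                         /* locking wipes the store */
    secure_wipe(copy, sizeof copy);
    return 0;
}
```

The important design point is the window: the plaintext exists only in `work` between `secret_reveal` and `secure_wipe`, and a memory scan at any other moment finds neither the secret nor anything from which it can be read off directly without also finding the mask. As the post notes in the next section, this limits exposure but cannot defend against an attacker who already controls the machine and can read both halves at once.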

Broader picture

It is important to keep in mind that protecting a system is only possible if it has not already been compromised. Once attackers are ‘in’ (e.g. they can read your device’s memory, which is the attack vector described in the report), it is in general no longer possible to effectively prevent access to anything on the device. Therefore, it’s critical that users ‘keep a clean machine’ and stick to the basic principles of security:

  1. Make sure the security software is current: Having the latest security software, web browser and operating system is the best defense against viruses, malware and other online threats.

  2. Keep your software up-to-date with patches and updates. Many software programs will automatically connect and update to defend against known risks. Turn on automatic updates if that’s an available option.

  3. Protect all devices that connect to the Internet: Along with computers, smartphones, gaming systems and other web-enabled devices also need protection from viruses and malware.

  4. Plug & scan: USBs and other external devices can be infected by viruses and malware. Use your security software to scan them.

And it all comes down to protecting our devices, which is nicely summarized in the Laws of Security:

  • If a bad guy can read your device's memory or alter the operating system on your computer, it’s not your computer anymore.

  • If a bad guy can persuade you to run his program on your computer (viruses, malware), it’s not your computer anymore.

  • If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore.

  • Weak passwords defeat strong security. The strongest security can’t protect you if you use weak passwords.

  • Encrypted data is only as secure as the decryption key. This means your Master Password has to be really strong.

  • An out-of-date virus scanner is only marginally better than no virus scanner at all.