Researchers extract master password in cleartext from 1Password

Regular internet users today juggle numerous accounts on various platforms and websites, often using the same weak password for all of them. Tech-literate users employ different passwords for different accounts, and strong ones at that. Those who are truly conscientious use a password manager. But is it really all that smart?

ISE, an independent security consulting firm headquartered in Baltimore, Maryland, decided to test this idea by poking at five popular password managers to see if they could make them give up their secrets. While it’s not easy, apparently it can be done.

The group reveals its findings in a paper titled Password Managers: Under the Hood of Secrets Management. They start by outlining “security guarantees” that a typical password manager should offer in different circumstances. These are called “states” – locked, unlocked, running – and, depending on each state that the app is in, certain guarantees must be enforced. Unfortunately, every app that ISE tested contained vulnerabilities that leaked passwords, and the team even recovered the master password from a locked instance of 1Password 4.

The popular password manager and form-filler gives up its “master” key in plaintext

The full paper is well worth a read, as is the (equally long) blog post dedicated to the findings, with graphics and all. Both are technical enough not to bore the geek in you but digestible enough not to scare off your inner noob. It’s also an important piece of research because it can educate password manager users about the way these tools work.

It isn’t clear whether ISE contacted each vendor with these findings to prompt the release of an update, but they do outline a list of additional defenses that password managers should employ to keep user passwords safe. For end-users, the team offers a list of security best practices. ISE also promises to repeat their tests in the future to see whether the popular credential-guarding tools perform any better.

About the author

Filip TRUTA

Filip is an experienced writer with over a decade of practice in the technology realm. He has covered a wide range of topics in such industries as gaming, software, hardware, and security, and has worked in various B2B and B2C marketing roles. He likes fishing (not phishing), basketball, and playing around in FL Studio.

1 Comment

  • Wow, that’s worrisome, though expected to happen at some point. Recently it was Abine Blur, time before there were others, and there will always be vulnerabilities also in this kind of software. Happily this was discovered by a good party, a researcher, but every user must be somewhat informed of the cybersecurity landscape today to avoid these situations.

    Cheers.