The American consultancy ISE (Independent Security Evaluators) has found that it is possible to extract the master password from the 1Password, Dashlane, KeePass and LastPass password managers from the memory of Windows 10 computers. There is no evidence of abuse and the agency has not investigated whether this vulnerability also occurs on Apple devices.
ISE advises users to continue using password managers because the risk of this leak is low and does not outweigh the safety benefits of these solutions. A number of providers of these password managers indicate that this is an acceptable risk. Frank Groenwegen, Fox-IT’s chief security expert, says on BNR: “The risk attributed to this leak is acceptable provided that two-step verification is also used.”
Fox-IT: ‘The risk attributed to this leak is acceptable provided that two-step verification is also used.’
Ethical hackers at Fox-IT use these techniques to test the security of customers and with great success. This means that it is not just a small group of people who could abuse this vulnerability. Many large platforms already offer two factor authentication, but it is not being used much yet. One way to promote use is to make it part of regulations such as GDPR. “This would mean that websites are required to offer two-step verification when visitors create a user account. That is not the case now. By doing this, problems can be prevented.”
Listen to the broadcast between 3.32,36 and 3.36,40 (In Dutch)