Regular
internet users today juggle numerous accounts on various platforms and
websites, often using the same weak password for all of them. Tech-literate
users employ different passwords for different accounts, and strong ones at
that. Those who are truly conscientious use a password manager. But is it
really all that smart?

ISE,
an independent security consulting firm headquartered in Baltimore, Maryland,
decided to test this idea by poking at five popular password managers to see if
they could make them give up their secrets. While it’s not easy, apparently it
can be done.

The group reveals its findings in a paper titled Password Managers: Under the Hood of Secrets Management. They start by outlining “security guarantees” that a typical password manager should offer in different circumstances. These are called “states” – locked, unlocked, running – and, depending on each state that the app is in, certain guarantees must be enforced. Unfortunately, every app that ISE tested contained vulnerabilities that leaked passwords, and the team even recovered the master password from a locked instance of 1Password 4.

The popular password manager and form-filler gives up its “master” key in plaintext

The full paper is well worth a read, as is the (equally-long) blog post dedicated to the findings, with graphics and all. Both are technical enough not to bore the geek in you but digestible enough not to scare off your inner noob. It’s an important piece of research also because it can educate password manager users in the way these tools work.

It isn’t clear if ISE contacted each vendor with these findings to prompt the release of an update, but they do outline a list of additional defenses that password managers should employ to keep user passwords safe. For end-users, the team offers a list of security best practices. ISE also promises to repeat their tests in the future to check and see if the popular credential-guarding tools perform any better.