The number of passwords that each person needs to remember grows exponentially each year. The password manager industry has emerged to help people securely keep track of their passwords, and many institutions have invested in these tools for use by their employees. But are these tools really safe?
Recent research by a group called Independent Security Evaluators (ISE) has highlighted some vulnerabilities in many password managers. While running, the managers store passwords in memory in clear text where they may be easily readable by an attacker who has gained access to the system. While these weaknesses are valid and need to be understood, even the ISE researchers who discovered them stated “We want it to be clear that we think people should continue to use password managers.”
Institutions that are using a password manager should review the vulnerabilities and ensure that the controls and practices they have in place adequately mitigate the weakness. We recommend the following mitigation measures:
- Ensure that employees are not local administrators on workstations. Passwords in memory can be easier for an attacker to obtain if the user is a local administrator than if the user has limited workstation privileges.
- Shut down the password manager when not in use. Passwords are only in memory while the password manager is running. Note that simply locking the password manager and leaving it run in the background is not enough, as the passwords are still in memory when the program is locked.
- Use multi-factor authentication (MFA) on the master password. An attacker who obtains the master password of the manager has the keys to the kingdom unless an additional piece of information is required to log in. Alternatively, access using the master password may be limited to specific devices that the attacker would not have.
- Use multi-factor authentication (MFA) on all critical passwords. For any system that is critical, MFA should be in place to ensure that an attacker who obtains the password by accessing the password manager will not be able to access the critical system.
- Continue to train employees to think before clicking. Most attacks that would lead to accessing passwords in memory start with a user clicking on a link or opening a malicious document. Continue to train employees that they need to be diligent in detecting suspicious attachments or links in emails or on websites.
- Implement endpoint protection. A good endpoint protection solution that looks for abnormal behavior should detect malicious activity if an employee does click on a bad link and may also be able to detect when the attacker attempts to access the passwords in memory.
- Upgrade password manager software. Some password manager companies implemented patches to mitigate some of the discovered vulnerabilities. If your institution installs the manager on systems, be sure to upgrade the password manager to take advantage of the patch.
If you're considering a password manager at your financial institution, but want to talk through what the implementation process might look like and what controls you'd need in place to mitigate the risk appropriately we can give you some pointers. Email us at support@bedelsecurity.com or give us a call at (812) 552-2258.