Regular readers will know that I am a big proponent of computer users protecting themselves with tools like Bitwarden, 1Password, and KeePass to help remember and generate unique passwords for every website they use.
It’s a lot better, for instance, than trusting your web browser to remember your password.
But it is essential, of course, that these password management programs are secure – and not leaking sensitive information.
As PC Magazine describes, a flaw was found in the Windows Internet Explorer version of LastPass that meant passwords could be read in plaintext if a memory dump was performed on Internet Explorer.
Fortunately, there are some mitigating circumstances, as the folks at LastPass described to PC Magazine:
“This particular issue would be extremely difficult to exploit – requiring that you be using IE, that you’ve logged in to LastPass to decrypt your data, perform a memory dump, hunt through the memory dump, and actually locate the passwords – we have made fixing this a priority because we value the privacy and security of our users’ data above all else.”
Nevertheless, LastPass responded quickly – and included a security patch for the problem (alongside other fixes) in an important update.
Although this incident is undoubtedly embarrassing for LastPass, I still recommend password management software for all internet users. Keep them updated, and you should find them a heck of a lot safer than trying to remember secure passwords yourself for every website you access.
So Graham
What password manager do you recommend/use? I'm currently using RoboForm, but I never see it mentioned in articles like yours which usually mention LastPass, 1Password, and KeePass.
This worries me a little as the lack of mentions of RoboForm implies that it's not that good…
I haven't ever used RoboForm myself, but I've also not heard anything bad about it. :) I would be surprised if it does a less than competent job as it has been around for a long time.
This doesn't seem much different than any other password vault solution. If you get a memory dump with the key in it you can decrypt anything that was in the vault.
Physical access makes plugging in a Firewire or Thunderbolt device to grab memory dumps easy.
About the only thing I could see doing different would be to make auto-lock a default option.