Password management has long been a persistently challenging task. This led to the introduction of password management software, which has been around for at least 25 years in various forms, including desktop and browser-based applications. This work assesses the ability of two dozen password managers, 12 desktop applications, and 12 browser plugins, to effectively protect the confidentiality of secret credentials in six representative scenarios. Our analysis focuses on the period during which a Password Manager (PM) resides in the RAM. Despite the sensitive nature of these applications, our results show that across all scenarios, only three desktop PM applications and two browser plugins do not store plaintext passwords in the system memory. Oddly enough, at the time of writing, only two vendors recognized the exploit as a vulnerability, reserving CVE-2023-23349, while the rest chose to disregard or underrate the issue.
You have full access to this open access chapter, Download conference paper PDF
Similar content being viewed by others
1 Introduction
Twenty years after Bill Gates predicted the death of passwords [14], here we are still using them. What is more, there are still major data breaches that are due to weak or insecure passwords, such as in the recent cases of SolarWinds [10] and Colonial Pipeline [30]. Passwords come in different forms, such as Personal Identification Numbers (PINs), passphrases, and frequently as one of the components of multifactor authentication. In between secure but impractical solutions, such as remembering all passwords, and practical but insecure ones, such as using the same password everywhere, one of the most popular ways for protecting credentials is Password Managers (PMs). Moreover, even when using PMs, usability clearly affects the security and trustworthiness of such applications [7]. Thus, the main question behind our study is: 25 years after the development of the first PM [18], how secure are our passwords when stored in such applications?
Looking first at how software developers and vendors handle PM security, as software applications, PMs capitalize on relevant principles, methodologies, and tools, as well as standards and best practices for secure software development. Nevertheless, absolute security cannot be guaranteed, even when using all the above means. Moreover, one of the main building blocks of a secure software development lifecycle is risk management. During this process, however, software vendors need to decide which security issues to tackle, wittingly ignoring in several cases those that they consider of minor importance or extravagant to address. In fact, during our study, out of the seven PM vendors contacted, only two recognized the issues reported in this paper and took action to remediate them.
Moving to how PM end-users perceive the value of security, the work in [26] suggests that users of standalone PMs may prioritize security, whereas users of built-in managers seem to value convenience more. The work in [9] compared users of PMs with non-users of such applications, finding that the main motivation of PM users was convenience, instead of security, and the impeding factor for non-users was security concerns. These findings suggest that PM users do not always put security as their first priority when adopting such applications.
There are frequent mentions of PMs in the media in the form of advertisements, comparisons, or security analyses [31], attempting to help the user select the most suitable PM. However, as absolute security cannot be guaranteed, it turns out that sporadically even popular PMs, which are recognized for the level of security they provide, can suffer from security issues [25]. One such example is a recent critical vulnerability affecting KeePass, which allowed the attackers to recover the master key safeguarding the PM’s vault [29]. In this context, this paper presents a security analysis of 12 desktop and 12 browser plugin PMs to understand the level of private information they potentially leak. Our study concentrates on the period during which each of these applications is loaded on the system memory. The key contributions of this work can be summarized as follows:
We examine which modern PMs allow the extraction of plaintext credentials from the RAM, offering exploits that can streamline the retrieval process.
We investigate to which extent the leaking information reveals repetitive patterns that augment the attack surface.
We examine PM vendor conformity to OWASP secure development guidelines with respect to the exposure of private information.
Following responsible disclosure, we notified the respective PM vendors about the identified vulnerabilities and succinctly discuss our interaction with them.
The rest of the paper is structured as follows. The next section details the threat model. Section 3 presents our methodology, the derived results, and ways of exploitation in the context of red teaming. Section 4 elaborates on best practices, including possible mitigation strategies. The related work is given in Sect. 5. The last section concludes and offers directions for future work.
2 Threat Model
Generally, data leakage attacks directly violate the first two properties of the Confidentiality, Integrity, and Availability (CIA) triad. For PMs, however, availability is also indirectly affected in case an attacker obtains the PM’s master password and subsequently changes it, locking the legitimate user outside the PM’s vault. Similarly, a user can be locked outside a service account if an attacker changes the user’s password. Essentially, in the case of PMs, where the stored information is considered critical, maintaining these properties is paramount. Nevertheless, as this work proves through an experimental evaluation of several renowned PMs in Sect. 3, data leakage is still feasible under certain circumstances. This section establishes the threat model under which an outsider attacker operates.
We concentrate on client-side PMs assuming that the targeted machine is situated within a local network, typically protected by a firewall, say, the one provided by default by MS Windows. In this common setting, the adversary needs to somehow penetrate the network and gain access to the victim’s machine. This can be done in a plethora of ways, which however are outside the scope of the current work; for instance, the attacker might lure the victim to download and execute a piece of malware, often the result of a phishing attack.
After that, the attacker needs to dump the PM’s processes; typically, these are more than one. With reference to Sect. 3, for all the 12 standalone PMs examined but 1Password this is straightforward; no special privileges are required. On the other hand, 1Password’s processes run with a high integrity level. This means that even if the target user has administrative privileges, due to the User Account Control (UAC) MS Windows security feature, the malware (or generally the attacker’s process) will often default to medium integrity, obstructing access to resources with higher integrity levels. In such a case, the attacker needs to elevate the integrity level silently, without spawning a UAC pop-up to the user. This can be accomplished through a UAC bypass method, including registry key manipulation, DLL hijacking, and elevated COM interface. Indicatively, a well-utilized DLL hijack-based method is given in [13]. Last but not least, the attacker must devise a way to efficiently search each one of the acquired dump (.DMP) files, say, through some script implementing pattern matching as detailed in Subsect. 3.4.
3 Experiments
The current section details our methodology and findings. Namely, after presenting the utilized testbed, we report on the different test scenarios and discuss the derived results.
3.1 Testbed and Test Scenarios
Each of the examined PM applications was installed on a separate clean Virtual Machine (VM) instance running MS Windows 10; the last OS update was performed in Jan. 2024. Every VM was equipped with 5GB of RAM and a quad-core CPU. For testing each PM, we compiled six distinct, representative of use scenarios, S1 to S6, as presented in Table 1. Overall, these scenarios correspond to the different states a PM application may be in relation to the actions of the end-user.
With reference to the leftmost column of Table 2a, the first round of experiments involved 12 popular PM desktop applications [31]. In a subsequent round, as shown in the leftmost column of Table 3, we repeated all six scenarios against 12 frequently encountered browser PM plugins [8]. The latter checks have been carried out on Chrome v120.0.6099.216. By comparing the above-mentioned table columns, it is obvious that half of the PM products are common in both Tables 2 and 3. All the experiments were carried out in Jan. 2024 using the latest at that time version of each PM or browser plugin.
3.2 Results
Every dump (.DMP) file created after executing each of the scenarios of Table 1 was examined for possibly containing secret information in cleartext. Specifically, we look for user credentials, either the PM’s master password or entry passwords; usernames are also of interest, but for the needs of this subsection the concentration is on passwords. Each PM entry corresponds to the user’s sign-in credentials to some service, say, Facebook, as they are contained in the PM’s vault. Typically, an entry comprises a username, password, and the URL of the corresponding service. No less important, normally, a PM (or browser in the case of a plugin) spawns more than one process, therefore a memory dump event as those in Table 1 may comprise numerous .DMP files. Such a file contains arbitrary information and its average size may be several megabytes, which renders its manual analysis with a hex editor cumbersome. Instead, as detailed in Subsect. 3.4, this can be relatively easily automated.
The results of applying all six scenarios to each standalone PM are recapitulated in Table 2a, where the ✓ and the ✗ symbols indicate either a positive or negative result regarding password leakage, respectively. Specifically, for each PM and scenario, the table shows if one or more of the respective dump files contain either or both the end-user’s master and entry passwords. Note that each scenario is independent of the others, i.e., before executing each scenario, the PM application (or the browser in the case of plugins) is terminated.
With reference to Table 2a, it is observed that only three PMs do not expose any plaintext password across all six scenarios. This does not mean that the password(s) are indeed not present in the memory (dump); contrastingly, they may exist in the dump, but they are in some secret obfuscated form that only the PM can parse. Also on the positive side, no PM leaks any plaintext password in S6, which however was somewhat expected. On the downside, four PMs expose either or both types of passwords in all scenarios but S6. In addition, four more PMs leak both types of passwords in at least three different scenarios. On top of that, half of the PMs leak the master password in S1, which is expected to be executed much more frequently than the rest of the scenarios. The latter outcome is not much better for S2 to S5, where three, four, five, and six PMs leak the master password. Concerning entry passwords, the situation is not markedly better given that in S1 to S5 at least two PMs expose entry passwords; the worst results are obtained in S4 and S5, where nine and seven PMs leak this type of password, respectively. Overall, across all the scenarios and all the PMs, 50 leaks are perceived, 24 and 26 for the master and entry passwords, respectively. Naturally, this figure cannot be seen as positive, summoning vendors up for corrective actions.
An additional important remark that emerged during our experiments with the standalone PM applications relates to the number of times a password appears in plaintext in the corresponding memory dump file. This information per scenario per PM is summarized in Table 2b. It should be clarified that for S4 and S5, the table contains the number of times the newly added (S4) or clicked on (S5) entry password is found in the respective .DMP file. From a bird’s eye view, as expected, the results between the two subtables of Table 2 coincide. Concentrating on Table 2b, the worst results for the entry password(s) are observed for S1, S4, and S5, where two, six, and four PMs expose at least four instances of the same password, respectively. This number even reaches double digits in S4 (for three PMs) and S5 (for one PM). Continuing from the previous result, S4 yields the worst score, demonstrating six PMs exposing at least four instances of the same newly added entry password. On the other hand, the situation regarding the master password seems better, with the poorer and best scenario in terms of security being S1 and S2, respectively. That is, in S1 three PMs expose at least four instances of the master password, while in S2 no PM exposes more than two instances. As a general comment, with special reference to S4, and to a lesser degree to S5 and S1, a significant number of PMs expose user’s entry passwords too many times, which in turn increases the attacker’s chances of discerning the password in the dump file, even if the latter is inspected visually.
The corresponding results referring to the 12 browser plugins are given in Table 3. As perceived, only two plugins expose zero plaintext leaks across all scenarios. Notably, however, six plugins leak a password in at least two different scenarios. Significant also is that 9 out of 12 or \(\approx \)75% of the plugins leak a password in S1, which is considered the commonest from a user’s perspective. Altogether, across all the scenarios and all the plugins, 23 leaks are observed, which are split into 3 and 20 for the master and entry passwords, respectively. Although somewhat better vis-à-vis the results of Table 2a, this figure reveals again a rather unfavorable average result in terms of security engineering for this type of software.
For better appreciating the results of Table 3, the following observations are noteworthy. First, some plugins, including 1Password and Ironvest require prior interaction between the browser and themselves for leaking an entry password. Second, certain plugins, including \(^\star \)PM, Kaspersky, and Sticky Password mandate the installation of the homonymous desktop PM; therefore, when the desktop PM application is locked, the plugin is also locked automatically. Third, a minority of plugins, e.g., Roboform, need prior browser interaction with any saved entry URL or the user to click on the plugin’s dashboard for loading all entries. Fourth, in some cases, e.g., 1Password, the leak is visible after several seconds, possibly for the browser to finish loading the respective plugin. Lastly, most plugins do not sweep PM-loaded user credentials away from the browser’s process after some time has elapsed. Bitdefender and Bitwarden are the only exceptions to this situation, clearing the browser’s process after 5 and 10 min respectively. Comparing the common six PMs in Tables 2a and 3 it is extrapolated that, as expected due to the second point above, there are two zero-leak PMs in both their standalone and plugin version, while for the remaining ones the situation is more or less better in their plugin version.
3.3 Discussion
Abiding by a Coordinated Vulnerability Disclosure (CVD) process, the results were promptly communicated to most of the affected PM vendors along with the corresponding exploit(s). Two vendors did acknowledge the issue and reserved a Common Vulnerabilities and Exposures (CVE) ID, namely CVE-2023-23349, pledging to also provide a respective patch promptly. The rest of them provided arguments in two directions. The first implies that the vendors are already aware of the problem, but they tend to largely underrate it. Specifically, their main claim is that carrying out such an attack would necessitate a pre-compromised system and a malicious actor with escalated privileges. On the one hand, this assertion is half true; based on our results in Subsect. 3.2, there do exist PM products that do not leak secret information in plaintext, and this stands true for both the standalone PMs (three instances) and the respective plugins (two instances). On the other hand, as detailed in Sect. 2, all PMs except one do not even require elevated privileges for dumping their processes. In this respect, the attacker does not even need to bypass UAC, which is usually quite challenging.
In relation to the previous argument, others may reason that a keylogger malware may achieve the same goal, without collecting and inspecting a PM memory dump file. The counterargument here is that a keylogger needs to stealthily operate round-the-clock and opportunistically wait for the victim to type a password. Even more, the attacker can save the relevant .DMP file and analyze it offline. Additionally, if the respective PM divulges the master password, then the attacker instantly gains access to every entry the victim keeps in the PM’s vault.
The second line of arguments, even not so common, suggests that some of the PM vendors are unsure about how to address the issue effectively. That is, if they apply some form of obfuscation to the passwords loaded in memory, they may provide a false sense of security; this is a form of security by obscurity, which generally, as well as in this case, is only effective as long as the (secret) obfuscation pattern remains confidential. On the flip side, unauthorized access to the PM will typically lead to multiple breaches, equaling the number of different entry passwords stored in the PM. In the presence of no other viable and stronger defense, obfuscation seems, at least for the moment, the only way forward. To enhance the robustness of the obfuscation procedure, a variable, frequently changing pattern should be used, ideally paired with other techniques, e.g., the system-protected process security model, also known as Protected Process Light (PPL) technology [20]. For more information on this issue, the reader is referred to Sect. 4.
3.4 Red Teaming and Exploits
To propel research and advance red teaming methodologies and responsible disclosure in this field, we developed an open-source tool called Pandora, which is publicly available in a GitHub repository [4]. Pandora assists in harvesting user credentials, both usernames and passwords, possibly present in cleartext in the processes spawned by several well-known PMs. The tool supports MS Windows 10 standalone PMs and browser plugins; at the time of writing, it supports 14 PMs, with 18 different implementations, e.g., it can dump end-user credentials either from the desktop application or the browser plugin of the same product. The tool requires the PM to be running and unlocked. For additional and up-to-date information on the tool, the interested reader is referred to [4].
Moreover, for reasons of completeness, Algorithm 1 offers a generic exploit in pseudocode. As can be seen in line 3, after opening the respective .DMP file, the algorithm applies a search pattern. The latter is based on the common technique exploited by anti-malware services; a file is flagged as possibly malicious when a sequence of hex bytes, i.e., a signature, is present within the file. In this work, we exploit the same logic to identify the patterns that hold the user’s credentials in the corresponding PM’s process memory dump. To identify a possible pattern, first, one needs to configure each PM with different credentials, namely, master and entry passwords along with their matching usernames, if required by the PM, depending on the case. Then, using a hex editor, each dump file is manually investigated for containing one or more of these entries. If some entry is found, that entry’s preceding and succeeding bytes are kept as possible search patterns. Then, the investigator checks if the same bytes (pattern) stay identical across different PM states with the same or other entries. If yes, then this pattern can be used to produce an exploit for the specific PM. In Algorithm 1, given the pattern of line 3, lines 5–21 gather the next or previous n bytes and convert them to UTF-8 for revealing the password and username in plaintext. The number of bytes n is defined empirically, and it may be different per PM; for Algorithm 1 this parameter is set to 300 bytes in line 12.
4 Best Practices
The current section offers a brief description of the best practices that should be employed for sensitive information management by a PM application. As discussed in Sect. 3, the success of the attack hinges on the fact that essential information is written in an unprotected (plaintext) format by the PM application. Nevertheless, there exist numerous guidelines [6, 22, 23] that dictate the proper way for handling private information by such applications.
Primarily, as delineated by the Open Worldwide Application Security Project (OWASP), the relevant guidelines concentrate on the proper employment of cryptographic primitives [22, 23]. In this respect, encryption and hashing algorithms are considered the mainstream tools in the quiver of PM developers to protect private information, even though key management remains an important matter in the whole process. Along the same line, obfuscation techniques can be used to hide essential information when loaded in memory; note that the obfuscation pattern must remain secret, which indeed is a form of security by obscurity. Moreover, the pattern should be frequently changed, which also entails management operations, and naturally, there is no silver bullet that can ensure key management security horizontally. No less important, OWASP suggests that private data should be stored only when necessary during the application life cycle [22] and remain the minimum possible time in the RAM [24]. This can be achieved through spawning garbage collection requests soon after every critical operation, or by overwriting the content of a critical object once the object is no longer needed.
Another commonly used technique during the application development stage is to eliminate variable copies [6]. Precisely, modern programming languages offer several operations on variables, which essentially create copies of the same information in the memory stack; each variable assignment creates a copy of the same information. This might be the case with the scrutinized PMs, as Table 2b confirms that both the master and entry passwords were identified multiple times in the respective memory dumps. In turn, this facilitates an attacker to monitor the repeating piece of data, subsequently revealing recurring private information with the associated byte patterns. Another relevant point is that some PMs, including Keeper, do provide an option for wiping secret data after the PM is automatically locked. Nevertheless, this option is provided as opt-in and it is disabled by default, which does not abide by the well-known principle of establishing security defaults, namely establish default secure settings and possibly provide opt-in and opt-out. Furthermore, a minority of PMs support Two-Factor Authentication (2FA), which is positively appraised. However, in some of them, the 2FA token created during user sign-in with the PM leaks in the memory as well.
Last but not least, as already pointed out in Sects. 2 and 3.3, developers should also take advantage of the UAC mandatory access control enforcement feature, which limits the ability of malicious code to execute with administrator privileges. By means of UAC, every application that needs the administrator access token must prompt the end-user for approval, the so-called “elevation prompt”. Typically, when a user runs a process, that process executes with their token and can do anything the user can do; in short, a token says who you are and what you are allowed to do. In this context, every time an MS Windows thread wishes to access a protected object, the operating system conducts a security check. With reference to Subsect. 3.3, vendors can potentially capitalize on the so-called Protected anti-malware services, also known as PPL [20]. This enables specially-signed programs to run in a mode invulnerable to tampering and termination, even by administrative users. On the downside, running a PM with administrative rights to enable PPL, may open the door for privilege escalation attacks through DLL sideloading, e.g., as in CVE-2023-48861.
5 Related Work
This section elaborates on the related work on PM security, concentrating on publications from the past decade. The first set of related works focuses on applications that expose sensitive data while running on different operating systems, namely Windows, Linux, and Android.
The authors in [2] investigated the potential leakage of private data from Android applications residing in RAM. According to the findings, 29 out of 30 applications were found to disclose information that facilitated the retrieval of user passwords. A similar research in [15] presented an analysis of Android applications, including PMs, regarding the persistence of passwords in system memory even after they are not needed. Based on their results, one of the main components responsible for leaking private information is UI widgets. To address this, they proposed an enhancement to the Android platform by introducing SecureTextView, a secure version of Android TextView, which employs the zeroization of specific buffers. In a related research [19], the authors explored zeroization techniques across MS Windows and Linux environments. They concluded that only the MS Windows operating system provides a reliable function that can be used for this purpose. Finally, they showcased credential extraction from memory allocated to browsers, highlighting potential security vulnerabilities.
Extending the analysis to web-based PMs that offer standalone applications and/or browser extensions, the authors of [21] conducted a security evaluation of seven web-based PMs. Their evaluation covered both the standalone application and browser extension-based versions, encompassing the entire PM lifecycle, from password generation and storage to autofill functions. Despite the improvement of the scrutinized PMs in terms of security compared to prior evaluations, persistent issues remain. These include unencrypted metadata, insecure defaults, and vulnerabilities to clickjacking attacks. The authors explored the methods that each of the PMs utilizes to securely store client data in the respective database files. However, they overlooked how the very same data are treated by the host’s OS and how they are stored in RAM.
In the same vein, the authors in [16] performed a security analysis of five web-based PMs, uncovering varying susceptibilities across all the examined PMs. Among the identified vulnerabilities were issues related to logic and authorization, misinterpretation of the web security model, and sensitivity to CSRF/XSS attacks. Nevertheless, the authors specifically focused on vulnerabilities stemming from the web-based nature of PMs. In contrast, our study takes a different angle by delving into the local security posture of PMs, with a particular emphasis on examining how sensitive data are stored within the users’ RAM.
Another study [3] presented flaws in the LastPass browser extension. In this work, the authors performed a password extraction attack directly from the extension’s memory while the extension was active. Similarly, the work in [32] provided a vulnerability analysis of LastPass and Roboform, which both provide browser extensions for operating the software and cloud storage of the passwords. They identified potential threats, including the storage of credentials in plaintext locally and/or on cloud servers. Additionally, they provided recommendations towards enhancing data protection measures and improving the overall security level of these products.
A second set of works focused on data leakage during the autofill function that modern PMs offer. The authors of [28] studied how different PMs handle automatic filling of passwords. Their work encompassed three categories of password managers: (a) built into browsers, (b) used in mobile devices, and (c) third-party applications. Their findings suggested that the various autofill policies followed by these tools can expose users to serious risks, such as a remote attacker stealing multiple passwords from their PM. Similarly, [11] presented a technique, called AutoSpill, to leak users’ saved credentials during an autofill operation on a webpage loaded into an application’s WebView.
As a third tendency, some authors have followed forensic techniques to study the security of PM applications. In [12], three desktop PMs were analyzed, namely KeePass, Password Safe, and RoboForm, following a systematic forensic analysis approach. The findings of this study showed that unencrypted passwords and sensitive data were found in the clipboard, Temp folders, Page files, or the Recycle Bin. Moreover, the authors of [27] followed a digital forensic procedure to analyze the storage security of two Android PM applications. Their focus is, however, on protecting long-term data stored in Android devices, leaving out attacks targeting encryption keys in main system memory.
In a similar direction to our work, the study in [17] scrutinized the security of three open-source PMs against various types of attacks, both new and already known. The PMs they studied were Passbolt, Padlock, and Encryptr; among other vulnerabilities, the authors found that all three applications were susceptible to keyloggers and clipboard attacks. Additionally, the authors of [5] analyzed 5 popular PMs against already disclosed and newly discovered vulnerabilities. Notably, their findings indicated that 4 of the 5 studied PMs, namely Dashlane, LastPass, Keeper, and RoboForm, were prone to clipboard attacks.
When it comes to tools for password recovery from PMs, LaZagne [1] is an open-source application capable of retrieving locally stored computer passwords. It supports various methods that applications use to store their passwords, such as plaintext, APIs, custom algorithms, and databases. Among the supported applications are popular browsers, mail clients, chat apps, databases, and memory dumps from password managers such as Keepass. Pandora [4], the tool we have developed for our experiments, focuses on PMs and delves deeper than LaZagne. It uncovers passwords that are inadequately managed by 18 different PM implementations, spanning Windows apps, browsers, and browser plugins.
6 Conclusions
Password credentials are still the dominant way to perform user authentication. Nevertheless, with the numerous accounts that the average user manages today, it is challenging to create secure passwords while at the same time remembering them by heart. PMs come with the promise to fill this gap by generating strong passwords and storing them securely on desktop and mobile devices. But aside from the convenience provided by such applications and the common belief in their security, can they truly be trusted to deliver what they promise?
This paper provides an up-to-date security analysis of the main desktop and browser plugin PMs. This analysis is conducted under the strong but viable assumption that an adversary has gained access to the local system and is capable of dumping the respective processes. Our findings suggest that, across six exemplary from an end-user’s viewpoint scenarios, 75% of desktop PMs and 83% of browser PM plugins store passwords in plaintext in the system memory while in use. Among others, the key issue with these security-sensitive applications is that “storing” is done in a way that creates patterns, which can be easily discerned by the adversary. Even worse, this secret information not only remains in the memory for a significant time after serving its purpose but is also stored in multiple copies, simplifying the attacker’s job. A potential direction for future work is to extend this research to mobile platforms and various other popular applications of different kinds, including financial/banking, team collaboration, smart home, and more.
AlessandroZ: LaZagne. https://github.com/AlessandroZ/LaZagne. Accessed 14 Jan 2024
Apostolopoulos, D., Marinakis, G., Ntantogian, C., Xenakis, C.: Discovering authentication credentials in volatile memory of android mobile devices. In: Conference on e-Business, e-Services and e-Society, pp. 178–185 (2013)
Barten, D.: Client-side attacks on the lastpass browser extension (2019). https://api.semanticscholar.org/CorpusID:153315475
C.E.: Pandora. https://github.com/efchatz/pandora. Accessed 14 Jan 2024
Carr, M., Shahandashti, S.F.: Revisiting security vulnerabilities in commercial password managers. In: ICT Systems Security and Privacy Protection, pp. 265–279 (2020)
Chapman, R.: Sanitizing sensitive data: how to get it right (or at least less wrong...). In: Reliable Software Technologies – Ada-Europe 2017, pp. 37–52 (2017)
Chaudhary, S., Schafeitel-Tähtinen, T., Helenius, M., Berki, E.: Usability, security and trust in password managers: a quest for user-centric properties and features. Comput. Sci. Rev. 33, 69–90 (2019)
Cybernews: Chrome password managers: Best extensions in 2023. https://cybernews.com/best-password-managers/password-managers-for-chrome. Accessed 14 Jan 2024
Fagan, M., Albayram, Y., Khan, M.M.H., Buck, R.: An investigation into users’ considerations towards using password managers. HCIS 7(1), 12 (2017)
Fung, B., Sands, G.: Former SolarWinds CEO blames intern for ‘solarwinds123’ password leak. https://edition.cnn.com/2021/02/26/politics/solarwinds123-password-intern/index.html. Accessed 14 Jan 2024
Gangwal, A., Singh, S., Srivastava, A.: Autospill: credential leakage from mobile password managers. In: Proceedings of the Thirteenth ACM Conference on Data and Application Security and Privacy, pp. 39–47 (2023)
Gray, J., Franqueira, V.N.L., Yu, Y.: Forensically-sound analysis of security risks of using local password managers. In: 2016 IEEE 24th (REW), pp. 114–121 (2016)
hfiref0x: Defeating windows user account control. https://github.com/hfiref0x/UACME#readme. Accessed 14 Jan 2024
Kotadia, M.: Gates predicts death of the password. https://www.cnet.com/news/privacy/gates-predicts-death-of-the-password. Accessed 14 Jan 2024
Lee, J., Chen, A., Wallach, D.S.: Total recall: persistence of passwords in android. In: Proceedings 2019 Network and Distributed System Security Symposium (2019). https://api.semanticscholar.org/CorpusID:142503488
Li, Z., He, W., Akhawe, D., Song, D.: The \(\{\)Emperor’s\(\}\) new password manager: security analysis of web-based password managers. In: 23rd USENIX, pp. 465–479 (2014)
Luevanos, C., Elizarraras, J., Hirschi, K., Yeh, J.H.: Analysis on the security and use of password managers. In: 2017 18th (PDCAT), pp. 17–24 (2017)
Machine, W.: Counterpane systems brings the security of blowfish to a password database. https://web.archive.org/web/19980119124510. http://www.counterpane.com/passsafe.html. Accessed 14 Jan 2024
Malliaros, S., Ntantogian, C., Xenakis, C.: Protecting sensitive information in the volatile memory from disclosure attacks. In: 2016 11th International Conference on Availability, Reliability and Security (ARES), pp. 687–693 (2016)
Microsoft: Protecting anti-malware services. https://learn.microsoft.com/en-us/windows/win32/services/protecting-anti-malware-services-. Accessed 14 Jan 2024
Oesch, S., Ruoti, S.: That was then, this is now: a security evaluation of password generation, storage, and autofill in browser-based password managers. In: Proceedings of the 29th USENIX, pp. 2165–2182 (2020)
OWASP: Cryptographic storage. https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#minimise-the-storage-of-sensitive-information. Accessed 14 Jan 2024
OWASP: Secure product design. https://cheatsheetseries.owasp.org/cheatsheets/Secure_Product_Design_Cheat_Sheet.html. Accessed 14 Jan 2024
OWASP: Testing memory for sensitive data. https://mas.owasp.org/MASTG/tests/android/MASVS-STORAGE/MASTG-TEST-0011/. Accessed 14 Jan 2024
PASCU, L.: 29 vulnerabilities found in android password managers. https://www.bitdefender.com/blog/hotforsecurity/29-vulnerabilities-found-in-top-rated-password-managers-for-android/. Accessed 14 Jan 2024
Pearman, S., Zhang, S.A., Bauer, L., Christin, N., Cranor, L.F.: Why people (don’t) use password managers effectively. In: SOUPS 2019, pp. 319–338 (2019)
Sabev, P., Petrov, M.: Android password managers and vault applications: data storage security issues identification. J. Inf. Secur. Appl. 67(C) (2022)
Silver, D., Jana, S., Boneh, D., Chen, E., Jackson, C.: Password managers: attacks and defenses. In: 23rd USENIX, pp. 449–464 (2014)
sysdig: Keepass cve-2023-32784: Detection of processes memory dump. https://sysdig.com/blog/keepass-cve-2023-32784-detection/. Accessed 14 Jan 2024
Turton, W., Mehrotra, K.: Colonial Pipeline. https://www.governing.com/security/bad-password-gave-colonial-pipeline-hackers-access. Accessed 14 Jan 2024
Wired: The best password managers to secure your digital life. https://www.wired.com/story/best-password-managers/. Accessed 14 Jan 2024
Zhao, R., Yue, C., Sun, K.: Vulnerability and risk analysis of two commercial browser and cloud based password managers. Acad. Sci. Eng. Sci. J. 1, 183–197 (2013)
This work is supported by the Research Council of Norway through the SFI Norwegian Centre for Cybersecurity in Critical Sectors (NORCICS) project no. 310105 and by the European Union through the Horizon 2020 project PERSEUS (Grant No. 101034240).
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Open Access This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.
The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.
Copyright information
© 2024 The Author(s)
About this paper
Cite this paper
Chatzoglou, E., Kampourakis, V., Tsiatsikas, Z., Karopoulos, G., Kambourakis, G. (2024). Keep Your Memory Dump Shut: Unveiling Data Leaks in Password Managers. In: Pitropakis, N., Katsikas, S., Furnell, S., Markantonakis, K. (eds) ICT Systems Security and Privacy Protection. SEC 2024. IFIP Advances in Information and Communication Technology, vol 710. Springer, Cham. https://doi.org/10.1007/978-3-031-65175-5_5
Download citation
DOI: https://doi.org/10.1007/978-3-031-65175-5_5
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-65174-8
Online ISBN: 978-3-031-65175-5
eBook Packages: Computer ScienceComputer Science (R0)