It's like leaving your keys under your PC's doormat



The researchers from ISE (read: white hats, aka the good hackers) said that the password managers they examined don't always encrypt or clear passwords from the computer's memory when they transition from an unlocked state (the password manager is running and the vault is open) to a locked state (the user has locked the vault or logged out).

1Password, in particular, keeps the master password in memory while unlocked and fails to clear it out when it goes back to its locked state. In some cases, the master password can even be read in clear text while the software is locked. Yep, in a way, it's like leaving your keys under your doormat.

Surprisingly, 1Password's newer version, 1Password 7, is even worse: in ISE's test it decrypted all individual passwords on unlock, cached them all in the computer's memory, and failed to clear them out when it transitioned from its unlocked state back to its locked state.

In Dashlane's case, only the last active entry is exposed in memory while it's unlocked, but once a user updates any information in an entry, the entire database is exposed in plaintext in the computer's memory. Worse, that data then remains there even after the user logs out of Dashlane.

Similarly, KeePass and LastPass showed the same weakness, keeping some of their entries unencrypted in the computer's memory even after returning to their locked states.

In most cases, closing out of a password manager completely (not just logging out of it) is the only way to clear the cached passwords from your computer's memory.
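To make the difference between a "locked" flag and actually cleared memory concrete, here is an added example in C that is not part of the original article and not code from ISE or from any of the password managers named. It models a toy vault with a hypothetical `vault_lock_naive` that only flips the lock state and a `vault_lock_scrubbed` that overwrites the secret first, and a `secret_in_memory` check that scans the object's raw bytes for the plaintext, the way a memory dump or debugger would. The struct, function names and the sample password are all constructed for the illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_SECRET 64

/* Hypothetical toy vault: a fixed buffer that holds the master password
 * while unlocked, plus a flag that records the lock state. Constructed
 * for illustration; not any real password manager's data structure. */
struct vault {
    int unlocked;
    char master[MAX_SECRET];
};

/* Best-effort secure zero. Writing through a volatile pointer keeps the
 * compiler from deleting the wipe as a "dead store" once it notices the
 * buffer is never read again. Platform calls such as memset_s or
 * explicit_bzero exist for the same purpose where available. */
static void secure_zero(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) *vp++ = 0;
}

/* Unlock: copy the master password into the vault's buffer. */
void vault_unlock(struct vault *v, const char *master_password) {
    strncpy(v->master, master_password, MAX_SECRET - 1);
    v->master[MAX_SECRET - 1] = '\0';
    v->unlocked = 1;
}

/* Naive lock: flips the state flag and nothing else. The program now
 * reports "locked", but the plaintext is still sitting in memory, which
 * is the pattern the article describes. */
void vault_lock_naive(struct vault *v) {
    v->unlocked = 0;
}

/* Scrubbing lock: overwrite the secret before reporting "locked". */
void vault_lock_scrubbed(struct vault *v) {
    secure_zero(v->master, sizeof v->master);
    v->unlocked = 0;
}

/* Memory check in the spirit of a memory-dump search: scan the raw bytes
 * of the vault object for the plaintext. Returns 1 if found, else 0. */
int secret_in_memory(const struct vault *v, const char *needle) {
    const unsigned char *hay = (const unsigned char *)v;
    size_t hay_len = sizeof *v;
    size_t needle_len = strlen(needle);
    if (needle_len == 0 || needle_len > hay_len) return 0;
    for (size_t i = 0; i + needle_len <= hay_len; i++) {
        if (memcmp(hay + i, needle, needle_len) == 0) return 1;
    }
    return 0;
}

/* Run unlock -> lock -> scan with a constructed sample password and
 * return 1 if the plaintext survives the given lock routine. */
int plaintext_survives_lock(void (*lock)(struct vault *)) {
    static const char sample[] = "correct horse battery staple"; /* constructed */
    struct vault v;
    memset(&v, 0, sizeof v);          /* start from known bytes, no stale padding */
    vault_unlock(&v, sample);
    lock(&v);
    return secret_in_memory(&v, sample);
}

int main(void) {
    printf("naive lock, plaintext still in memory:     %d\n",
           plaintext_survives_lock(vault_lock_naive));
    printf("scrubbing lock, plaintext still in memory: %d\n",
           plaintext_survives_lock(vault_lock_scrubbed));
    return 0;
}
```

Two caveats a practitioner would add. First, a plain `memset` right before the buffer goes out of use is often optimized away, which is why the wipe goes through a volatile pointer (or a dedicated call such as `explicit_bzero`). Second, scrubbing the vault's own buffer does nothing about copies the program never controlled, such as those made by a GUI toolkit or the clipboard, so on a real process the check is a full memory dump rather than a scan of one object.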