An Analysis of Some Password Managers

Over at the Independent Security Evaluators site they have an interesting article on the security of several password managers. It’s virtually universal advice from security experts that you should use a password manager and the authors of the article emphatically agree. They note, however, that every one they examined leaked some information. An attacker would have to have access (either physical or network) to the machine the password manager was on to exploit these leaks but it’s good to have the problems revealed so that the vendors can fix them.

The article begins by proposing a list of security guarantees a password manager should provide and then examines how well those guarantees are met. They look at

  • 1Password4
  • 1Password7
  • Dashlane
  • KeePass
  • LastPass

all running under Windows 10.

The article doesn’t call out any actions for users other than to use a strong master password. My only experience has been with 1Password and they are diligent about fixing problems that come up. On the other hand, it’s discouraging that version 7 leaked more information than version 4 but they’re undoubtedly aware of this research and I expect they will fix things.

The other caveat is that only the Windows 10 versions were tested but there’s probably little reason to expect that the versions for other operating systems would be much different. Again, even the researchers say that password managers are great applications and that you should continue to use one.
