9 Popular Password Manager Apps Found Leaking Your Secrets

Discussion in 'Chit Chat' started by CHEF-KOCH, Mar 3, 2017.

  1. CHEF-KOCH

    CHEF-KOCH MDL Addicted

    Jan 7, 2008
    941
    879
    30
    Is anything safe? It's 2017, and the likely answer is NO.

    [h=4]MyPasswords[/h]

    • Read Private Data of My Passwords App
    • Master Password Decryption of My Passwords App
    • Free Premium Features Unlock for My Passwords


    [h=4]1Password – Password Manager[/h]

    • Subdomain Password Leakage in 1Password Internal Browser
    • HTTPS downgrade to HTTP URL by default in 1Password Internal Browser
    • Titles and URLs Not Encrypted in 1Password Database
    • Read Private Data From App Folder in 1Password Manager
    • Privacy Issue, Information Leaked to Vendor 1Password Manager


    [h=4]LastPass Password Manager[/h]

    • Hardcoded Master Key in LastPass Password Manager
    • Privacy, Data leakage in LastPass Browser Search
    • Read Private Data (Stored Master password) from LastPass Password Manager


    [h=4]Informaticore Password Manager[/h]

    • Insecure Credential Storage in Microsoft Password Manager


    [h=4]Keeper Password Manager[/h]

    • Keeper Password Manager Security Question Bypass
    • Keeper Password Manager Data Injection without Master Password


    [h=4]Dashlane Password Manager[/h]

    • Read Private Data From App Folder in Dashlane Password Manager
    • Google Search Information Leakage in Dashlane Password Manager Browser
    • Residue Attack Extracting Master Password From Dashlane Password Manager
    • Subdomain Password Leakage in Internal Dashlane Password Manager Browser


    [h=4]F-Secure KEY Password Manager[/h]

    • F-Secure KEY Password Manager Insecure Credential Storage


    [h=4]Hide Pictures Keepsafe Vault[/h]

    • Keepsafe Plaintext Password Storage


    [h=4]Avast Passwords[/h]

    • App Password Stealing from Avast Password Manager
    • Insecure Default URLs for Popular Sites in Avast Password Manager
    • Broken Secure Communication Implementation in Avast Password Manager

    Good thing is most of the applications already got an update! :sneaky:
     
  2. lobo11

    lobo11 TOMAHAWK CHOP

    Feb 16, 2012
    6,375
    4,040
    210
    I use Roboform, is that safe:confused:
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  3. Tiger-1

    Tiger-1 MDL Guru

    Oct 18, 2014
    2,841
    2,910
    90
    @CK I think that nobody are safe dude :mushy: still I don't remember who I used when MDL suffer attack but remember that I follow Daz instructions so I'm sure I'm secure :)
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  4. CHEF-KOCH

    CHEF-KOCH MDL Addicted

    Jan 7, 2008
    941
    879
    30
    KeePass is secure. :mushy:
     
  5. jayblok

    jayblok MDL Guru

    Dec 26, 2010
    3,142
    2,460
    120
    I keep my passwords in my little book :rolleyes:
    [​IMG]
     
  6. CHEF-KOCH

    CHEF-KOCH MDL Addicted

    Jan 7, 2008
    941
    879
    30
  7. Katzenfreund

    Katzenfreund MDL Expert

    Jul 15, 2016
    1,372
    804
    60
    Everybody should know by now that one should be suspicious of anything on the web. [​IMG]

    So I'd say it serves right those who trust their passwords to an app written by someone else.

    Yet, the answer is simple. Just make a word document protected by one password you can remember. Put all your passwords in that document.

    For convenience, you can tick being kept logged in on boards.
    [​IMG]
     
  8. lostpassword

    lostpassword MDL Member

    Nov 21, 2009
    198
    14
    10
    Agree 100% - I use an Excel Document, as I find it easier to use, obviously password protected. I also create an encrypted RAR file containing the protected Excel File with a longer password, and send that to my GMAIL account. Might have to use a different extension. I have read that a password protected WORD/EXCEL file can be cracked in seconds by an expert, but a long password protected encrypted RAR file is more secure. Would be interested if one of the experts would give their opinion.
     
  9. CHEF-KOCH

    CHEF-KOCH MDL Addicted

    Jan 7, 2008
    941
    879
    30
  10. Katzenfreund

    Katzenfreund MDL Expert

    Jul 15, 2016
    1,372
    804
    60
    From what I know, passwords of old Office editions up to 2003 can be cracked. But the 128 bit key protection of later editions is secure. Provided of course you don’t use trivial passwords.
     
  11. JFKI

    JFKI MDL Expert

    Oct 25, 2015
    1,098
    369
    60
  12. Tiger-1

    Tiger-1 MDL Guru

    Oct 18, 2014
    2,841
    2,910
    90
    yep CK this application seem very good, thanks for the heads up :)
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  13. Katzenfreund

    Katzenfreund MDL Expert

    Jul 15, 2016
    1,372
    804
    60
    Enlightening article, thanks, though I was not talking about protection from the NSA, FBI & Co, who have the most sophisticated means at their disposal.

    If fact, I’ve always maintained that there’s no full security on the web, you can’t stop all monitoring, and the harder you try to disguise yourself, e.g. by using proxies, the more likely you’ll attract the attention of these people. All you can do is wear a tin hat.
    I’ve always maintained the above, e.g. here;
    https://forums.mydigitallife.net/th...ing-in-Win10?p=1320737&viewfull=1#post1320737
    Your article supports my positions.

    But here I was referring to individual hackers cracking your password specifically in word and excel. And unless you’re marked as a national security threat, you should be safe with newer Office editions. In fact, I even contend you should be safer than using any password managing app written by someone else.
     
  14. Joe C

    Joe C MDL Guru

    Jan 12, 2012
    2,365
    1,265
    90
    Don't need an app to keep my passwords!
    Just use 123456 on everything!!!!
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  15. Joe C

    Joe C MDL Guru

    Jan 12, 2012
    2,365
    1,265
    90
    On a more serious note, Like Jayblok I use a book to keep my passwords
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  16. Katzenfreund

    Katzenfreund MDL Expert

    Jul 15, 2016
    1,372
    804
    60
    Using a book may not protect against a burglar stealing computer and book, unless the book is well hidden elsewhere, in which case it's inconvenient to use by the owner himself.
     
  17. JFKI

    JFKI MDL Expert

    Oct 25, 2015
    1,098
    369
    60
    Think about what you said above.

    Many of the 3 letter agencies "geniuses" who figured out how to crack that encryption have been "rescued" from prison terms.
    If those people figured it out, who is to say that someone who is smart enough to avoid capture can't ?

    In fact considering all the so called leaks and hacks in the past few years I posit that they already have. ;)
     
  18. Michaela Joy

    Michaela Joy MDL Crazy Lady

    Jul 26, 2012
    3,531
    3,743
    120
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  19. dhjohns

    dhjohns MDL Guru

    Sep 5, 2013
    3,218
    1,646
    120
    Never, ever use a password manager. Find ONE password you like, and stick to it. If you can't remember it tape it to the back of your keyboard. I am completely serious. I have two passwords. That is it.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  20. Joe C

    Joe C MDL Guru

    Jan 12, 2012
    2,365
    1,265
    90
    Wrong Wrong Wrong Wrong Wrong Wrong

    How are you ever going to find your password taped to the back of your keyboard?....You must tape it on the front
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...