Security researchers: Password managers suffer from insecure memory management

Posted on Wednesday, February 20 2019 @ 14:59 CET by Thomas De Maesschalck
Security researchers at ISE discovered that many popular password managers do not have secure memory management. Software like 1Password, KeePass, LastPass, and Dashlane all contain memory management vulnerabilities that could allow malware to steal the master password or individual passwords stored by applications.

As such, ISE notes that using these password managers isn't a whole lot safer than storing your passwords in an unsecured flat text file:
Password managers allow the storage and retrieval of sensitive information from an encrypted database. Users rely on them to provide better security guarantees against trivial exfiltration than alternative ways of storing passwords, such as an unsecured flat text file. In this paper we propose security guarantees password managers should offer and examine the underlying workings of five popular password managers targeting the Windows 10 platform: 1Password 7 [1], 1Password 4 [1], Dashlane [2], KeePass [3], and LastPass [4]. We anticipated that password managers would employ basic security best practices, such as scrubbing secrets from memory when they are not in use and sanitization of memory once a password manager was logged out and placed into a locked state. However, we found that in all password managers we examined, trivial secrets extraction was possible from a locked password manager, including the master password in some cases, exposing up to 60 million users that use the password managers in this study to secrets retrieval from an assumed secure locked state.
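
The two practices the abstract expected, scrubbing secrets when they are not in use and sanitizing memory on lock, shown as an added example that is not taken from the ISE paper or from any of the named products. The `vault_t` layout, the function names and the toy key derivation are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical vault state for illustration; not any product's real layout. */
typedef struct {
    unsigned char key[32];  /* derived from the master password */
    char entry[128];        /* most recently decrypted entry */
    int unlocked;
} vault_t;

/* Volatile stores cannot be dropped as dead writes (cf. SecureZeroMemory). */
static void secure_wipe(void *p, size_t n) {
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}

/* Toy stand-in for a real KDF (constructed; never use for key derivation). */
static void toy_derive(const char *pw, size_t len, unsigned char key[32]) {
    for (size_t i = 0; i < 32; i++)
        key[i] = (unsigned char)(pw[i % len] ^ (0x5a + i));
}

/* Unlock: the password only feeds the KDF, so scrub it right afterwards. */
int vault_unlock(vault_t *v, char *pw, size_t pw_cap, const char *entry) {
    const char *end = memchr(pw, 0, pw_cap);
    int ok = end && end != pw && strlen(entry) < sizeof v->entry;
    if (ok) {
        toy_derive(pw, (size_t)(end - pw), v->key);
        strcpy(v->entry, entry);
        v->unlocked = 1;
    }
    secure_wipe(pw, pw_cap);  /* scrub on success and on failure */
    return ok ? 0 : -1;
}

/* Lock: scrub every secret-bearing field, not just the state flag. */
void vault_lock(vault_t *v) {
    secure_wipe(v->key, sizeof v->key);
    secure_wipe(v->entry, sizeof v->entry);
    v->unlocked = 0;
}

/* Check: count non-zero bytes left in the secret fields of the struct. */
size_t vault_residue(const vault_t *v) {
    const unsigned char *p = (const unsigned char *)v;
    size_t n = 0;
    for (size_t i = 0; i < offsetof(vault_t, unlocked); i++) n += (p[i] != 0);
    return n;
}
```

A residue check like `vault_residue` fits in a unit test that runs after every lock transition, so a newly added secret-bearing field that is not scrubbed shows up as a failing test.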

