A report by a group called Independent Security Evaluators was published today, which claims that 1Password 7 for Windows is failing to implement basic secure memory management controls. The report is available here.
In short, the findings are that (1) when unlocked, 1Password keeps in memory, unencrypted, every item in its database (i.e., all passwords are loaded into memory, rather than just the password for the item you are viewing); and (2) when transitioning from an unlocked to a locked state, 1Password fails to clear from memory the Master Password, Secret Key, and the decrypted items.
The researchers claim to have developed a tool that is able to read, without any administrative permissions whatsoever, the memory that is allocated to 1Password to extract all of these items, with the only requirement being that 1Password had at some point during the session been running and unlocked (even if it had since been locked).
With a closed-source password manager such as 1Password, customers place a tremendous amount of trust in the developers to ensure that security best practices are baked into the SDLC -- more so than with any other product, save for (perhaps) an OS. The findings that were announced today, if true, cannot but put a dent in that trust. Customers deserve a thorough response from the 1Password team.
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
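Added example, not code from 1Password or from the ISE report: a constructed C model of the unlocked-to-locked transition the findings describe, where locking wipes the master password, secret key and every decrypted item with a zeroisation the compiler cannot optimise away, followed by a residue check of the kind a test harness would run over the state block afterwards. The `vault_t` layout and the helper names are assumptions for illustration.

```c
#include <string.h>

#define SECRET_LEN 64
#define MAX_ITEMS 4

/* Constructed model of a password manager's unlocked state (not 1Password's
   own code): master password, secret key and decrypted items in plain memory. */
typedef struct {
    char master_password[SECRET_LEN];
    char secret_key[SECRET_LEN];
    char items[MAX_ITEMS][SECRET_LEN];
    size_t item_count;
    int unlocked;
} vault_t;

/* Zeroisation the optimizer cannot drop as a dead store: every write goes
   through a volatile pointer, so it counts as an observable side effect.
   Production code uses SecureZeroMemory / explicit_bzero / memset_s instead. */
static void secure_zero(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) *vp++ = 0;
}

static int vault_unlock(vault_t *v, const char *master, const char *key) {
    if (strlen(master) >= SECRET_LEN || strlen(key) >= SECRET_LEN) return 0;
    memset(v, 0, sizeof *v);
    strcpy(v->master_password, master);
    strcpy(v->secret_key, key);
    v->unlocked = 1;
    return 1;
}

/* In this model an item is decrypted into the vault while it is unlocked. */
static int vault_add_item(vault_t *v, const char *plaintext) {
    if (!v->unlocked || v->item_count >= MAX_ITEMS || strlen(plaintext) >= SECRET_LEN) return 0;
    strcpy(v->items[v->item_count++], plaintext);
    return 1;
}

/* Lock: wipe the whole state block, not selected fields, so the master
   password, the secret key and every decrypted item leave memory together. */
static void vault_lock(vault_t *v) {
    secure_zero(v, sizeof *v);
}

/* Residue check to run over the block after locking: 1 if any byte is set. */
static int has_residue(const void *p, size_t n) {
    const unsigned char *b = p;
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++) acc |= b[i];
    return acc != 0;
}
```

The wipe covers only this block; copies the UI layer or runtime makes (managed strings, clipboard buffers, freed heap chunks) have to be tracked and cleared the same way, which is what a memory-residue test against the real process would catch.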