17 July 2014

Researchers have recently identified a number of security holes in five different password manager products, used by millions of people to store and remember their online passwords.

The vulnerabilities were critical, meaning your credentials could (theoretically) be stolen.

The affected password managers included RoboForm, LastPass, My1Login, PasswordBox and NeedMyPassword.

Password managers are software tools that help you remember and manage the many logon details and other personal information you use online. They can be extremely helpful in ensuring your password is strong and unique for every site, and of course they remember those passwords for you. Many password managers also store other personal or financial information that can be entered automatically for you on websites you visit.

The companies involved have been notified of the vulnerabilities by the researchers, and all (except NeedMyPassword at the time of writing) have confirmed publicly that the issues have been fixed.

It should be emphasised that although some of these vulnerabilities may have existed for a number of months, they were only discovered in a research environment and were disclosed responsibly by the researchers (first to the affected companies and only made public after that).

There is no evidence to suggest these products have been targeted by attackers or that the vulnerabilities have been exploited. None of the companies involved have advised their customers to take action, but if you use one of these services you may wish to change your master password as a precaution.

Using password managers

For many people the simplicity, convenience and value of password managers justifies their use.

Password managers centralise all your security information into one system. This has many associated benefits, but it also creates risks. In particular, it creates potential for what is known as a single point of failure. If the password manager is hacked, all of your other systems are also exposed.

For most users, the benefit of having to remember just one password outweighs the risk (and any threat seen to date), but the vulnerabilities mentioned in this alert highlight why it is important for each individual to make this decision based on their own circumstances and security requirements.

Situations also change. While you might be comfortable using password managers now, in the future this may not be the case. It is important to stay informed about the services and products you use.

For some people, no risk is acceptable.

More information

Ars Technica provides a more technical discussion of the issue.

The researchers’ paper detailing the issues (PDF).

(Please note that clicking on this link may prompt your computer to remind you that opening 'some files can contain viruses or otherwise be harmful to your computer'. This is simply a reminder to be certain that links you click on are from trustworthy sources, which the Stay Smart Online Alert Service is).

The information provided here is of a general nature. Everyone's circumstances are different. If you require specific advice you should contact your local technical support provider.


Thank you to those subscribers who have provided feedback to our Alerts and Newsletters. We are very interested in your feedback and where possible take on board your suggestions or requests.


This information has been prepared by Enex TestLab for the Department of Communications ('the Department'). It was accurate and up to date at the time of publishing.

This information is general information only and is intended for use by private individuals and small to medium sized businesses. If you are concerned about a specific cyber security issue you should seek professional advice.

The Commonwealth, Enex TestLab, and all other persons associated with this advisory accept no liability for any damage, loss or expense incurred as a result of the provision of this information, whether by way of negligence or otherwise.

Nothing in this information (including the listing of a person or organisation or links to other web sites) should be taken as an endorsement of a particular product or service.

Please note that third party views or recommendations included in this information do not reflect the views of the Commonwealth, or indicate its commitment to a particular course of action. The Commonwealth also cannot verify the accuracy of any third party material included in this information.


Facebook: www.facebook.com/staysmartonline
Email: staysmartonline [at] communications.gov.au
Web: www.staysmartonline.gov.au

© 2013 Australian Government. All rights reserved
