The Open Source Security Foundation (OpenSSF), in partnership with security firm NCC Group, has published the results of a comprehensive independent security audit covering eight of the most widely used password managers. The audit uncovered concerning patterns in how multiple products handle sensitive data in memory: a class of vulnerability that could expose decrypted passwords to sophisticated attackers with local system access.


Audit Scope


The eight password managers evaluated were: Bitwarden, 1Password, LastPass, Dashlane, KeePass, Keeper, NordPass, and RoboForm. The audit covered desktop clients for Windows and macOS, mobile apps for iOS and Android, and browser extensions for Chrome and Firefox. NCC Group conducted source code review (for open-source products), binary analysis, and runtime memory inspection.


Key Finding: Memory Retention of Sensitive Data


Six of eight password managers retain decrypted vault contents in process memory significantly longer than their documented auto-lock behavior would suggest, and in some cases, indefinitely until application restart.


Specifically, the audit found:

  • Two market-leading products (unnamed pending patch deployment) kept full plaintext vault contents in heap memory even after the vault was locked.
  • Four additional products retained individual decrypted passwords in memory for 30 to 900 seconds after the user accessed them.
  • An attacker or malware with the ability to read process memory could extract all stored passwords without knowing the master password.


Positive Findings


Bitwarden and KeePass received the highest marks overall. Bitwarden's memory handling was rated best in class, with aggressive secret clearing after use and proper SecureString usage. KeePass's open-source nature allowed complete code verification.
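The retention pattern described in the key findings and the "aggressive secret clearing after use" credited to the best-rated product, as an added C example that is not from the audit report or any vendor's code: a constructed toy vault whose lock routine either leaves the decrypted buffer in the heap or wipes it through a volatile pointer, plus a count of how many secret bytes a later read of process memory would still recover. All names and the sample secret are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Toy vault holding one decrypted entry on the heap (constructed example). */
typedef struct { uint8_t *plaintext; size_t len; int locked; } vault_t;

/* Zero through a volatile pointer so the compiler cannot drop the stores. */
static void secure_zero(void *p, size_t n) {
    volatile uint8_t *vp = (volatile uint8_t *)p;
    while (n--) *vp++ = 0;
}

/* Stand-in for decrypting the vault: copies the secret into heap memory. */
static int vault_unlock(vault_t *v, const char *secret) {
    v->len = strlen(secret);
    v->plaintext = malloc(v->len + 1);
    if (!v->plaintext) return -1;
    memcpy(v->plaintext, secret, v->len);
    v->locked = 0;
    return 0;
}

/* The pattern the audit flagged: "lock" only flips a flag, plaintext stays. */
static void lock_flag_only(vault_t *v) { v->locked = 1; }

/* Hardened form: wipe the decrypted bytes before reporting the vault locked. */
static void lock_and_wipe(vault_t *v) {
    secure_zero(v->plaintext, v->len);
    v->locked = 1;
}

/* Non-zero bytes still in the buffer: what a memory read after lock sees. */
static size_t residual_secret_bytes(const vault_t *v) {
    size_t n = 0;
    for (size_t i = 0; i < v->len; i++) n += (v->plaintext[i] != 0);
    return n;
}

/* Unlock, lock with the chosen strategy, measure what is left, then release. */
static size_t residual_after_lock(const char *secret, int wipe) {
    vault_t v = {0};
    if (vault_unlock(&v, secret) != 0) return (size_t)-1;
    if (wipe) lock_and_wipe(&v); else lock_flag_only(&v);
    size_t left = residual_secret_bytes(&v);
    secure_zero(v.plaintext, v.len);  /* always wipe before freeing */
    free(v.plaintext);
    return left;
}
```

A real client would apply the same wipe to every copy of a secret (clipboard buffers, UI strings, temporary decryption buffers), not just the vault structure.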


Vendor Responses


All six affected vendors were notified 90 days before publication. Four have released patches addressing the most severe findings. Two are still in remediation, with patches expected in Q1 2025.


Recommendations for Users


  • Enable application memory protection features if available.
  • Use the system keychain, where available, for storing the master password.
  • Avoid running untrusted software on systems where password managers are actively in use.
  • Consider open-source and independently audited password managers as a selection criterion.