Background: Password Safe (http://www.counterpane.com/passsafe.html) is a free Win9x/2000 utility used to keep all your passwords encrypted on the hard disk using Bruce Schneier's symmetric algorithm Blowfish.

Version tested: 1.7(1)

Vulnerability: Password Safe has an option (I think it is the default) to "lock password database on minimize and prompt on restore", and it is doing a good job, at least as far as I can tell without the source. It also looks like it is cleaning the memory, so there are no usernames/passwords exposed (this is what you expect from a well-designed password utility). However, in some cases the last entered username remains exposed in memory in cleartext. This happens, for example, if the user had on the screen the window with "Would you like to set "example_user" as your default username?" This could also be a Windows memory management problem, and there is probably a workaround.

The second problem (and the first in order of importance) is that you can find cleartext passwords in memory in some cases if you copy the password to the clipboard AND minimize Password Safe with both options "Clear the password when minimized" and "Lock password database on minimize and prompt on restore" activated. For this it is enough to click in a text box like Start/Run before minimizing Password Safe. The clipboard is cleared, but apparently Windows manages to copy the password into a buffer.

Conclusion: most likely the memory management in Windows plays a role in all these problems. The simplest way to prevent all these problems is to use a "lock" program that will force an attacker to reboot your computer in order to "get in" (this will not stop a motivated attacker from reading the memory contents directly, but that is not a technology within the reach of most individuals or organizations). Do not think that, because you are prompted for a password in order to access the minimized Password Safe, your passwords are really secure.

Password Safe is still a good product (as far as I know), but expect a little less protection if your laptop is stolen while Password Safe is running minimized.

More details: because I could not find a simple program to search memory on Win2k, I had to make all the tests on a fresh Win95. I expect the same results on Win98 and ME. No, I did not run any strange clipboard management program.

That's all for today, all the best to everyone,
Valentin Butanescu.
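The second problem in the post, a password surviving in a buffer the manager does not own after the manager has cleared its own copy, can be reproduced in miniature to show why a wipe has to cover every copy and how a defender checks that it did. The following is an added example in C, not code from the original post or from Password Safe: the memory arena, the "clipboard" buffer and the sample password are all constructed here, and secure_zero stands in for whatever clearing the real program does. count_occurrences plays the part of the memory-search tool the author used, applied to the program's own memory.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed arena standing in for process memory. Both the manager's
   buffer and the clipboard copy live inside it so one scan covers both,
   the way a memory-search tool scans a whole address space. */
#define ARENA_SIZE 256
#define CLIP_OFFSET 128
static unsigned char arena[ARENA_SIZE];

/* Zero through a volatile pointer so the compiler cannot treat the writes
   as dead stores and drop them (a plain memset on a buffer that is about
   to go out of scope is often elided). */
void secure_zero(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) *vp++ = 0;
}

/* Count occurrences of a byte pattern in a region: the check a defender
   runs to confirm a secret is really gone, not just believed gone. */
size_t count_occurrences(const unsigned char *region, size_t region_len,
                         const unsigned char *pat, size_t pat_len) {
    size_t hits = 0;
    if (pat_len == 0 || region_len < pat_len) return 0;
    for (size_t i = 0; i + pat_len <= region_len; i++)
        if (memcmp(region + i, pat, pat_len) == 0) hits++;
    return hits;
}

/* Model of the sequence in the post: the manager holds the password, a
   "copy to clipboard" duplicates it into a buffer the manager does not
   control, then the manager clears only its own buffer. Returns how many
   copies a scan of the arena still finds. Secrets longer than CLIP_OFFSET
   do not fit the model and are rejected. */
size_t residue_after_partial_wipe(const char *secret) {
    size_t n = strlen(secret);
    unsigned char *primary = arena;
    unsigned char *clip = arena + CLIP_OFFSET;
    if (n == 0 || n > CLIP_OFFSET) return (size_t)-1;
    secure_zero(arena, ARENA_SIZE);
    memcpy(primary, secret, n);   /* password loaded by the manager */
    memcpy(clip, primary, n);     /* copy handed to the clipboard */
    secure_zero(primary, n);      /* manager wipes only what it owns */
    return count_occurrences(arena, ARENA_SIZE,
                             (const unsigned char *)secret, n);
}

/* Same sequence, but every copy the program knows about is wiped. */
size_t residue_after_full_wipe(const char *secret) {
    size_t n = strlen(secret);
    unsigned char *primary = arena;
    unsigned char *clip = arena + CLIP_OFFSET;
    if (n == 0 || n > CLIP_OFFSET) return (size_t)-1;
    secure_zero(arena, ARENA_SIZE);
    memcpy(primary, secret, n);
    memcpy(clip, primary, n);
    secure_zero(primary, n);
    secure_zero(clip, n);         /* the clipboard copy is cleared too */
    return count_occurrences(arena, ARENA_SIZE,
                             (const unsigned char *)secret, n);
}

int main(void) {
    const char *secret = "constructed-test-password"; /* constructed sample */
    printf("copies left after wiping only the manager's buffer: %zu\n",
           residue_after_partial_wipe(secret));
    printf("copies left after wiping every copy:               %zu\n",
           residue_after_full_wipe(secret));
    return 0;
}
```

The first call reports one surviving copy, the second none. In a real program the clipboard copy is owned by the operating system rather than by a buffer the manager can address, which is exactly why the author's observation is hard to fix from inside Password Safe and why the practical mitigation is a scan like this one to confirm what is and is not left behind, rather than trusting that a clear command did its job.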