Connect with us

Hi, what are you looking for?



Hardware-based Password Managers Store Credentials in Plaintext

A security researcher has analyzed three hardware-based password vaults and discovered that credentials are stored in plaintext and survive hardware resets. 

A security researcher has analyzed three hardware-based password vaults and discovered that credentials are stored in plaintext and survive hardware resets. 

The investigation into these three standalone password managers has revealed that, through hardware hacking, it is possible to read data directly from the chips on the board, security researcher Phil Eveleigh explains. 

Eveleigh tested RecZone Password Safe, passwordsFAST, and Royal Vault Password Keeper devices. A passcode is used to secure these devices, and users are also provided with the ability to add in the URL, username, and password for each site. 

“However one thing I did find consistent across all devices is the keyboard is hard to use and doesn’t encourage strong, complicated passwords,” the researcher explains. 

The analysis, Eveleigh says, starts with adding data to the device, then removing the device’s case to access the board and inspect it. 

The RecZone device has a basic board and uses an 8-pin flash chip to store data. The researcher was able to power the device’s chip through a Raspberry Pi and discovered that, once connected, the Pi could read the data on it and that the data was stored in plain text. 

Furthermore, he discovered that, even after resetting the device, the data was still present on the chip. The master 4 digit pin set after the reset was also present on the device, also in plaintext. 

Advertisement. Scroll to continue reading.

“What this means is if a user presses the reset button and sells the device, all of their passwords can still be read in plain text directly off the chip,” the researcher notes. 

Eveleigh says he contacted the manufacturer to inform them on the vulnerability, but did not receive a response. 

passwordsFAST requires a specific debugger and software to read the firmware from the chip, doesn’t support JTAG and doesn’t have a built in AES encryption module. 

The researcher was able to power it via the Raspberry Pi and discovered that the data was stored encrypted, apparently using a different encryption key for each device. 

To access the data, one would need to dump the firmware of the MCU and analyze the manner in which the information is being processed, or to try cryptoanalysis on the encrypted data, both techniques believed to be rather difficult to perform.

“There are some similarities between the two devices so far, they both use flash to store the data which means that the data can be read from both of them with basic cheap equipment,” the researcher notes. 

Royal’s Vault Password Keeper uses two boards, one with a SPI flash on it, which was found empty, and another with CMOS flash, which requires a universal programmer is required to read the chip.

What the researcher discovered was that the CMOS flash chip contained data from multiple users, suggesting the device was repurposed several times. 

While the data was held encrypted, the researcher identified the master pin within the data and then was able to decrypt the data by discovering encryption patterns. 

“This opens the device up to exploitation, where all the data off any of the devices can be decoded. We reached out to Royal to inform them of this security vulnerability, however they did not respond,” Eveleigh says. 

Related: Google’s USB-C Titan Security Key Arrives in the U.S.

Related: 1Password Raises $200 Million in Series A Funding

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.