Thank you for bringing this ISE report to our attention. We do not currently do independent security testing for our system. However, we do do internal testing and have also used security consultants in the past. I've asked others here to go over the report and provide information on how fair it is and on our overall memory management. However, please note that this will take us some time to go over. Please also note, though, that as with 1Password, Dashlane, KeePass, and LastPass, we believe that if you are running on a system so compromised that third-party apps are collecting memory dumps, you have a lot more issues to worry about than our existing or non-existing memory leaks.
I always wished mSecure would do a third party security audit from a reputable company.
It might be expensive, but it would definitely give peace of mind to your users. Also, if any vulnerability were detected, it would be fixed.
I am not sure if you would do an audit anytime.
You can find the report linked here:
In brief, the report draws concern over security lapses found within several password keepers.
There was some form of response by the developers, which you may find interesting:
I can appreciate the amount of time dedicated to such a project. I'm unsure about the motive for such a report, but I'm not sure that matters now. The results were published with the stated objective to emphasize the need for best practices.
I don't want to assume, but I would like to think mSecure is already aware of these articles. I hope that mSecure has no flaws that would expose passwords in clear text in memory, but I think it would benefit the community of security-minded folks to know if you are having forensic testing conducted independently to assess the product. Or, at the very least, do so in private and make extensive corrections before someone combing through RAM dumps is able to locate a flaw.
On a personal note, I had just installed the mSecure for Windows 10 application for the first time. I had always used it on less vulnerable platforms. By less vulnerable I mean offline and controlled LAN environments. This article served as a reminder to me that, without validation from independent sources, we the home consumers are left to the claims of any developer until proven otherwise. I am very supportive of these products, and of security and encryption in general. I have also been an mSecure customer for a long time. I would love to see it survive any sort of scrutiny like in the articles above. I have seen some pretty nasty malware do some very specific deep dives for information, so let us hope password managers do not fall victim to any sort of compromise. I also believe pen testing and standardization are a good thing, and I'm hoping mSecure is ahead of the curve. I would love to see them respond to this report, even if they were not a subject, yet.
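The concern raised in this thread is that a password manager may leave the master password in clear text in process memory after it has been used, where a memory dump would expose it. The following C program is an added illustration of the defensive side of that concern; it is not code from mSecure or from the ISE report. It simulates a password being copied into a heap arena, used to derive a toy key, and then either wiped or left in place, and it counts how many copies of the secret remain in the arena afterwards, which is the check an analyst runs against a process dump. The `secure_wipe` helper and the sample password are constructed for this example; real code should use a platform primitive such as `explicit_bzero`, `memset_s` or `SecureZeroMemory`, which exist precisely so the compiler cannot drop the wipe as a dead store.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stddef.h>

/* Wipe that the compiler cannot drop as a dead store: every write goes
 * through a volatile pointer. Hypothetical helper for this example;
 * platforms provide explicit_bzero / memset_s / SecureZeroMemory. */
static void secure_wipe(void *p, size_t n) {
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}

/* Count occurrences of a secret inside a memory region: the same check
 * an analyst would run over a captured process dump. */
int secret_occurrences(const unsigned char *region, size_t region_len,
                       const unsigned char *secret, size_t secret_len) {
    int hits = 0;
    if (secret_len == 0 || region_len < secret_len) return 0;
    for (size_t i = 0; i + secret_len <= region_len; i++)
        if (memcmp(region + i, secret, secret_len) == 0) hits++;
    return hits;
}

/* Simulate the lifecycle of a master password inside a fixed "heap"
 * arena: copy it in, derive a toy key from it, then either wipe the
 * slot or leave it as is. Returns how many copies of the secret are
 * still present in the arena afterwards (-1 on allocation failure). */
int simulate_unlock(int wipe_after_use) {
    static const char secret[] = "correct-horse-battery-staple"; /* constructed sample password */
    const size_t slen = sizeof secret - 1;
    enum { ARENA = 256 };
    unsigned char *arena = calloc(ARENA, 1);
    if (!arena) return -1;

    unsigned char *pw = arena + 32;           /* where the password lands */
    memcpy(pw, secret, slen);

    /* "Use" the password: derive a toy key so the copy is genuinely live. */
    unsigned char key = 0;
    for (size_t i = 0; i < slen; i++) key ^= pw[i];
    (void)key;

    if (wipe_after_use) secure_wipe(pw, slen); /* the step that is easy to forget */

    int hits = secret_occurrences(arena, ARENA,
                                  (const unsigned char *)secret, slen);
    free(arena);
    return hits;
}

int main(void) {
    printf("without wipe: %d copies of the secret remain in the arena\n",
           simulate_unlock(0));
    printf("with wipe:    %d copies of the secret remain in the arena\n",
           simulate_unlock(1));
    return 0;
}
```

Without the wipe the secret is still findable after use; with it the scan comes back empty. In a real application the same scan has to be repeated for every copy the program makes (UI widgets, string conversions, allocator reuse), which is why an independent review that actually inspects memory, as the users above ask for, catches cases a code read-through misses.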