How to find passwords in memory (password managers)

First off I used google academic to find papers about LastPass, password managers and memory forensics. It was the last one I found to be more helpful

Amari, K. (2009) Techniques and Tools for Recovering and Analysing Data from Volatile Memory.

After gaining an understanding memory extracting and analysis I created a windows 7 virtual machine with 2 GB of RAM, installed some browsers made a few accounts on various websites, installed LastPass, restarted the machine and captured a memory dump using DUMPIT (Search DUMP IT Memory dump). I analyzed the memory dump using SIFT Workstation, in the terminal I used the command

strings windows7.raw | grep “password” > output.txt 

Swapping "password" for email addresses, known passwords of the fake accounts, website names etc.. I found nothing, so the memory was clean.

I then logged into LastPass and took another memory dump using the same tool. Analyzing this file highlighted a bunch of hashed values, which confirmed what LastPass says on its site - LastPass stores encrypted hash values in memory.

Next I decided to log into websites and accounts but not all of them just a random number of them and took another memory dump. Using the same methods as before I found decrypted passwords, email address and other information this means that when you visit a website that LastPass has a password for, it decrypt's it and stores in the memory for your browser to use. I should also state that even if you don’t use LastPass and instead use a browser(s) built in password managers you will get the same results.

So you might say that I needed to know the password in the first place, I didn’t as simply searching for “pass” or in the case of google websites “Passwd” in the memory dump gave the passwords.

YouTube password in memory dump

If I do this again I would do all the same steps above however, I would log out the windows account and into another account to see if I can get the the passwords from that memory dump, I suspect you would meaning you can log into a public computer and obtain the previous users passwords from there memory dump.

I would say that LastPass is secure until you log into a website, its very unlikely anyone will be able to decrypted the hashed values. In the end don't use LastPass or any other password on a public computer.


Maybe a simple way to proceed with such research would be to use some of the tools normally dedicated to game cheating by analyzing and directly editing the target software memory content. Search for things like "game memory search cheat" on your favorite search engine, and you should find several of them.

The programs I'm referring to take a snapshot of the target application virtual memory, and then allows you to:

  • Search for specific value (including text value in some case, which should definitely interest you, since it would allow you to search for your password),
  • Compare snapshots taken at different times in order to analyze changes.

The following Google search produces a number of academic papers.

inurl:\.edu\/ filetype:pdf password manager

As a test you could run bulk_extractor on a memory image looking for a known username/password combination.