Most password managers on the market require only the user's master password to access their password vault. If the master password is compromised, a cybercriminal could
Content originally created and published by Venak Security.
A deep dive into password managers vs. real-world threats
In a world dominated by digital credentials, securing your passwords is a non-negotiable part of cybersecurity. Password managers offer encrypted vaults, secure autofill, and password generation. However, these tools also attract password-stealing malware designed to exfiltrate stored credentials.
Windows 10 and 11 employ memory isolation so that processes run in separate virtual address spaces. However, a standard user process can still access the memory of another user-mode process under certain conditions. This raises concerns that malware (running as a normal user) could read sensitive information (passwords, authentication tokens, etc.) straight from the memory of browsers or password managers.
Windows does not prevent a non-elevated program from reading the memory of another program running under the same user context. The consequence is that sensitive data kept in memory by applications can be targeted by local malware.
This article explores how well leading password managers like NordPass, Proton Pass, 1Password, LastPass, Bitwarden, Dashlane and Keeper hold up against real-world malware threats.
Keeper Forcefield
Keeper Security has introduced a new product called Keeper Forcefield that closes a critical gap in Windows security by blocking unauthorized memory access to sensitive applications.
Windows allows processes running under the same user to inspect each other’s memory—a well-known weakness that malware exploits to steal passwords, session tokens, and other secrets from browsers and password managers. Forcefield enforces kernel-level memory protection to prevent this, even from non-privileged malware, without impacting usability.
What are password stealers?
A wide array of credential-stealing malware (“infostealers”) and spyware take advantage of this capability to dump process memory or otherwise scrape sensitive user data.
Password stealers are malicious programs that silently harvest saved credentials from browsers and apps. Notorious examples include:
- RedLine Stealer
- Raccoon Stealer
- Vidar
- Lumma Stealer
Password stealers commonly lift passwords saved in browsers or held in process memory. In many cases, they leverage standard API calls (OpenProcess/ReadProcessMemory) or inject code into running processes to extract credentials. For instance, an infostealer might inject into a browser process to intercept form data, or simply dump the process memory and search it for patterns that match passwords.
The key point is that user-mode malware does not necessarily need to exploit a software vulnerability to get passwords – it can directly read them from memory if they are present in an accessible process. Session hijacking, stealing web session cookies from memory, has become an attractive technique for bypassing multi-factor authentication.
These threats may arrive via phishing emails, fake software, or browser vulnerabilities. Once active, they target passwords, cookies, authentication tokens, and even 2FA codes.
Common attack vectors
1. Browser-based password storage
Storing passwords in browsers offers convenience but lacks the encryption and safeguards of dedicated managers. Browser storage is especially vulnerable to keyloggers and Trojans.
2. Phishing and social engineering
Even secure managers can be compromised if users are tricked into revealing their master password. Fake login pages and social engineering are common tactics.
3. Malware and ransomware
Advanced malware targets both browser-stored passwords and vault contents. Some ransomware also seeks to exfiltrate credentials before locking files.
OS design: Process memory isolation (or lack thereof)
Modern operating systems give each process its own memory space, preventing arbitrary reads/writes across processes. In practice, though, Windows treats processes running under the same user account as being in the same trust domain unless additional sandboxing is in place. If a process has the appropriate permissions (which can simply mean it’s running as the same user and integrity level as the target process), it can use Windows APIs to open and read another process’s memory (malware – Can data be stolen from RAM in use – Information Security Stack Exchange). In other words, two processes running as the same logged-in user are generally not hardened against each other – the OS will allow one to OpenProcess on the other and call ReadProcessMemory (or even inject code via WriteProcessMemory) as long as no explicit security boundary (like a different user account or sandbox) is violated (malware – Can data be stolen from RAM in use – Information Security Stack Exchange).
It’s important to note what is considered a security boundary by Microsoft. Windows regards different user accounts and certain sandbox contexts (like AppContainer) as security boundaries, but not the boundary between two processes of the same user by default. A Microsoft Security Response Center document implies that an “unauthorized” process shouldn’t access another process’s data (Microsoft Security Servicing Criteria for Windows) – but in Windows, a process running as the owner user is typically authorized to do exactly that. This is by design: once malicious code runs with your user privileges, it can generally do anything you could do. Some exceptions exist (for example, Protected Processes for anti-malware and system services, or AppContainer isolation used by some apps), but typical user applications like browsers or password managers do not run as protected processes, and their memory isn’t inherently off-limits to other programs running as the same user.
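The same-user memory access described above is also what a defender can watch for. As an added example (not from the article or from any vendor), the Python below flags Sysmon Event ID 10 (ProcessAccess) records in which a process outside an allowlist obtained PROCESS_VM_READ or PROCESS_VM_WRITE on a password manager or browser process. It assumes Sysmon is deployed with ProcessAccess logging and that each event has been flattened to one key=value line; the executable names and the allowlist are assumptions to tune per environment.

```python
# Added example (not from the article or any vendor): flag cross-process memory
# access to password-manager and browser processes in Sysmon Event ID 10
# (ProcessAccess) records. Assumes Sysmon logs ProcessAccess and that each event
# is flattened to one "Key=Value; Key=Value" line (a simplification of its XML).
PROCESS_VM_READ = 0x0010   # access right ReadProcessMemory needs
PROCESS_VM_WRITE = 0x0020  # access right WriteProcessMemory (injection) needs

# Processes whose memory holds secrets (assumed executable names; tune per site).
SENSITIVE_IMAGES = {"keeper.exe", "1password.exe", "bitwarden.exe", "nordpass.exe",
                    "lastpass.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
# Sources that legitimately open other processes (assumed allowlist; tune per site).
ALLOWED_SOURCES = {r"c:\windows\system32\csrss.exe"}

def parse_event(line: str) -> dict:
    """Parse 'Key=Value; Key=Value' into a dict with lowercased keys."""
    pairs = (part.split("=", 1) for part in line.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def is_suspicious(ev: dict) -> bool:
    """True when a non-allowlisted process got VM_READ/VM_WRITE on a sensitive target."""
    if ev.get("eventid") != "10":
        return False
    target = ev.get("targetimage", "").rsplit("\\", 1)[-1].lower()
    source = ev.get("sourceimage", "").lower()
    granted = int(ev.get("grantedaccess", "0x0"), 16)
    touches_memory = bool(granted & (PROCESS_VM_READ | PROCESS_VM_WRITE))
    return target in SENSITIVE_IMAGES and touches_memory and source not in ALLOWED_SOURCES

def scan(lines):
    """Return (SourceImage, TargetImage, GrantedAccess) for each suspicious record."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if is_suspicious(ev):
            hits.append((ev["sourceimage"], ev["targetimage"], ev["grantedaccess"]))
    return hits

# Constructed sample records, not real telemetry.
SAMPLE_LOG = [
    "EventID=10; SourceImage=C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe; "
    "TargetImage=C:\\Program Files\\Keeper\\keeper.exe; GrantedAccess=0x1010",
    "EventID=10; SourceImage=C:\\Windows\\System32\\csrss.exe; "
    "TargetImage=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe; GrantedAccess=0x1FFFFF",
    "EventID=10; SourceImage=C:\\Users\\alice\\tool.exe; "
    "TargetImage=C:\\Program Files\\Bitwarden\\Bitwarden.exe; GrantedAccess=0x1000",
]

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

Only the first record is reported: the second comes from an allowlisted source and the third was granted 0x1000 (query-limited information), which does not include the memory-access bits.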
Evaluation methodology
Venak Security simulated attacks using an AI-powered version of Lumma Stealer with enhanced features to extract memory-resident data from browsers and password managers.
The password managers were evaluated against the following criteria:
- Zero-Knowledge Encryption: No one, not even the vendor, can access your data.
- Client-Side Encryption: Data is encrypted before leaving the device.
- Online Authentication: Vaults are unlocked only after online verification.
- Memory Protection (User-land): Defends against RAM access from other user-mode processes.
- Memory Protection (Kernel-land): Defends against kernel-level memory readers and drivers.
- Browser Extension Protection: Protects against threats targeting browser extensions.
Evaluation tooling
Venak Security evaluated leading password managers against memory scraping attacks. Researchers adapted a POS attack tool, enhanced with AI, to extract credit card numbers from the memory of Windows devices. This “POS Memory Scraper” simulated a real-world threat to understand password manager vulnerabilities and inform security measures.
For the purpose of this evaluation, a credit card was stored in the password manager vault, and the POS memory scraper was used to locate the data in memory.
Evaluation results
Key takeaways
- All solutions provide strong encryption (zero-knowledge and client-side).
- Memory protection:
  - Keeper with Forcefield blocks both user-land and kernel-land attacks.
  - 1Password blocks basic user-mode readers.
  - All other products failed memory attacks in both native apps and browser-based interfaces.
- Browser extension protection:
  - Only Keeper blocks memory readers targeting browser extensions.
  - No other product protects against browser extension attacks.
Technical test results
NordPass
- Credit card data was extracted easily using the AI POS Scraper.
Proton Pass
- Similar to NordPass, it lacks memory protection and fails all tests.
1Password
- Blocked some user-mode memory readers.
- However, both user-mode and kernel-mode attacks were eventually successful using advanced bypass methods.
LastPass
- Similar to NordPass and Proton Pass, user data is unprotected in the memory.
Bitwarden
- Does not block user-mode memory scrapers; instead, it hashes data in memory, which makes extraction harder but ultimately fails to protect against memory attacks.
Dashlane
- Since Dashlane functions as a web browser extension, users’ data is stored in the browser’s memory. Some browsers utilize sandbox technology, while others, such as Chrome and Edge, do not.
Keeper with Forcefield
- Successfully blocked all attacks, including user-land and kernel-land.
- Protected browser extension memory from data theft, making it the most resilient in tests.
Conclusion
On Windows 10 and 11, malware running as a standard user can read the memory of other processes owned by that user, unless those processes are specially hardened. This has been confirmed by public CVE research and blog studies, and it’s actively exploited by real-world spyware and infostealers.
Keeper with Forcefield demonstrated exceptional protection by combining:
- Full memory protection
- Browser extension defense
- Online-only vault authentication
These additional layers drastically reduce the risk of compromise from modern password stealers. Regular testing and adopting best-in-class security tools remain critical for individuals and enterprises.
Sources:
- Born’s Tech Blog – Chrome stores passwords in memory in plain text (June 2022), summarizing CyberArk Labs research (Chrome stores passwords in memory in plain text | Born’s Tech and Windows World).
- SpyCloud Labs – Infostealers Bypass New Chrome Security Feature (Oct 2024), noting that before Chrome’s update any app running as the user (including malware) could access Chrome’s cookie data (Infostealer Malware Bypasses Google Chrome App-Bound Encryption | SpyCloud Labs).
- Security StackExchange – Discussion on stealing data from RAM (2017), confirming that a process running as the same user can read another process’s memory via standard system calls (malware – Can data be stolen from RAM in use – Information Security Stack Exchange).
- Microsoft MSRC – Windows Security Servicing Criteria (2020), indicating the defined security boundaries (process isolation is considered only between unauthorized contexts) (Microsoft Security Servicing Criteria for Windows).
- SecureWorks – The Growing Threat from Infostealers (2023), describing common infostealer malware families such as RedLine, Raccoon and Vidar, which steal credentials and data from user systems (The Growing Threat from Infostealers | Secureworks).
- Sysdig – KeePass CVE-2023-32784 Analysis (June 2023), explaining how a weakness in KeePass allowed cleartext master key extraction from process memory (KeePass CVE-2023-32784: Detection of Processes Memory Dump | Sysdig).
- SonicWall – Threat Intelligence (May 2019): TinyPOS, a new multi-component POS family actively spreading in the wild.
- BleepingComputer – KeePass disputes vulnerability… (Feb 2023), including expert commentary that once malware runs as a user, it can do anything (e.g. steal from any password manager) (KeePass disputes vulnerability allowing stealthy password theft).