The research firm ISE published a study on Feb. 19, 2019 regarding several other desktop password managers and their treatment of data stored in memory when the application is logged out. Keeper’s desktop application is not affected by this threat.
The protection of the user’s Keeper Master Password and the encryption keys used to decrypt their vault must be protected not only from other malicious software on the user’s device but also from internal threats. While it may be difficult to protect against a malicious process which is constantly scanning memory on an app that’s in-use, we believe that protections should be made to ensure that when a user chooses to log out, they are actually logged out.
When Keeper users click on “Logout” from their Keeper Desktop application, we perform an app reboot to ensure that the processes which contained data in memory are completely cleared. This includes the Master Password, 2FA tokens, stored vault data and any encryption keys required to decrypt user data.
Keeper works with 3rd party vulnerability assessment firms to analyze our products and services. We also maintain a public vulnerability disclosure program and private bug bounty program with Bugcrowd.