Password managers help you create complex and unique passwords for every application, service, and website, but how secure are password managers themselves? Could a password manager actually weaken security? According to a study conducted by researchers at the University of York, password managers are not totally secure: vulnerabilities have been found in them that could potentially be exploited by cybercriminals to gain access to a user’s password vault.
Of the 19 password managers considered for the study, five popular ones were chosen for detailed analysis: LastPass, Keeper, Dashlane, 1Password, and RoboForm. The researchers identified four new vulnerabilities. One, found in 1Password and LastPass on Android, was due to the weak matching criteria the autofill function used when suggesting stored credentials, which left both vulnerable to phishing attacks.
In both cases, autofill suggested passwords based on the app’s purported package name. That means that if a user is tricked into installing a malicious app that presents itself as a legitimate app, the password manager would suggest the legitimate app’s password, thus disclosing it to the malicious application.
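To make the weak-matching point concrete, here is an added example (not code from the study or from any of the products named) that models the autofill decision in Python: `suggest_weak` mirrors matching on the purported package name alone, while `suggest_strict` also requires the requesting app’s signing-certificate fingerprint to match the one recorded when the credential was saved. The vault entries, certificate bytes and package names are constructed sample data, and `cert_fingerprint` stands in for however a real autofill service would obtain the requester’s signing certificate.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class StoredCredential:
    package: str      # package name of the app the login was saved from
    cert_sha256: str  # fingerprint of that app's signing certificate, recorded at save time
    username: str
    password: str


def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 over a DER-encoded signing certificate (stand-in for a real certificate lookup)."""
    return hashlib.sha256(cert_der).hexdigest()


def suggest_weak(vault, package):
    """Vulnerable policy: trust the requesting app's package name on its own.
    Any app that declares the same package name is offered the stored credential."""
    return [c for c in vault if c.package == package]


def suggest_strict(vault, package, requester_cert_der):
    """Hardened policy: the package name must match AND the requester must be signed
    with the same certificate as the app the credential was originally saved from."""
    fp = cert_fingerprint(requester_cert_der)
    return [c for c in vault if c.package == package and c.cert_sha256 == fp]


# Constructed sample data: the genuine app and a look-alike that reuses its package name
# but, lacking the developer's signing key, is signed with a different certificate.
GENUINE_CERT = b"constructed-DER-bytes-of-genuine-signing-cert"
LOOKALIKE_CERT = b"constructed-DER-bytes-of-attacker-signing-cert"
PACKAGE = "com.example.bank"

VAULT = [
    StoredCredential(PACKAGE, cert_fingerprint(GENUINE_CERT), "alice", "correct horse battery staple"),
    StoredCredential("com.example.shop", cert_fingerprint(b"constructed-shop-cert"), "alice", "hunter2"),
]


def demo():
    """Return (weak, strict) suggestion counts for an autofill request from the look-alike app."""
    weak = suggest_weak(VAULT, PACKAGE)
    strict = suggest_strict(VAULT, PACKAGE, LOOKALIKE_CERT)
    return len(weak), len(strict)


if __name__ == "__main__":
    w, s = demo()
    print(f"look-alike app: weak policy offers {w} credential(s), strict policy offers {s}")
```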
A vulnerability identified in RoboForm and Dashlane made their Android applications susceptible to PIN brute force attacks. There was no limit on the number of failed attempts before access was temporarily blocked, so an attacker could potentially brute force the master PIN and gain access to a user’s password vault.
Since users typically use dates of birth and other common numbers as their master PIN, even manual brute force attempts could gain access relatively quickly. Based on their study, the researchers suggest that a manual brute force attack would take only around 2.5 hours before the PIN was guessed and the password vault unlocked.
The researchers also tested the password managers against six previously disclosed vulnerabilities and discovered that all were vulnerable to the Ignoring Subdomains and HTTP(S) Autofill exploits, and that all but one of the password managers under test were susceptible to URL mismatch.
While password managers are not totally secure, the researchers still recommend that businesses use them rather than have users try to remember all their passwords, as that inevitably results in weak passwords or password reuse, which poses an even greater risk.