Researchers at the University of York tested 5 popular password managers and found that all 5 were vulnerable to attack. The vulnerabilities include an inability to distinguish between a genuine app and a malicious copy, susceptibility to brute force attacks on the master password, and exposure of credentials to clipboard stealing.
Password Managers Tested
A team of researchers from the University of York decided to retest 5 password managers, namely Dashlane, LastPass, Keeper, 1Password and RoboForm. These password managers were chosen for retesting because they are among the most popular.
Issues had been discovered with these 5 password managers back in 2017. Sometime later, the researchers contacted the vendors to disclose the vulnerabilities they had found. However, only a few vendors rolled out a fix, as the issues were seen as low priority.
Why Use Password Managers
Password managers allow users to store all their credentials for their various online services and applications in a single location. Thus, users only need to remember the password manager’s master password rather than every single password to the various applications.
Furthermore, password managers, also known as vaults, require users to create strong, unique credentials for each of their online applications. However, it makes no difference how strong or unique credentials are if the password manager itself is vulnerable to cyberattack.
In a report published this month, the research team details the vulnerabilities discovered in the 5 above-mentioned password managers.
The first and most important vulnerability relates to password managers using weak matching criteria when deciding which stored credential belongs to the app or page requesting autofill. This allows a malicious app impersonating a genuine one to trick the password manager into disclosing the password for the application it is imitating. This flaw affects both 1Password and LastPass.
Researchers created a fake Google login screen designed to look exactly like the official one. The weak matching employed by 1Password and LastPass “means that when the malicious app is launched, LastPass will offer to autofill the login page with Google credentials stored in a user’s vault,” the researchers explained.
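To make the matching problem concrete, here is an added illustration (not code from the research team or from any of the tested products) of a weak matcher beside a strict one. The vault contents, package identifier, certificate fingerprint and request URLs are all constructed for the example. The weak matcher decides on the display name the requester itself chooses; the strict matcher ignores that name and compares only an exact https origin for web pages or an exact package identifier plus signing-certificate fingerprint for native apps.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Credential:
    """One vault entry; the fields beyond label/username are what a strict matcher needs."""
    label: str           # display label shown to the user, e.g. "Google"
    origin: str          # scheme://host the web credential belongs to
    package_id: str      # identifier of the native app allowed to use it (constructed value)
    signer_sha256: str   # fingerprint of that app's signing certificate (constructed value)
    username: str


@dataclass(frozen=True)
class AutofillRequest:
    """What the password manager learns about the app or page asking for autofill."""
    display_name: str    # window title / app name as shown on screen (attacker-controlled)
    url: str             # page URL for a browser request, "" for a native app
    package_id: str
    signer_sha256: str


# Constructed sample vault holding a single Google credential.
VAULT = [
    Credential(
        label="Google",
        origin="https://accounts.google.com",
        package_id="com.google.example.login",   # constructed identifier, not a real package
        signer_sha256="a1b2c3d4" * 8,            # constructed fingerprint
        username="alice@example.com",
    ),
]


def weak_match(vault, req):
    """Weak criterion: the request's display name merely contains the vault label.

    Anything that calls itself "Google ..." matches, so a look-alike page or a
    fake app receives an autofill offer for the real Google credential.
    """
    return [c for c in vault if c.label.lower() in req.display_name.lower()]


def strict_match(vault, req):
    """Strict criterion: exact https origin for pages, exact package id plus
    signing-certificate fingerprint for native apps. The display name is never
    consulted because the requester controls it."""
    hits = []
    for c in vault:
        if req.url:
            parts = urlsplit(req.url)
            # urlsplit().hostname is lower-cased and excludes userinfo and port
            if parts.scheme != "https" or parts.hostname is None:
                continue
            if f"https://{parts.hostname}" == c.origin:
                hits.append(c)
        elif req.package_id == c.package_id and req.signer_sha256 == c.signer_sha256:
            hits.append(c)
    return hits


def offered_usernames(matcher, req):
    """Usernames the manager would offer to autofill under the given matcher."""
    return [c.username for c in matcher(VAULT, req)]


# Constructed requests: a genuine page, a look-alike domain, a fake app, the genuine app.
GENUINE_PAGE = AutofillRequest("Google Accounts", "https://accounts.google.com/signin", "", "")
LOOKALIKE_PAGE = AutofillRequest("Google Accounts", "https://accounts.google.com.evil.example/signin", "", "")
FAKE_APP = AutofillRequest("Google Sign-In", "", "com.example.notgoogle", "ffffffff" * 8)
GENUINE_APP = AutofillRequest("Google", "", "com.google.example.login", "a1b2c3d4" * 8)

if __name__ == "__main__":
    for name, req in [("genuine page", GENUINE_PAGE), ("look-alike page", LOOKALIKE_PAGE),
                      ("fake app", FAKE_APP), ("genuine app", GENUINE_APP)]:
        print(f"{name:16} weak={offered_usernames(weak_match, req)} "
              f"strict={offered_usernames(strict_match, req)}")
```

Running the block shows the weak matcher offering the Google credential to all four requesters, while the strict matcher offers it only to the genuine page and the genuine app. A production matcher would additionally have to obtain the package identifier and signer fingerprint from the operating system rather than from the requesting app itself, since a self-reported identity is no better than a self-chosen display name.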
Brute Force Attacks
The password managers Keeper, Dashlane and 1Password were found to be vulnerable to brute force attacks, because these 3 do not limit the number of attempts a user may make to enter the master password. None of the 5 password managers kept track of the number of incorrect login attempts. However, RoboForm and LastPass have measures in place to slow down possible brute force attacks.
Brute force attacks involve an attacker submitting many candidate passwords in the hope of eventually guessing the correct one.
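The mitigation the two better-behaved managers apply is to make each wrong guess cost more than the last. The following is an added example, not code from any of the tested products, of a master-password gate that counts failures, applies exponential backoff and falls back to a fixed lockout once a threshold is reached. The thresholds, the PBKDF2 parameters and the injectable clock are all choices made for this illustration.

```python
import hashlib
import hmac
import os
import time


class MasterPasswordGate:
    """Verifies a master password while throttling repeated failures.

    Every failure delays the next attempt (1s, 2s, 4s, ...); reaching
    max_failures switches to a fixed lockout. The counter lives in memory here;
    a real vault must persist it so that restarting the app does not reset it.
    """

    def __init__(self, password, *, max_failures=5, base_delay=1.0,
                 lockout=300.0, clock=time.monotonic, iterations=100_000):
        self._salt = os.urandom(16)               # fresh per-vault salt
        self._iterations = iterations
        self._hash = self._derive(password)
        self.max_failures = max_failures
        self.base_delay = base_delay
        self.lockout = lockout
        self.clock = clock                        # injectable for testing
        self.failures = 0
        self.next_allowed = 0.0                   # earliest time an attempt is accepted

    def _derive(self, password):
        # Slow KDF so that offline guessing is also expensive, not only online guessing.
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                   self._salt, self._iterations)

    def attempt(self, password):
        """Returns (status, wait_seconds): status is 'ok', 'denied' or 'throttled'."""
        now = self.clock()
        if now < self.next_allowed:
            # Refuse to even evaluate the guess while a delay or lockout is active.
            return "throttled", self.next_allowed - now
        if hmac.compare_digest(self._derive(password), self._hash):
            self.failures = 0
            self.next_allowed = 0.0
            return "ok", 0.0
        self.failures += 1
        if self.failures >= self.max_failures:
            wait = self.lockout
        else:
            wait = self.base_delay * (2 ** (self.failures - 1))
        self.next_allowed = now + wait
        return "denied", wait


if __name__ == "__main__":
    # Stand-alone demo with a fake clock so the run does not actually sleep.
    fake_now = [0.0]
    gate = MasterPasswordGate("correct horse battery", clock=lambda: fake_now[0],
                              max_failures=3, base_delay=1.0, lockout=60.0)
    for guess, advance in [("hunter2", 1.0), ("letmein", 2.0), ("password", 5.0),
                           ("correct horse battery", 60.0), ("correct horse battery", 0.0)]:
        print(f"t={fake_now[0]:5.1f} guess={guess!r:25} -> {gate.attempt(guess)}")
        fake_now[0] += advance
```

The gate deliberately refuses to run the key derivation at all while a delay is active, so a throttled attempt gives no timing signal about whether the guess was correct, and the failure counter is only cleared by a successful unlock, not by the lockout expiring.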
The last vulnerability discovered by the researchers is clipboard stealing. None of the password managers except 1Password provided enough protection for credentials copied to the clipboard. On Windows 10, for example, credentials could be pasted as clear text from the clipboard even when the computer is locked.
Notwithstanding the above-mentioned vulnerabilities, the University of York’s research team still stresses the importance of using password managers.
“It’s good to keep in mind that password managers are still the best way to manage passwords so that consumers always have a different, strong password for each account. As cybercriminals use phishing, hacking, and brute force attacks and other techniques to steal passwords, it is mandatory that consumers have a different password for every account, limiting their exposure to the ongoing wave of data breaches.”