New Threat: Research on Limitations of Password Managers

by | Apr 9, 2020 | Cyber Security, Password Managers, Threat Watch - The Latest Attacks

Password managers can be easily accessed or hacked

WHAT’S AT RISK 

Login credentials stored with password managers can be easily accessed or hacked

WHAT IS IT

A research team at the University of York has exposed severe flaws in nearly half of the password managers it tested. The researchers created a malicious app mimicking a legitimate Google app and presented it to various password managers to see if they would fall for the lookalike and present the user’s password. The app managed to trick 40% of the password managers into presenting the password.

ADDITIONAL READING

WHY IS IT OCCURING

The weak links in password managers are the security of the master password which controls access to all of the passwords stored in the manager, and the password manager’s ability to detect whether or not an application was a legitimate one to display a password for.

If there is no limit to the number of attempts allowed on the master password, then hackers can use software to brute force your password.  One of the advantages of a password manager is its ease and intuitive use, but it may be forgiving and accept attempts of illegitimate websites that resemble legitimate ones seeking access to passwords.

WHAT IS THE IMPACT

As the number of applications users interact with continue to grow, and the need for stronger password security increasingly evident, users are turning to password managers to maintain their login credentials across applications.  At the same time, password managers are becoming a larger target for hackers. If a user’s password manager is revealed, hackers have access to the user’s password across applications and accounts, such as financial services, communications, and personal content.

HAVOC SHIELD’S SOLUTION

There is a place for password managers. However, users need to ensure that they include a feature that limits the number of attempts allowed on the main password so that the main password cannot be brute forced in a few hours.  Also, they need to be vigilant that they are downloading legitimate applications and accessing legitimate websites so that the password manager does not present passwords to illegitimate websites and applications.