Password managers may not be as secure as you think
Password managers are often pitched as a convenient way to secure online accounts. Their main appeal is that they can generate and store very complex, distinct passwords that would be virtually impossible for the average person to memorize (or for an attacker to crack), while the user only has to remember a single master password, which encrypts the stored credentials, to access them.
But, for password managers to be truly effective, they have to be secure in the first place. And that may be a problem, according to a new report by TeamSIK, which found serious vulnerabilities in many of the popular options available on Android, including LastPass, Dashlane, and 1Password.
"Application vendors advertise their password manager applications as 'bank-level' or 'military-grade' secure," says TeamSIK, which also looked at MyPasswords, Informaticore, Keeper, F-Secure Key, Hide Pictures Keep Safe Vault and Avast Passwords, in addition to the password managers named above.
"In order to answer these questions, we performed a security analysis on the most popular Android password manager applications from the Google Play Store based on download count. The overall results were extremely worrying and revealed that password manager applications, despite their claims, do not provide enough protection mechanisms for the stored passwords and credentials. Instead, they abuse the users' confidence and expose them to high risks," the security researchers write in the report.
TeamSIK found at least one vulnerability in each of the tested password managers, with Informaticore and Hide Pictures Keep Safe Vault scoring best in this regard. Avast Passwords had six vulnerabilities, followed by 1Password with five, Dashlane with four, LastPass and MyPasswords with three each, and Keeper with two.
"Some applications stored the entered master password in plaintext or implemented hard-coded crypto keys in the program code. [...] In other cases, we could simply access all 'securely protected passwords/credentials' with the help of an additional app. [...] Furthermore, many of the apps completely ignore the problem of clipboard sniffing, meaning that there is no cleanup of the clipboard after credentials have been copied into it. [...] We found that, for example, auto-fill functions for applications could be abused to steal the stored secrets from the password manager application using 'hidden phishing' attacks," TeamSIK notes.
All the vendors were informed of the uncovered vulnerabilities in their password managers, and according to TeamSIK all are now patched. But we have to keep in mind that many password managers are available on other platforms as well, and there is no telling how secure those clients are.
You might be reading this thinking that you should avoid using a password manager, but, from my point of view, the pros outweigh the cons. It is easy to get lazy, set up weak passwords for important accounts, and then reuse those passwords. That's a recipe for disaster, as major breaches prove. Realistically speaking, it is much easier to install an update that fixes bugs than to change dozens of passwords every so often and remember them all.