Is Your Password Manager’s Promise of “Military-Grade” Security Actually True?
Every year, we share reports of people sticking with passwords like “123456” or “p@ssword”, making it clear that remembering passwords isn’t an easy task. While we may focus on the importance of complex passwords or two-factor authentication to avoid account intrusion, the entire login process is still a mess, to say the least. That is why many people trust password managers to store all their passwords in cryptographically secure form. But what happens when these password management apps are themselves vulnerable to security flaws?
Password manager security is “extremely worrying”
Earlier today, we shared reports of a popular antivirus program for macOS being affected by a security vulnerability. While the flaw is now patched, it showed how the services we trust to keep us safe can lead to more security troubles. This in no way means that we should say goodbye to password managers or antivirus programs, but it is a stark truth that internet security is getting worse by the day.
A new report published today reveals that some of the most popular password managers are affected by serious vulnerabilities exposing their users’ details. Security experts from TeamSIK of the Fraunhofer Institute for Secure Information Technology in Germany have analyzed nine Android password managers, revealing that each of them had at least one low, medium or high severity vulnerability.
“Applications vendors advertise their password manager applications as ‘bank-level’ or ‘military-grade’ secure,” the security team wrote. However, the team found that the overall results of their analysis were “extremely worrying and revealed that password manager applications, despite their claims, do not provide enough protection mechanisms for the stored passwords and credentials. Instead, they abuse the users’ confidence and expose them to high risks.”
The research focused on LastPass, My Passwords, Informaticore’s Password Manager, Keeper, F-Secure KEY, Dashlane Password Manager, Keepsafe, Avast Passwords, and 1Password – each of which has 100,000 to 50 million installs. TeamSIK discovered a total of 26 issues, many of which were patched by vendors within a month after the security researchers reported the issues. Avast has yet to patch all the flaws, though.
No need for root permissions for successful attacks
The security team said that some of the analyzed applications stored the master password in plaintext or used hard-coded crypto keys embedded in the code. In the case of Informaticore’s Password Manager, the app stored the master password in encrypted form. However, the encryption key was found in the app’s code and was the same across all installations, so anyone who extracts it from the app can decrypt the master password on any device. LastPass had a similar vulnerability, which has now been patched.
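The Python sketch below is an added illustration written for this article; it is not code from the TeamSIK report or from any of the apps named above, and the function names, the HARDCODED_KEY placeholder and the sample credential are all constructed. It contrasts a key compiled into the binary (the defect just described) with a vault key derived from the master password and a per-installation random salt, and it includes the kind of review check a defender can run: simulate several installations of the same user and see whether they end up with distinct keys. The HMAC-SHA256 counter-mode construction used for encryption is only a stand-in for a real AEAD such as AES-GCM, so that the example runs with the standard library alone.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Optional

# Constructed placeholder for a key compiled into the app binary. Anything that
# ships inside the APK is readable by whoever unpacks it, so every installation
# shares this value and the master password plays no role at all.
HARDCODED_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")


def hardcoded_vault_key(master_password: str, salt: bytes) -> bytes:
    """Anti-pattern: both arguments are ignored; the key is identical everywhere."""
    return HARDCODED_KEY


def derive_vault_key(master_password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Remedy: derive the vault key with PBKDF2-HMAC-SHA256 from the master password
    and a per-installation random salt, so nothing stored in the binary reveals it."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=32)


def _subkeys(key: bytes):
    # Separate keys for confidentiality and integrity, both bound to the vault key.
    enc = hmac.new(key, b"vault-enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"vault-mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stand-in for a real AEAD (AES-GCM, ChaCha20-Poly1305).
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal_entry(vault_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC one credential; layout is nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce = secrets.token_bytes(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_entry(vault_key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None if the key is wrong or the blob was altered."""
    if len(blob) < 16 + 32:
        return None
    enc_key, mac_key = _subkeys(vault_key)
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


KeyFn = Callable[[str, bytes], bytes]


def key_varies_per_install(key_fn: KeyFn, master_password: str, installs: int = 3) -> bool:
    """Review check: simulate several installations (fresh random salt each) for the
    same user and report whether they end up with distinct vault keys. False is the
    defect the report describes: one key for everyone."""
    keys = {key_fn(master_password, secrets.token_bytes(16)) for _ in range(installs)}
    return len(keys) == installs


def leaked_key_opens_other_install(blob_from_other_device: bytes) -> Optional[bytes]:
    """What a hard-coded key means in practice: the constant from the binary decrypts
    a vault produced on any other device, with no master password involved."""
    return open_entry(HARDCODED_KEY, blob_from_other_device)


if __name__ == "__main__":
    secret = b"user@example.com : correct horse battery staple"  # constructed sample entry
    salt_b = secrets.token_bytes(16)

    print("hard-coded key varies per install:", key_varies_per_install(hardcoded_vault_key, "m4sterPW"))
    print("derived key varies per install:  ", key_varies_per_install(derive_vault_key, "m4sterPW"))

    blob_b = seal_entry(hardcoded_vault_key("m4sterPW", salt_b), secret)
    print("constant from the APK opens device B's vault:", leaked_key_opens_other_install(blob_b) == secret)

    blob_b = seal_entry(derive_vault_key("m4sterPW", salt_b), secret)
    print("constant opens a derived-key vault:", leaked_key_opens_other_install(blob_b) is not None)
    print("wrong master password opens it:  ", open_entry(derive_vault_key("guess", salt_b), blob_b) is not None)
```

The review check is the part worth keeping: if a key function returns the same bytes no matter what master password or salt it is given, the vault's security rests entirely on the secrecy of the app package, which is exactly what the report found was not secret.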
“In other cases, we could simply access all ‘securely protected passwords/credentials’ with the help of an additional app,” the team said. “Once installed on the device, this malicious app extracts all passwords/credentials in plaintext and sends them to the attacker.”
In a third of these easily exploitable security flaws, researchers discovered that some of the apps are vulnerable to data residue attacks and clipboard sniffing, meaning that the clipboard is not cleared after credentials have been copied, so any other app on the device can read them. “In most of the cases, no root permissions were required for a successful attack that gave us access to sensitive information such as the aforementioned master password.”
The latest analysis of password manager security also revealed that the add-on features some of these apps offer for convenience can actually lead to more data exposure. “For example, auto-fill functions for applications could be abused to steal the stored secrets from the password manager application using ‘hidden phishing’ attacks.”
While definitely worrying, password managers still add more security than the risks associated with them. Many of these popular apps are routinely updated, and researchers keep looking for flaws so that vulnerabilities get removed. So let’s not take this as an excuse to go back to “123456”.
Details of now-patched vulnerabilities that reveal the truth about password manager security can be accessed here.