Password managers aren't all they're cracked up to be. Here's why
Password managers and the data they protect can be vulnerable to hackers or human error Image: REUTERS/Kacper Pempel
For people who struggle to remember complex passwords or those who work at companies where the IT departments mandate password changes on a set schedule, password managers are lifesavers.
Those tools work by requiring you only to remember one master password; the password manager then gives you access to all sites associated with the account connected to the master password.
Furthermore, many of these tools allow you to store payment information and even let other parties access it on a short-term basis — such as allowing your daughter to buy a book she needs for school.
Password managers are undoubtedly convenient, but they are not foolproof. And that means we need to take a deeper look at their vulnerabilities.
Users who consider using password managers typically only think about their positive aspects. But a recent report from US security consultancy Independent Security Evaluators found that certain kinds of malware can expose the user data kept by numerous well-known password managers - and most of the risks exist while the tools are in locked, running states.
The researchers involved in this study say they don't know how aware cybercriminals are of the flaws they uncovered. Nevertheless they recommend that users take a few precautions:
· Choose a strong master password
· Keep their operating system and apps updated
· Install antivirus scanners with malware detectors
It's crucial not to assume that infiltrations of password manager software are only either theoretical events or those conducted by cybersecurity researchers in their labs. In May 2017, password manager OneLogin was hacked. The company confirmed the attack potentially gave the cybercriminals access to all its US customers’ data, and that those to blame may have been able to decrypt encrypted data.
Popular password manager LastPass was also hacked in 2015. The company noticed the issue after detecting strange activity on its servers. Although the hackers stole information including email addresses and password reminders, the company noted it used an encryption method called "slow hashing" that kept its users’ password data safe.
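The "slow hashing" mentioned above is a password-storage technique (a deliberately expensive key-derivation function, rather than encryption in the strict sense): every verification of a candidate password costs a fixed amount of work, so a stolen database of hashes cannot be guessed through at millions of attempts per second. The block below is an added example written for this page using Python's standard library PBKDF2; it is not LastPass's or any vendor's code, and the iteration count of 600,000 is a constructed choice, not a value taken from the article.

```python
import hashlib
import hmac
import os
import time

# Constructed default; the article gives no number. Higher means slower for both
# the legitimate login and for anyone guessing against a stolen hash.
DEFAULT_ITERATIONS = 600_000


def hash_password(password: str, salt: bytes, iterations: int) -> bytes:
    """Derive a 32-byte key from the password with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=32
    )


def make_record(password: str, iterations: int = DEFAULT_ITERATIONS) -> dict:
    """Build the stored record: a fresh random salt, the work factor, and the hash.

    The salt is per user, so identical passwords produce different records and
    a precomputed table of hashes is useless against the whole database.
    """
    salt = os.urandom(16)
    return {
        "salt": salt,
        "iterations": iterations,
        "hash": hash_password(password, salt, iterations),
    }


def verify(record: dict, candidate: str) -> bool:
    """Recompute the hash with the stored salt and work factor; compare in constant time."""
    recomputed = hash_password(candidate, record["salt"], record["iterations"])
    return hmac.compare_digest(record["hash"], recomputed)


def guesses_per_second(iterations: int, samples: int = 5) -> float:
    """Measure how many candidate passwords per second this machine can test.

    A fixed constructed salt is used here only for the benchmark.
    """
    salt = b"constructed-benchmark-salt"
    start = time.perf_counter()
    for i in range(samples):
        hash_password(f"guess{i}", salt, iterations)
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    record = make_record("correct horse battery staple")
    print("correct password verifies:", verify(record, "correct horse battery staple"))
    print("wrong password verifies:  ", verify(record, "correct horse battery stapler"))
    for work in (1, 10_000, DEFAULT_ITERATIONS):
        print(f"{work:>8} iterations -> about {guesses_per_second(work):,.0f} guesses/s")
```

The last loop makes the point of the paragraph concrete: with one iteration the hash is a fast hash and the guess rate is limited only by hardware, while the high work factor cuts the rate on the same machine by orders of magnitude, which is what buys users time to change passwords after a breach.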
A few years ago, a Google researcher alerted LastPass to another issue related to the application’s browser plugins. The problem could reportedly allow a hacker to execute malicious code or steal passwords. Fortunately, LastPass fixed it before any real-world cases occurred.
It’s not just hackers that pose a risk to password manager users’ data. In one recent instance that affected millions of users, a server issue at a password manager called Blur left encrypted passwords, names and email addresses exposed.
In another recent example, a 16-month-old bug associated with the Keeper password manager allegedly didn't keep passwords protected. The Google researcher who identified the flaw said it would enable any website to steal passwords stored in Keeper. Even worse, the password manager came bundled on some Windows computers.
Amid much controversy, Keeper filed a lawsuit against the journalist who covered the story, as well as the associated website — Ars Technica — and its publisher. Keeper asserted that the report had contained false statements.
But the company appears to have learned its lesson, too. After that incident, Keeper launched a vulnerability disclosure programme in partnership with Bugcrowd, a crowdsourced cybersecurity platform. This programme is a step in the right direction, but some critics have pointed out that people may become more reluctant to speak up about the bugs as a result of the legal fallout following the report on Keeper’s alleged vulnerability.
In these cases, system or tool-related problems made the password managers less than secure. If providers don't take precautions - if they fail to test their software and take bug reports seriously - issues could arise even without the influence of hackers.
Users have a responsibility to interact with password managers sensibly, too. As mentioned earlier, that starts with picking a smart master password. You should not choose master passwords that are easy to guess and make hackers' attempts more straightforward. Cybercriminals can crack a short, weak password in 10 to 15 seconds.
It's even simpler for them when you choose passwords based on the names of pets or children, repeated dictionary words or a combination of information that anyone could research, such as someone's initials followed by their birthday.
People have differing opinions about the worthiness of password managers. Some believe it's better for you to have one than not, while others who point out the various ways a hacker could break into a password manager say that the best password manager is your memory. If you choose to use a password manager, picking a unique and hard-to-guess master password is essential.
Last year, Virginia Tech teamed up with Dashlane, a popular password manager brand, to analyze more than 61 million passwords - and they uncovered some troubling findings. The researchers found password reuse and modification patterns among users that made their passwords startlingly insecure. The research indicated it was possible to crack 16 million password pairs in only 10 guesses made by a password algorithm.
The research also highlighted how people like to use a technique called password walking where they create passwords from letters adjacent to each other on the keyboard. Others chose passwords based on non-private information such as brand names or sports teams.
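The weaknesses described in the last few paragraphs (short or guessable master passwords, dictionary words, keyboard walks, and small modifications of a password already used elsewhere) can all be caught by a checker before a master password is accepted. The block below is an added example written for this page, not code from Dashlane, Virginia Tech or any password manager; the word list, the leet-substitution table, the minimum length of 12 and the sample passwords are all constructed for illustration.

```python
import re

# Constructed word list; a real checker would use a large breached-password corpus.
COMMON_WORDS = {"password", "letmein", "welcome", "dragon", "monkey", "football"}

# Keyboard rows used to spot "password walking" (adjacent keys in sequence).
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]

# Constructed leet table: common symbol/digit substitutions mapped back to letters.
LEET = str.maketrans("@$03!1", "asoeil")

MIN_LENGTH = 12  # constructed policy value, not taken from the article

REASON_SHORT = "shorter than minimum length"
REASON_WALK = "keyboard walk"
REASON_DICTIONARY = "dictionary word"
REASON_VARIANT = "variant of a previous password"


def is_keyboard_walk(password: str, min_run: int = 4) -> bool:
    """True if any min_run characters form a run along a keyboard row, either direction."""
    s = password.lower()
    for row in KEYBOARD_ROWS:
        # The '|' separator stops a run from bridging the forward and reversed copies.
        both_directions = row + "|" + row[::-1]
        for i in range(len(s) - min_run + 1):
            if s[i : i + min_run] in both_directions:
                return True
    return False


def base_form(password: str) -> str:
    """Normalise a password to the 'word' a user built it from.

    Lowercases, strips leading/trailing digits and symbols (the year or '!' people
    bolt on), then undoes leet substitutions, so 'P@ssw0rd2019' -> 'password' and
    'Summer2018!' and 'Summer2019!' both -> 'summer'.
    """
    s = password.lower()
    s = re.sub(r"^[^a-z]+|[^a-z]+$", "", s)
    return s.translate(LEET)


def assess(password: str, previous: tuple = ()) -> list:
    """Return the list of reasons a candidate master password is weak (empty if none)."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(REASON_SHORT)
    if is_keyboard_walk(password):
        reasons.append(REASON_WALK)
    base = base_form(password)
    if base in COMMON_WORDS:
        reasons.append(REASON_DICTIONARY)
    if base and base in {base_form(p) for p in previous}:
        reasons.append(REASON_VARIANT)
    return reasons


if __name__ == "__main__":
    # Constructed samples illustrating each pattern the research describes.
    samples = [
        ("qwerty123", ()),
        ("P@ssw0rd2019", ()),
        ("Summer2019!", ("Summer2018!",)),
        ("correct horse battery staple", ("Summer2018!",)),
    ]
    for pw, prev in samples:
        verdict = assess(pw, prev) or ["no issues found"]
        print(f"{pw!r:35} -> {', '.join(verdict)}")
```

The `base_form` normalisation is the piece that matters for the reuse finding: the "password pairs" crackable in a handful of guesses are exactly those where one password is the other with a year incremented or a symbol appended, and comparing normalised forms rather than raw strings is what lets a checker refuse such near-duplicates.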
Sometimes, hacking takes place unintentionally. A fascinating finding by researchers from the University of Helsinki and Aalto University, both in Finland, showed that something called the inter-process communication (IPC) channel, which deals with software processes related to shared computers, may not always remain secure. It confirmed that several security-critical applications — including password managers — did not protect the IPC.
As such, the user processes occurring on a shared machine could reveal another user’s private credentials due to the insecure nature of the IPC. The researchers also mentioned that IPC is something developers often overlook and don't understand.
Using a password manager is not necessarily foolish, and it's probably a more secure approach than not using one. However, it's crucial to stay in touch with your password manager provider to get news of any possible issues, as well as to keep the software updated. Beyond that, choose your master password carefully and don't reuse passwords — especially after hearing about breaches that may affect you.
Password managers are handy, but they should not make you assume the data they protect is invincible to clever attacks by hackers and other data security threats.
License and Republishing
World Economic Forum articles may be republished in accordance with the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License, and in accordance with our Terms of Use.
The views expressed in this article are those of the author alone and not the World Economic Forum.