Some commercial password managers can be fooled into disclosing user passwords, researchers warn

Such password managers use weak criteria to find out whether an app is genuine or not

Some commercial password managers may be vulnerable to cyber attacks by fake apps, a new study by researchers at the University of York suggests.

As cyber threats become more sophisticated, security experts are recommending internet users to use complex and random passwords for every account they have on various websites and apps.

But, remembering all those passwords is a challenging task for users. That's where password managers help. They eliminate the need to remember dozens of passwords by storing all of them at one place, and also suggest strong passwords to users when they sign up to an online service.

The encrypted vaults of password managers, which store credentials for the user, can be accessed only via a single master password (PIN).

However, serious problems may arise if even password managers become vulnerable to malicious attacks.

In the current study [PDF], the researchers at the University of York tested five password managers and were able to fool two of them into revealing a password.

According to researchers, those password managers used weak criteria to find out whether an app is genuine or not.

The researchers created a malicious app that impersonated a legitimate Google app and enabled the researchers to extract credentials for the user passwords.

They also found that some password managers did not set a limit on the number of login attempts for an account, which made them vulnerable to a brute force attack. Others were vulnerable to clipboard stealing as well as some old flaws.

The password managers used in this study are LastPass, Dashlane, Keeper, RoboForm, and 1Password, all of which are highly popular among internet users.

The researchers had previously tested the same products in 2018 on Windows 10 Enterprise, Android 7.0 and Chrome 59. They were now re-tested against old and known flaws. Unfortunately, the research team found some of the app still being vulnerable to more than 50 per cent of the previously disclosed flaws.

Commenting on the issue, Robert Capps, vice president at NuData Security, a Mastercard company, said: "Security research like this, that finds potential vulnerabilities, is critical to making businesses and consumers safer by allowing potential weaknesses to be addressed in a responsible way, before they can be exploited."

"It's good to keep in mind that password managers are still the best way to manage passwords so that consumers always have a different, strong password, for each account. As cybercriminals use phishing, hacking, and brute force attacks and other techniques to steal passwords, it is mandatory that consumers have a different password for every account, limiting their exposure to the ongoing wave of data breaches."

"Passwords managers help consumers keep track of their strong, unique passwords in a user-friendly way, and help to prevent them from inadvertently disclosing their passwords to a fraud Phishing scheme. For those accounts that allow it, end users should activate two-factor authentication for further security."

"Luckily, companies are moving away from using only a username and password for authentication, opting to add more layers that include behavioral analytics and passive biometrics, so that vulnerabilities like this one thwart future fraud. If a user has the correct password but is behaving suspiciously, these technologies can be stopped it before any fraud happens."