A complex, random and unique password for every online account is good advice; but how to remember them all? Hence password managers. Encrypted vaults accessed by a single master password or PIN, they store and autofill credentials for the user and come recommended by the UK’s official National Cyber Security Centre (NCSC).
However, university researchers have shown that some commercial password managers may not be a watertight way to ensure cyber security. After creating a malicious app to impersonate a legitimate Google app, they were able to fool two out of five of the password managers they tested into giving away a password. The researchers at York found that some of the password managers used weak criteria for identifying an app and which username and password to suggest for autofill. This weakness allowed the researchers to impersonate a legitimate app simply by creating a rogue app with an identical name.
Senior author of the study, Dr Siamak Shahandashti from the Department of Computer Science at the University of York, said: “Vulnerabilities in password managers provide opportunities for hackers to extract credentials, compromising commercial information or violating employee information. Because they are gatekeepers to a lot of sensitive information, rigorous security analysis of password managers is crucial.
“Our study shows that a phishing attack from a malicious app is highly feasible – if a victim is tricked into installing a malicious app it will be able to present itself as a legitimate option on the autofill prompt and have a high chance of success. In light of the vulnerabilities in some commercial password managers our study has exposed, we suggest they need to apply stricter matching criteria that is not merely based on an app’s purported package name.”
The researchers also found that some password managers did not have a limit on the number of times a master PIN or password could be entered. This means that if hackers had access to an individual’s device they could launch a “brute force” attack, guessing a four digit PIN in around 2.5 hours. The researchers also drew up a list of previously disclosed vulnerabilities identified in a previous study and tested whether they had been resolved. They found that while the most serious of these issues had been fixed, many had not been addressed. The researchers disclosed these vulnerabilities to the password managers.
Lead author of the study, Michael Carr, who carried out the research while studying for his MSc in Cyber Security at the Department of Computer Science, at York, said: “New vulnerabilities were found through extensive testing and responsibly disclosed to the vendors. Some were fixed immediately while others were deemed low priority.
“More research is needed to develop rigorous security models for password managers, but we would still advise individuals and companies to use them as they remain a more secure and useable option. While it’s not impossible, hackers would have to launch a fairly sophisticated attack to access the information they store.”
Comment
Robert Capps, vice president at NuData Security, a Mastercard company, said: “Security research like this, that finds potential vulnerabilities, is critical to making businesses and consumers safer by allowing potential weaknesses to be addressed in a responsible way, before they can be exploited. It’s good to keep in mind that password managers are still the best way to manage passwords so that consumers always have a different, strong password, for each account.
“As cybercriminals use phishing, hacking, and brute force attacks and other techniques to steal passwords, it is mandatory that consumers have a different password for every account, limiting their exposure to the ongoing wave of data breaches. Passwords managers help consumers keep track of their strong, unique passwords in a user-friendly way, and help to prevent them from inadvertently disclosing their passwords to a fraud Phishing scheme. For those accounts that allow it, end users should activate two-factor authentication for further security. Luckily, companies are moving away from using only a username and password for authentication, opting to add more layers that include behavioral analytics and passive biometrics, so that vulnerabilities like this one thwart future fraud. If a user has the correct password but is behaving suspiciously, these technologies can be stopped it before any fraud happens.”
