ALL of us use passwords and some people need more than others, but there comes a point when our brains risk a physical overload with the sheer number of secret codes and keys we require on a daily basis.
One of the biggest challenges we face is memorising complex passwords, as recommended by computer and software manufacturers.
That is where password managers come in – they store your codes cryptographically, with access granted only when the user enters a master password. Your passwords are then kept in one place, organised by the websites, computers and applications they belong to.
Manufacturers have often advertised them as offering “bank-level” or “military-grade” security and experts have recommended them. Dashlane is the most popular, but other frequently used programs are Avast Passwords, F-Secure Key Password Manager, My Passwords and LastPass. However, a new report has revealed that some of the most popular password managers themselves can be vulnerable and can expose your credentials to prying eyes.
Security experts from TeamSIK, at the Fraunhofer Institute for Secure Information Technology in Germany, reported that nine of the most popular password managers for Android available on Google Play are open to one or more security vulnerabilities.
They examined Avast, Dashlane, F-Secure Key, LastPass, Keeper, 1Password, My Passwords, Informaticore’s Password Manager and Keepsafe – each of which has been installed between 100,000 and 50 million times.
TeamSIK said: “The overall results were extremely worrying and revealed that password manager applications, despite their claims, do not provide enough protection mechanisms for the stored passwords and credentials.”
They discovered a total of 26 vulnerabilities, one or more in each programme, but these were all reported to the various manufacturers – who issued fixes before the report went public.
“We found several implementation flaws resulting in serious security vulnerabilities,” said the team.
“Some applications stored the entered master password in plain text or implemented hard-coded crypto keys in the programme code. Consequently, attackers can easily circumvent the crypto algorithm altogether and thereby gain access to all of the user’s data.”
This flaw was classed as “high severity” and was noted on Informaticore’s Password Manager. A similar bug was found in LastPass.
“In other cases, we could simply access all ‘securely protected passwords/credentials’ with the help of an additional app,” said TeamSIK.
“Once installed on the device, this malicious app extracts all passwords/credentials in plain text and sends them to the attacker.”
The research team also found that auto-fill functions in most password manager apps could be abused to steal stored secrets through “hidden phishing” attacks.
TeamSIK said an attacker could have exploited many of the flaws they found without needing root permissions – that is, administrative privileges on the device.
“In most of the cases, no root permissions were required for a successful attack that gave us access to sensitive information such as the master password,” said the team.
“Furthermore, many of the apps completely ignore the problem of clipboard sniffing, meaning that there is no clean-up of the clipboard after credentials have been copied into it.”
Manufacturers say they have addressed all the flaws raised in the TeamSIK report, but they are urging users to update their password manager apps as soon as they can, as hackers now have all the information they need to exploit the flawed previous versions.