Passwords cannot be easy to remember and tough passwords are difficult to remember. In order to get around this problem most of us usually use a Password Manager which will encrypt and store all of our credentials and will enter the same as and when required. All of the passwords are guarded by a master password and also some services offer two-factor authentication for an added bit of security. But are your passwords safe and secure with the Password Managers?
Password Managers found leaking passwords
SIK Team performed a security analysis on popular password managers and the result was worrying indeed. The analysis clearly showcased how the Password Managers fail to safeguard the data by enforcing enough safety mechanisms. On the contrary, it was established that most of the Password Managers abuse the user’s confidence and expose them to a higher risk.
The following apps, among several others, were found to have been breached – MyPasswords, Informaticore Password Manager, LastPass, Keeper, Avast Passwords, 1Password, F-Secure Key Password Manager and Dashlane Password Manager.
The researchers found a number of implementation flaws which resulted in some serious security loopholes. In one of the case, the researchers found out that the apps were storing the passwords in plaintext/crypto algorithm and were thus able to gain access to all the passwords/credentials.
In yet another case the researchers could use something called as “residue attack” to access the master key stored in the application. The worst part is that no root permissions were required for the same and this gave complete access to sensitive information including the master key. It was further discovered that many of the apps turned a blind eye to the problem of keyboard sniffing wherein auto-fill functionality can be used to steal the stored secrets from the password managers.
However, most of the password managers use their very own web browser when it comes to password filling forms, however, these very browsers were susceptible to data leaks and breaches.
All reported vulnerabilities are fixed by the vendors now, says the report.