New Research Exposes Password Manager Vulnerabilities
The need for complex, random, and unique passwords for each online account is only increasing, making password management software a necessity as passwords get more and more difficult to remember. A new study out of the University of York in England has found that many of these password managers may not be as secure as we think.
The University of York researchers developed a malicious app designed to mimic a legitimate Google app and ask for password data, aiming to trick password managers into sharing data with the false app.
“Vulnerabilities in password managers provide opportunities for hackers to extract credentials, compromising commercial information or violating employee information,” says Siamak Shahandashti, PhD, of the Department of Computer Science at the University of York and lead author of the study. “Because they are gatekeepers to a lot of sensitive information, rigorous security analysis of password managers is crucial.”
The researchers found that a number of password managers used weak criteria when identifying a trustworthy app for sharing username and password information. By simply creating a rogue app with an identical name, the research team was able to dupe multiple password managers and procure sensitive log-in information.
“In light of the vulnerabilities in some commercial password managers our study has exposed, we suggest they need to apply stricter matching criteria that are not merely based on an app’s purported package name,” Shahandashti said.
The study also found that many password managers do not enforce a limit on guesses for an account’s master PIN or password. This means that through a “brute force” attack — where pins or passwords are constantly generated by AI until the correct one is entered — hackers could gain access to an individual’s device or password storage account in as little as 2.5 hours.
Alongside these new findings, the researchers compiled a list of previously disclosed issues and tested whether they have yet to be resolved by the password management companies. They found that most of the previously disclosed vulnerabilities were fixed, but there were still a number of vulnerabilities that have yet to be addressed.
Password managers still remain a secure alternative to password storage, but their potential vulnerabilities should be kept in mind.
“New vulnerabilities were found through extensive testing and responsibly disclosed to the vendors,” says lead author Michael Carr. “Some were fixed immediately while others were deemed low priority. More research is needed to develop rigorous security models for password managers, but we would still advise individuals and companies to use them as they remain a more secure and [usable] option. While it’s not impossible, hackers would have to launch a fairly sophisticated attack to access the information they store.”
As always, it is important to monitor who has access to a facility’s accounts and devices. Those individuals should also be advised on screening software downloads for potential malware — including opening suspicious emails, visiting suspicious or previously unapproved websites, and being especially careful when downloading new software or applications.
“Our study shows that a phishing attack from a malicious app is highly feasible — if a victim is tricked into installing a malicious app it will be able to present itself as a legitimate option on the autofill prompt and have a high chance of success,” Shahandashti said.
InterMed recognizes the threats of cybersecurity on medical facilities and can help you develop a preventative strategy that is right for your facility. From security diagnostics to staff training, we offer the solutions and safeguards you need to keep your facility safe from cybercrime. Visit Intermed1.com/jump-teams/ to learn more.