If you spend any time on the Internet (and who doesn’t these days?), then you probably have a lot of passwords.
You need a password every time you log on to your social media accounts, check your banking account balance or order something from Amazon.
If you belong to any forums, run a website or even just write a blog, then you have even more passwords.
It’s tempting to use the same password for each of these websites. After all, you probably need to sign in to dozens, if not hundreds, of websites during the course of a normal year. If you had a strong, unique password for each of these websites, how could you possibly remember them all?
Unfortunately, too many people take the easy way out. They use a password that’s fairly obvious, say “Password123,” for instance, and then use it for all of their online activities. Why is this such a terrible idea?
Because if a hacker manages to get your password on even one account, then they have your password for all of your accounts.
Maybe you don’t thing that it is a particularly big deal if some nefarious party is able to log into your Facebook profile, though they can wreak havoc if that occurs.
However, if that password gives them access to your banking information, your credit card numbers, SocialSecurity Number or anything else, then you will certainly care.
Why Strong Passwords Are Critical
In recent years, many websites have begun instituting requirements for increasingly long and complex passwords.
It’s a pain for the user to come up with and remember these passwords, but there is good reason for doing so.
The more complex and random your passwords are, the harder they are for hackers to discern. Now, imagine that you had dozens of these passwords, one for each of the websites that you frequent.
Those hackers won’t get as far when they have to figure out a completely random chain of 12 or more letters, numbers and special characters. The problems only get multiplied by your use of unique passwords on every one of your online accounts.
This type of password is critical to your online security. Once one hacker has figured out your too-simple password, they can use it themselves or sell it for major bucks on the black market.
Some of these buyers are incredibly sophisticated. Within minutes, your identity is stolen, your credit rating is trashed and you’ll spend years and lots of money trying to get your reputation back.
According to the MIT Technology Review, creating a truly strong password is about more than using one capital letter, one number and one special character. The longer you make your password, and the more special characters that it uses, the more likely you are to stump hackers.
Hackers have software that continuously and tirelessly runs through password “guesses.” Sooner or later, they may latch onto yours.
However, if your password is long, complex and totally random, then chances are good that the hacker will go looking for much easier prey, which is available in abundance.
What Is a Password Manager?
The problem is that remembering all of these incredibly long, complicated and unique passwords is a Herculean task. Who can possibly keep them all straight?
That’s where password managers come in.
Most password managers are designed to generate countless strong, random passwords for individual users.
They store these passwords, and then retrieve them when you visit each website.
It also is possible for these services to store your credit card numbers, including the three-digit CVV code on the back, along with PINs and your answers to various security questions.
All of these data are encrypted in a bid to foil hackers. Many of these services use hashing, which essentially is responsible for the conversion of plain data into strings of numbers or characters of a predetermined length.
Any time that you want to visit a website where you will need to use one of your passwords, you log into the “vault” of data that you previously stored with your password manager. Access is granted through a single password for the manager service.
That sounds pretty convenient, but it is critical that you do not put too much trust into password managers. These services are not a magic bullet that will protect you from all harm.
In fact, you might be wise to forego using a password manager at all.
Why Password Managers Can Be Risky
Password managers store all of your sensitive data either locally or on a cloud.
Accordingly, your passwords are in a vault on a storage drive or computer at your home or they are kept remotely on the password manager’s servers.
Big-name players in the industry like Dashlane, 1Password, and LastPass use their servers to store your private information by default. This makes it more convenient for you to sync any stored data that you may have with all of your devices.
Now, these companies make a lot of promises about their security measures, but that doesn’t make all consumers comfortable.
Just imagine if all of that incredibly valuable data on that single server was compromised by a hack. Because you’ve put all of your eggs in one basket, you’ve just lost control of your online life.
The reality is that few hackers can resist the temptation to get past the advanced security systems. Think of all the priceless data they could gather with just one hack. Sometimes, consolidation is not a wise maneuver.
If you really dislike the thought of cloud storage for all of your passwords, then perhaps you could opt for local storage instead. Dashlane makes this possible when customers choose to disable the “Sync” feature.
1Password lets customers buy a software license that gives them control over where their vault is kept. KeePass makes it possible to store your data in a vault that’s encrypted on your own device.
However, before you jump in with both feet on these options, ask yourself how secure your own electronic security measures are? Is it possible that a hacker could get through them to take all of your passwords from your own device?
Security Breaches That You Need to Know About
The security breaches listed are not theoretical. Many of them have happened. Before you decide whether or not using a password manager makes sense for you, take these breaches into account.
The Breach at OneLogin
In a press release, OneLogin wrote that, “We have since blocked this unauthorized access, reported the matter to law enforcement, and are working with an independent security firm to determine how the unauthorized access happened.”
LastPass Reports a Breach
Another rather infamous password manager hack occurred over at LastPass. This was reported in April 2017, and the company described it as a “unique and highly sophisticated” problem.
The implication is that LastPass uses such advanced encryption techniques and security measures that the situation is all-but unthinkable and could not possibly occur again.
The problem was identified by Tavis Ormandy, a security researcher for Google’s Project Zero. Ormandy described the issue as being “architectural” in nature, going on to say that it would require significant time to address.
While LastPass worked to correct the vulnerability, they advised clients to use two-factor authentication and to avoid all suspicious links.
However, this is not the only occurrence that LastPass has suffered. In June 2015, the company announced that their servers had experienced an intrusion.
LastPass reported that no stored passwords were stolen and that the hackers didn’t take email addresses, password reminders or authentication hashes.
KeePass Gets Hacked – Sort Of
The availability of a tool nicknamed “KeeFarce” in 2015 made things look dicey for KeePass. Although this hacker tool was targeted to KeePass, it’s feasible that the tool could be modified to target any password manager.
Essentially, this tool was designed to target the computers of users, which generally don’t have the robust security features that password managers use.
The tool was capable of decrypting all user names and passwords that the user had stored with KeePass. All of the data was then written to a file that the hacker could access.
This tool was designed to highlight a problem that all password managers have. An infected computer is a vulnerable computer.
No matter how good a password manager is when the user’s computer is infected with a virus or other problem, the protection offered by the manager is bound to be compromised. You’ve got to beef up your own security if you are to have any hope of benefiting from a password manager.
Keeper Catches a Bug
In May 2018, Keeper announced that they had fixed a bug that was identified by a security researcher.
The researcher said that the bug may have allowed unauthorized people to access the private data belonging to another user.
The bug was brought to light via a disclosure list for public security. Essentially, the listing said that any individual who controlled the company’s API server could theoretically access the decryption key to the vault of passwords belonging to any user.
The source of the problem was contained with Keeper Commander, a script powered by Python that enables users to rotate passwords. Keeper’s bug has since been eliminated.
The TeamSIK Findings
In February of 2017, researchers at the Fraunhofer Institute for Secure Information Technology made public their findings.
Following a review of the nine most frequently used password managers. The results were anything but reassuring.
The researchers, known as TeamSIK, called their findings “extremely worrying.” They even asserted that these companies “abuse the users’ confidence and expose them to high risks.”
The password managers that were included in the review were 1Password, Avast Passwords, Hide Pictures Keep Safe Vault, Dashlane, F-Secure KEY, Keeper, LastPass, Informaticore Password Manager and My Passwords.
Each manager in the review had at least one security flaw. The researchers informed each of the companies of their findings, and mot problems were quickly addressed.
Still, doesn’t it seem like each company should have realized and corrected these problems without needing an outside source to cajole them into taking action?
In the aftermath, users were encouraged to ensure that they were patched and using the latest versions of the password manager software so that they were getting the full benefit of the upgraded security measures.
Below are some of the specific details/reports. For specific details please open each report.
- Read Private Data of My Passwords App
- Master Password Decryption of My Passwords App
- Free Premium Features Unlock for My Passwords
Informaticore Password Manager
- Insecure Credential Storage in Mirsoft Password Manager
LastPass Password Manager
- Hardcoded Master Key in LastPass Password Manager
- Privacy, Data leakage in LastPass Browser Search
- Read Private Date (Stored Masterpassword) from LastPass Password Manager
- Keeper Password Manager Security Question Bypass
- Keeper Password Manager Data Injection without Master Password
F-Secure KEY Password Manager
- F-Secure KEY Password Manager Insecure Credential Storage
Dashlane Password Manager
- Read Private Data From App Folder in Dashlane Password Manager
- Google Search Information Leakage in Dashlane Password Manager Browser
- Residue Attack Extracting Masterpassword From Dashlane Password Manager
- Subdomain Password Leakage in Internal Dashlane Password Manager Browser
Hide Pictures Keep Safe Vault
- SKeepsafe Plaintext Password Storage
- App Password Stealing from Avast Password Manager
- Password Theft by Spoofed Website from Avast Password Manager
- Insecure Default URLs for Popular Sites in Avast Password Manager
- Subdomain Password Leakage in Avast Password Manager
- Broken Secure Communication Implementation in Avast Password Manager
- Internal Testing URLs in Avast Password Manager
1Password – Password Manager
- Subdomain Password Leakage in 1Password Internal Browser
- Https downgrade to http URL by default in 1Password Internal Browser
- Titles and URLs Not Encrypted in 1Password Database
- Read Private Data From App Folder in 1Password Manager
- Privacy Issue, Information Leaked to Vendor 1Password Manager
Types of Security Breaches
The reality is that all of the major password managers have had serious security breaches at one time or another. Even if they correct the problems as they are uncovered, it seems like new schemes are always afoot.
These are some of the security breaches to which password managers are vulnerable.
Phishing – Most people have heard about phishing schemes. They involve an email or text message that’s purportedly sent by a reputable entity or individual.
The aim is to get an unsuspecting victim to reveal sensitive data like bank account numbers, credit card numbers and Social Security Numbers for the purpose of defrauding the recipient.
Phishing has been used to defraud password manager customers. In this scheme, customers are asked to log in to a website because of an expired session.
When they do, a confusingly similar phishing website is actually where they are inputting their private data. The user has just willingly offered up their secret password to a hacker.
Cross-Site Request Forgery – Often referred to as CSRF, this scheme tricks people into taking unintended actions online. It’s employed on users who are authenticated in a web application. The nefarious party often sends a link via email to induce the victim to transfer funds or take other potentially harmful actions.
Cross-Site Scripting – Familiarly known as XSS, this attack involves the introduction of malicious code into otherwise known and trusted websites.
Brute-Force Attacks – This security breach involves automated software that tries various combinations until it hits a data goldmine, like the server of your password manager.
Auto-Fill Feature Vulnerability – Using the auto-fill feature on your web browser or password manager is tempting because it seems to make everything so much easier.
In reality, you’re only making things easier for your cybercriminals around the world. It’s even being used by advertisers.
Storing Master Password in Plain Text – Proving that password managers are not necessarily the best gatekeepers of your sensitive data, one research project uncovered the fact that some password managers were storing customer’s master passwords in plain text without any encryption whatsoever.
App’s Code Containing Encryption Keys – In essence, the app’s own code exposes encryption keys within the code itself. It’s a field day for hackers when this vulnerability is discovered.
Clipboard Sniffing or Hijacking – This breach allows criminals to grab credentials that have been copied into the PC’s memory so that they can be pasted into an interface for password entry.
Built-in Web Browser Flaws – Some password managers also are browsers, the use of which is supposed to keep customers safer online. However, with an imperfect password manager—which they all are, the possibility for flaws is multiplied.
Data Residue Attack – Users who delete apps from their devices don’t necessarily remove all traces of it. Some hackers attack the “residue”that remains behind. Only really solid security measures actually keep out criminals.
Insider Hacking – Don’t assume that you’re safe just because you’re using a company computer.
Some hacks are an inside job that is perpetrated by a colleague.
That’s just as true at the offices of password managers. How do you know you can trust the employees of your provider?
Information Leaks Through Swap Memory – Most computers have main memory and secondary storage. Each process that the computer performs gets as much memory as it asks for.
Active process are stored in main memory. Dormant processes are pushed out to secondary storage. When a particular process starts eating up tons of memory, more items get pushed to secondary storage.
System performance deteriorates, and terminating the leaking process may not mean that processes that were pushed to secondary storage get swapped back immediately. Anything that has been outsourced to the secondary storage may be vulnerable to attack.
What Does the Future Hold?
As noted, the nine best-known password managers have since fixed all of these issues. However, what other problems may be lurking?
Some of the vulnerabilities that were uncovered by TeamSIK should have been quite obvious, yet none of these companies were aware of them. It took an independent third party to uncover these issues and bring them to light. Can you really trust a password manager with your most sensitive data?
You May Also Like: