Password managers allow users to generate strong passwords and store them in a “secure” vault with one master password or PIN. Five of those password managers – Dashlane, Keeper, LastPass, 1Password and RoboForm – were analyzed in an investigation conducted by Michael Carr and Siamak F. Shashandashti of England’s University of York.
Critical Windows 10 security flaw discovered by NSA: What to do nowHave you noticed a surge in phishing emails since the coronavirus outbreak? We have, too!Fake COVID-19 apps are spreading malware: How to protect your PC
Unfortunately, as Tom’s Guide reported, the research duo found that all five password managers had security vulnerabilities that could allow hackers to swipe users’ passwords from Android phones and Chrome extensions. “After creating a malicious app to impersonate a legitimate Google app, they were able to fool two out of five of the password managers they tested into giving away a password,” researchers at the University of York wrote in a report. In other words, researchers were able to trick password managers into relinquishing users’ passwords by posing as a fake app. This security flaw is caused by weak criteria for vetting the legitimacy of apps. Some password managers fared better than others but researchers concluded that Dashlane was the worst. The app was vulnerable to seven different security flaws the researchers tested. 1Password, on the other hand, had the fewest flaws – “just” five. DashLane defended itself against the research study, refuting a section that accused the company of not locking user accounts after a set number of incorrect PIN entries. The study cited concerns over brute-force attacks – a hacking method that activates up to 10,000 PIN attempts until there’s a match. “We do not enable the PIN code by default or recommend using it, although some of our customers prefer to use it. It is less secure than a proper master password, which we do recommend,” DashLane told Tom’s Guide. DashLane isn’t the only app to speak out against the study. All five password managers told Tom’s Guide that the research study was conducted two to three years ago, and many of the security flaws described in the paper have since been fixed. At this point, the critical question remains: should you continue using a password manager? According to researchers, the answer – surprisingly – is yes. “We would still advise individuals and companies to use them as they remain a more secure and usable option,” the University of York news posting concluded. “While it’s not impossible, hackers would have to launch a fairly sophisticated attack to access the [password managers’] information they store.”