These 3 popular password managers are insecure, researchers find
Bitwarden, LastPass, and Dashlane are less secure than you might expect, at least if you go by the findings of security researchers at ETH Zurich and the Università della Svizzera italiana (USI) in Lugano.
They’ve allegedly discovered serious security vulnerabilities in these popular password managers. “In tests, they were able to view and even change stored passwords,” writes the editor (machine translated).
Why are they vulnerable?
Many password managers store passwords in encrypted form in the cloud. The advantage of this is that you can access your passwords across all your devices, no matter where you are. The important bit is that your passwords are encrypted, which guarantees that those passwords are secure against unauthorized access. Even if hackers gain access to the password manager’s servers, the encryption will thwart them.
But Swiss security researchers found vulnerabilities in popular password managers Bitwarden, LastPass, and Dashlane: “[The researchers’] attacks ranged from breaches of the integrity of targeted user vaults to the complete compromise of all vaults of an organization using the service. In most cases, the researchers were able to gain access to the passwords—and even manipulate them.”
The researchers demonstrated 12 attacks on Bitwarden, 7 on LastPass, and 6 on Dashlane. To do this, they set up their own servers that behaved like a hacked password manager server. The researchers then initiated “simple interactions that users or their browsers routinely perform when using the password manager, such as logging into the account, opening the vault, viewing passwords, or synchronizing data.”
The researchers found “very bizarre code architectures,” which were probably created because the companies were trying to “offer their customers the most user-friendly service possible, for example the ability to recover passwords or share their account with family members.”
This not only makes the code architectures more complex and confusing, but also ends up increasing the number of potential attack points for hackers. The security researchers warn: “Such attacks don’t require particularly powerful computers and servers, just small programs that can spoof the server’s identity.”
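To make the threat model above concrete, here is an added illustration (not code from the researchers or from any of the products named) of a client that treats the sync server as untrusted: every vault blob is encrypted and integrity-tagged on the client, and the tag also binds the blob to its owner and version, so a server that has been spoofed or compromised cannot read, alter, swap or roll back a vault without the client noticing. It uses standard-library stand-ins (HMAC-SHA256 counter-mode keystream plus a separate HMAC tag) in place of a production AEAD such as AES-GCM; all function names, the blob layout and the sample data are assumptions made for this example.

```python
"""Client-side vault blob a malicious server cannot read, alter, swap or roll back
undetected. Stand-in stdlib primitives: HMAC-SHA256 in counter mode as keystream,
separate HMAC-SHA256 tag (encrypt-then-MAC); a real client would use an AEAD."""
import hashlib, hmac, json, os

def derive_keys(master_password, salt):
    # One slow KDF call, split into an encryption key and a MAC key (assumed layout).
    km = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, 200_000, dklen=64)
    return km[:32], km[32:]

def _keystream(key, nonce, length):
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range((length + 31) // 32))[:length]

def seal_vault(enc_key, mac_key, user_id, version, entries):
    nonce = os.urandom(16)
    pt = json.dumps(entries).encode()
    ct = bytes(p ^ k for p, k in zip(pt, _keystream(enc_key, nonce, len(pt))))
    # Tag covers owner and version too: no moving blobs between accounts, no stale copies.
    aad = f"{user_id}|{version}".encode()
    tag = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    return {"user": user_id, "version": version, "nonce": nonce.hex(),
            "ct": ct.hex(), "tag": tag.hex()}

def open_vault(enc_key, mac_key, expected_user, min_version, blob):
    if blob["user"] != expected_user or blob["version"] < min_version:
        raise ValueError("vault belongs to another user or was rolled back")
    nonce, ct = bytes.fromhex(blob["nonce"]), bytes.fromhex(blob["ct"])
    aad = f"{blob['user']}|{blob['version']}".encode()
    tag = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, bytes.fromhex(blob["tag"])):
        raise ValueError("vault integrity check failed")  # verify BEFORE decrypting
    return json.loads(bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct)))))

def _rejected(*args):
    try: open_vault(*args); return False
    except ValueError: return True

def demo():
    """Returns (honest_blob_opened, bit_flip_rejected, rollback_rejected)."""
    ek, mk = derive_keys("correct horse battery staple", b"constructed-salt")
    blob = seal_vault(ek, mk, "alice", 3, {"example.com": "hunter2"})  # constructed data
    opened = open_vault(ek, mk, "alice", 3, blob) == {"example.com": "hunter2"}
    ct = bytearray.fromhex(blob["ct"]); ct[-1] ^= 1      # server flips one ciphertext bit
    flipped = _rejected(ek, mk, "alice", 3, dict(blob, ct=ct.hex()))
    stale = _rejected(ek, mk, "alice", 4, blob)          # genuine blob, but client knows v4
    return opened, flipped, stale
```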
Before publishing their findings, the researchers informed each password manager so they’d have enough time to fix the flaws. They all responded positively, but not all fixed the flaws at the same speed.
Blame it on outdated encryption methods
According to the researchers, the reason for the vulnerabilities is obvious: “Discussions with password manager developers have revealed their reluctance to release system updates, fearing their customers could lose access to their passwords and other personal data. These customers include millions of individuals and thousands of companies that entrust their entire password management to these providers. One can imagine the consequences of suddenly losing access to their data. Therefore, many providers cling to cryptographic technologies from the 1990s, even though these are long outdated.”
The only solution to this dilemma is for all password managers to be cryptographically updated, at least for new customers. Existing customers could then decide for themselves “whether they want to migrate to the new, more secure system and transfer their passwords there, or whether they want to remain with the old system—aware of the existing security vulnerabilities.”
What should you do?
The researchers reassure us that there’s no immediate danger, saying they have “no reason to believe that password manager providers are currently malicious or compromised, and as long as this remains the case, your passwords are safe. However, password managers are high-profile targets, and security breaches do occur.”
Anyone considering a password manager should choose a password manager “that openly discloses potential security vulnerabilities, is externally audited, and has end-to-end encryption enabled by default.”