While, yes, it is possible to hack a password manager, don’t jump to the wrong conclusion just yet since there is something every user should keep in mind: every piece of software – password manager or not – has its weak points, and it is up to the user to decide which services can be trusted and what risks they are willing to accept.
In other words, if security could be measured on a scale between 1 and 100, no program would ever reach 100, because it is impossible to be completely free of bugs or weaknesses. The ugly truth is that the question "Is this secure?" cannot be answered with a definitive yes or no, because security isn't black or white. All the same, it's important to know what makes a password management service vulnerable, and that depends on whether the service is cloud-based, provided via an application, or open source.
Most Popular Password Managers Have Been Hacked
It could be human error, an attack scenario the developers have not considered, or a weakness in how the software handles local files, but there are many ways that access to your stored passwords can be gained. The worst-case scenario, however, is the user falling victim to a phishing attack that places a keylogger on their computer. From that moment on, any password manager becomes hackable, unless an extra layer of security is applied through device-based or two-factor authentication.
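To make that "extra layer" concrete, here is an added example (not from the article and not any vendor's code) of a login check that requires both the master password and a time-based one-time code, i.e. RFC 6238 TOTP built on RFC 4226 HOTP over HMAC-SHA1. The secret is the RFC reference-vector seed so the result can be checked against the published value; the outcome of the password check is passed in as a boolean, an assumption that keeps the example focused on the second factor.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo secret: the RFC 4226/6238 reference seed, used only so the
# codes below can be checked against published test vectors. Not a real secret.
DEMO_SECRET = b"12345678901234567890"
STEP_SECONDS = 30


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based one-time password for an 8-byte big-endian counter."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the current time step."""
    return hotp(secret, unix_time // step, digits)


def verify_login(password_ok: bool, submitted_code: str, secret: bytes,
                 now: Optional[int] = None, window: int = 1) -> bool:
    """Accept only when the password check passed AND the code matches the
    current time step or one step either side (tolerates small clock drift).
    A code captured by a keylogger stops validating once its window has passed."""
    if not password_ok:
        return False
    now = int(time.time()) if now is None else now
    current = now // STEP_SECONDS
    for counter in range(current - window, current + window + 1):
        # constant-time comparison so a wrong code leaks no timing information
        if hmac.compare_digest(hotp(secret, counter), submitted_code):
            return True
    return False


if __name__ == "__main__":
    # At Unix time 59 the RFC 6238 SHA-1 vector gives 94287082; 6 digits -> 287082.
    code = totp(DEMO_SECRET, 59)
    print("code at t=59:", code)
    print("login at t=59:", verify_login(True, code, DEMO_SECRET, now=59))
    print("same code replayed 90 s later:", verify_login(True, code, DEMO_SECRET, now=149))
    print("correct code, wrong password:", verify_login(False, code, DEMO_SECRET, now=59))
```

The replay case is the point of the example: a phished password plus a captured six-digit code is only useful inside the short acceptance window, and the password alone is never enough. In a real deployment the per-user secret would be generated randomly at enrolment and stored server-side, never derived from anything the user types.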
Accessing the Whole Password Database
Take LastPass, 1Password or Dashlane, for example, which are among the most popular password managers. LastPass managed to grab the headlines in the past and not in a good way: in mid-2015 cyber criminals copied its main password database, a year later a security researcher discovered a user-interface flaw, and in 2017 browser-based extension vulnerabilities were found.
Getting Access to Local Files
After putting Dashlane's security to the test, a group of researchers managed to bypass the service's device-based authorization after discovering that the security feature isn't actually tied to a registered device. Instead, a file is created on a registered device, which acts like a key during the login process. If the file is moved to another computer, then it is possible to log in from that machine as well without the need for device registration. That's a simple enough workaround for cyber criminals to combine with other methods to gain access to a user's password collection. Still, hackers will need physical access to the target's computer for this to work.
A group of German researchers also discovered various security flaws in 1Password's Android app. Due to a design flaw, the password manager's built-in web browser allowed files from the app's private data directory to be extracted, opening the door to the database file and therefore to user passwords and other sensitive data.
What Does This Mean for Users?
Such security flaws are a solid reason for users to remain skeptical about password management services. It's an understandable point, but without proper tools to secure online accounts with strong passwords, users themselves provide an attack surface to cyber criminals. Just consider the weak security habits people tend to fall into, such as reusing the same password across multiple accounts.
Expecting 100% security from a piece of software isn't feasible, so users should be aware of the risks and consider the measures that password manager developers have taken to mitigate them. If those efforts are sufficient, then the benefits of using a password manager will ultimately outweigh the risks.
How Password Managers Protect User Data
Thanks to smart password storage design, the LastPass database leak didn't expose any usable user data; the attackers could see only encrypted gibberish. Other security flaws found in password managers by white hat hackers are usually fixed, and the better services make sure these issues are resolved quickly and communicated clearly.
In theory, every internet-accessible database is an attack opportunity for hackers, while locally stored files are not. That is only partly true: locally stored files can be attacked as well, as the Dashlane and 1Password findings above show, and online databases can be hardened with the right mitigations.
Each service uses its own approach to security, but the basis of all of them is encryption. Password hashing and salting further increase the level of protection, but not all password managers use them. Before relying on a password management service, check which security measures it takes to protect user data.
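The two ideas in this section, encryption making a leaked database unreadable and hashing plus salting protecting the master password, fit together in one added example below. It is illustrative code written for this page, not any vendor's implementation: the master password is stretched with salted PBKDF2-HMAC-SHA256 into two keys, one that only ever exists on the client and encrypts the vault, and one whose hash is all the server stores for login. The iteration count, the record layout and the stream-cipher construction (HMAC-SHA256 keystream with an HMAC tag) are assumptions chosen to keep the example dependency-free; a production vault would use a standard authenticated cipher such as AES-GCM in the same role.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

ITERATIONS = 100_000   # illustrative PBKDF2 work factor (assumption, not a vendor setting)
KEY_LEN = 32
NONCE_LEN = 16
TAG_LEN = 32


def derive_keys(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> Tuple[bytes, bytes]:
    """Stretch the master password into 64 bytes: the first half is the client-only
    vault key, the second half is the authentication key shown to the server."""
    material = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                                   salt, iterations, dklen=2 * KEY_LEN)
    return material[:KEY_LEN], material[KEY_LEN:]


def make_server_record(master_password: str, salt: Optional[bytes] = None) -> dict:
    """What the service keeps per user: a per-user salt and a hash of the auth key.
    Neither the master password nor the vault key is ever stored."""
    salt = os.urandom(NONCE_LEN) if salt is None else salt
    _, auth_key = derive_keys(master_password, salt)
    return {"salt": salt.hex(), "iterations": ITERATIONS,
            "verifier": hashlib.sha256(auth_key).hexdigest()}


def check_login(record: dict, master_password: str) -> bool:
    """Re-derive the auth key from the stored salt and compare in constant time."""
    _, auth_key = derive_keys(master_password, bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(hashlib.sha256(auth_key).hexdigest(), record["verifier"])


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: HMAC-SHA256 over nonce||counter blocks (stand-in for a real cipher)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_vault(vault_key: bytes, plaintext: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag. This blob is what a database
    leak would expose; without the vault key it is indistinguishable from noise."""
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(vault_key, nonce, len(plaintext))))
    tag = hmac.new(vault_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_vault(vault_key: bytes, blob: bytes) -> bytes:
    """Verify the tag before touching the ciphertext; wrong key or tampering raises."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(vault_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("vault tag mismatch: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(vault_key, nonce, len(ct))))


if __name__ == "__main__":
    # Constructed demo values; "hunter2" stands in for a stored site password.
    pw = "correct horse battery staple"
    record = make_server_record(pw)
    vault_key, _ = derive_keys(pw, bytes.fromhex(record["salt"]), record["iterations"])
    blob = encrypt_vault(vault_key, b"site: example.test / pw: hunter2")
    print("server record:", record)
    print("leaked blob (hex):", blob.hex())
    print("plaintext visible in blob?", b"hunter2" in blob)
    print("login with right password:", check_login(record, pw))
    print("login with wrong password:", check_login(record, "password123"))
```

Two properties are worth checking against any real product: the same master password must produce different stored verifiers for different users (the salt does this, so a leak cannot be matched against precomputed tables or across accounts), and the server-side record alone must not be enough to decrypt the vault (the vault key is derived client-side and never leaves the device).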