There is a very good reason why people who pay attention to their online security choose password managers.
Not only it is more convenient thanks to its ‘one password to rule them all’ function, but thanks to the cloud-based technology it is also safer than keeping all your passwords in a spreadsheet.
However, as with anything uploaded to the internet, your passwords can be compromised – and not even the best passwords managers are safe from blunders when the data of millions of users are leaked. In the past few years – particularly in 2017 – there were plenty of security breaches, so here are a few you should know about…
OneLogin: ‘Tis But a Scratch!
Kicking off our list is the most recent and only bad example of how a company should react when it comes to properly telling its customers that their data may or may not have been compromised.
On May 31 2017, identity management outfit OneLogin alerted its users on its blog that “unauthorized access to OneLogin data in our U.S. data region” had occurred. At first the problem didn’t seem too serious, but users later reported that the emails they received from the company were more than worrying. To pour salt into the wound caused by this catastrophic communication, OneLogin not only forced its users to seek the solution on a registration-required support page, but then this very page also revealed that in fact all U.S. customer data had been compromised to such extent that hackers could easily decrypt the supposedly encrypted data. As a final insult, users were given a list of instructions consisting of 12 steps that could’ve made even tech-savvy users frustrated.
The Big Nine: Unsafe Apps
In February 2017 a group of security experts from TeamSIK discovered that the apps of nine of the most popular password manager companies were at risk of being hacked. These nine at-risk companies were LastPass, Keeper, 1Password, My Passwords, Dashlane, Informaticore’s Password Manager, F-Secure KEY, Keepsafe, and Avast Passwords. The biggest blunder, however, was committed by the apps of Informaticore and LastPass: the master passwords of users appeared as plain text or the encryption key itself was exposed in the code, making the apps vulnerable to data residue attacks and clipboard sniffing.
Thankfully developers of these apps reacted faster than you can say Jack Robinson, and released patches on March 1 2017, way before the findings of TeamSIK were officially published.
LastPass: Faulty Browser Plug-ins
Browser add-ons are crucial for password managers to be able to work properly, otherwise they couldn’t import all those passwords you use on various sites. So if this plug-in is compromised, it’s bad news for everyone – except the hackers that is. And that’s exactly what happened to LastPass, one of the most popular password managers on the market and – due to this very same reason – a company that is a regular target of constant hacker attacks.
Although similar attacks occurred in 2011, 2014 and 2015, the most recent is the most relevant right now: on March 20 2017, Google security researcher Tavis Ormandy reported to LastPass that its extensions could have given hackers the opportunity to access internal commands, and thus enable them to remotely steal passwords. To make things worse, the same researcher reported a similar bug, this time in LastPass’s Firefox extension, forcing the company to release patches twice within 24 hours.
Despite the company’s initial reaction being more than questionable – it remained silent for a few hours after the breach was discovered – LastPass did eventually eliminate the vulnerability and also made sure that its users are prepared: they were instructed to launch sites directly from the LastPass Vault, use the two-factor authentication, keep an eye out for phishing attacks, and additionally change their master password.
It’s Still Safe
Even though the above examples show that password managers can still be compromised, data protection of all data stored within such programs is relatively easy. Turning on the two-step authentication, monitoring your bank accounts and checking to see if your email address has been stolen by attackers is highly important, as is keeping an eye out for phishing scams and checking the security settings of any site you are registered with. And last but not least, the moment a security breach is revealed for your password manager, it is important that you change the compromised account’s password with a new one created by a password generator and repeat this process with every site where you have used the same login credentials.
Best Password Managers of 2019
|Editor's Choice 2019|