Password managers, a seemingly secure solution for managing our ever-growing list of passwords, may not be as safe as we think. With an average of 100 to 200 passwords to remember, these tools offer a convenient way to access all our accounts with just one master password. But here's where it gets controversial: a recent study has revealed that these managers might not be as secure as promised.
Most password managers are cloud-based, which means they store our sensitive data, including login details for banking and credit cards, in encrypted storage platforms known as "vaults." The promise of "zero-knowledge encryption" assures users that their data is safe, even from the providers themselves. However, researchers have now shown that this promise might be flawed.
Matilda Backendal, along with her colleagues from ETH Zurich, conducted a study on three popular password manager providers: Bitwarden, LastPass, and Dashlane. These providers serve a massive user base of around 60 million people, yet the researchers discovered multiple security vulnerabilities. They demonstrated attacks ranging from compromising specific user vaults to gaining complete access to all vaults within an organization.
"The severity of the security vulnerabilities surprised us," says Professor Kenneth Paterson. The team found that due to the complexity of the code, aimed at providing user-friendly features like password recovery and account sharing, password managers have become an attractive target for hackers. These attacks can be carried out with simple interactions, such as logging in or synchronizing data, and do not require powerful computers.
Paterson's team contacted the providers before publishing their findings, giving them time to address the issues. While some providers were cooperative, others were slower to act. The researchers suggest updating the systems with modern cryptography, especially for new customers, and allowing existing users to migrate to the improved system.
For those relying on password managers, Paterson recommends choosing a manager that is transparent about security vulnerabilities and has end-to-end encryption enabled by default. He emphasizes the need for password manager providers to communicate security guarantees more clearly to their customers.
"We want our work to spark change in the industry," Paterson concludes. "Password managers should not make false promises but instead provide accurate information about the security of their solutions."
So, the question remains: are password managers as secure as we think they are? It's a topic that deserves further discussion and consideration, especially with the increasing reliance on online services and the sensitive data they hold.
