40% of password managers duped by a fake Google app

Password managers failed this test miserably

Most of today’s workplaces involve at least light computer interaction, which means there are passwords to create and remember. As we all know, we’ve got to create strong passwords or run the risk of being hacked.

The problem is the strongest passwords are generally nearly random strings of characters with little to no meaning. Remembering all those random keystrokes can be a job in itself, so many of us turn to password managers to bridge that gap and create one super password for the manager. Now it looks like these managers are far from secure.

Advertisement - Article continues below

We’ve heard the alarms before about the vulnerability of password managers, and a research team at the University of York has exposed several severe flaws in nearly half of the password managers it tested.

The researchers created a malicious app that was a mockup of a legit Google app and presented it to various password managers to see if they would fall for the lookalike. The spoofed app tricked two of five password managers into presenting the password. The research team did not identify the password managers that failed the test, but the 40% failure rate is nonetheless alarming.

So, what made these systems fail? While the University of York team didn’t get too deep into the details, it noted the ones that failed had weak criteria for identifying a legitimate app. This allowed the fake app to trick the system into auto-filling the password.

Advertisement
Advertisement - Article continues below

According to the research team, if a hacker were to trick a user into downloading the app through a phishing email or other medium, there is a high probability the app would steal passwords with relative ease.

Advertisement - Article continues below

The researchers also found some of the password managers did not limit the number of times one can attempt the master PIN or password. This would allow a brute force attack to crack the master password in as little as 2.5 hours.  

Related Resource

8 digital best practices for IT professionals

Don't leave anything to chance when going digital

Download now

The University of York team sent its findings to the password management companies along with a few other previously noted issues that remain unaddressed.

Here’s to hoping we someday have a secure system for maintaining our passwords that doesn’t rely on us memorizing hundreds of random character strings. Until then, all we can do it continue making strong passwords and remain vigilant against phishing attempts and other password-stealing hacks.

Featured Resources

Navigating the new normal: A fast guide to remote working

A smooth transition will support operations for years to come

Download now

Putting a spotlight on cyber security

An examination of the current cyber security landscape

Download now

The economics of infrastructure scalability

Find the most cost-effective and least risky way to scale

Download now

IT operations overload hinders digital transformation

Clearing the path towards a modernised system of agreement

Download now
Advertisement

Most Popular

Visit/laptops/29190/how-to-find-ram-speed-size-and-type
Laptops

How to find RAM speed, size and type

24 Jun 2020
Visit/security/vulnerability/356295/microsoft-patches-high-risk-flaws-that-can-be-exploited-with-a
vulnerability

Microsoft releases urgent patch for high-risk Windows 10 flaws

1 Jul 2020
Visit/policy-legislation/data-protection/356344/eu-institutions-warned-against-purchasing-any-further
data protection

EU institutions told to avoid Microsoft software after licence spat

3 Jul 2020