40% of password managers duped by a fake Google app

Password managers failed this test miserably

Most of today’s workplaces involve at least light computer interaction, which means there are passwords to create and remember. As we all know, we’ve got to create strong passwords or run the risk of being hacked.

The problem is the strongest passwords are generally nearly random strings of characters with little to no meaning. Remembering all those random keystrokes can be a job in itself, so many of us turn to password managers to bridge that gap and create one super password for the manager. Now it looks like these managers are far from secure.

We’ve heard the alarms before about the vulnerability of password managers, and a research team at the University of York has exposed several severe flaws in nearly half of the password managers it tested.

The researchers created a malicious app that was a mockup of a legit Google app and presented it to various password managers to see if they would fall for the lookalike. The spoofed app tricked two of five password managers into presenting the password. The research team did not identify the password managers that failed the test, but the 40% failure rate is nonetheless alarming.

So, what made these systems fail? While the University of York team didn’t get too deep into the details, it noted the ones that failed had weak criteria for identifying a legitimate app. This allowed the fake app to trick the system into auto-filling the password.

According to the research team, if a hacker were to trick a user into downloading the app through a phishing email or other medium, there is a high probability the app would steal passwords with relative ease.

The researchers also found some of the password managers did not limit the number of times one can attempt the master PIN or password. This would allow a brute force attack to crack the master password in as little as 2.5 hours.  
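An added example (not from the article or the University of York team) of the control the paragraph above says was missing: an escalating lockout on master PIN checks, and the worst-case time it takes to exhaust a PIN space with and without it. The class and function names are hypothetical, and the 10,000-value PIN space and 0.9 s per guess used in the usage note are constructed figures.

```python
import hmac


class AttemptThrottle:
    """Escalating lockout for master PIN/password verification (hypothetical helper)."""

    def __init__(self, free_attempts=5, base_delay=30, max_delay=86400):
        self.free_attempts = free_attempts  # failures below this count carry no delay
        self.base_delay = base_delay        # seconds; doubles with each further failure
        self.max_delay = max_delay          # cap on a single lockout (one day)
        self.failures = 0                   # must be persisted across app restarts
        self.locked_until = 0.0

    def delay_after(self, failures):
        """Lockout in seconds imposed after this many consecutive failures."""
        if failures < self.free_attempts:
            return 0
        return min(self.base_delay * 2 ** (failures - self.free_attempts),
                   self.max_delay)

    def check(self, candidate, stored, now):
        """Return 'ok', 'wrong' or 'locked'; `now` is a monotonic time in seconds.

        `stored` stands for the verifier derived from the master secret,
        passed as bytes; it is compared in constant time.
        """
        if now < self.locked_until:
            return "locked"  # rejected before comparing, so no guess is tested
        if hmac.compare_digest(candidate, stored):
            self.failures = 0
            return "ok"
        self.failures += 1
        self.locked_until = now + self.delay_after(self.failures)
        return "wrong"


def exhaust_seconds(keyspace, throttle, per_guess=0.0):
    """Worst-case seconds to try every value in `keyspace` under this policy."""
    total = 0.0
    for n in range(1, keyspace + 1):
        total += per_guess
        if n < keyspace:  # nothing to wait for after the final guess
            total += throttle.delay_after(n)
    return total
```

With the constructed figures, `exhaust_seconds(10_000, AttemptThrottle(free_attempts=10**9), per_guess=0.9)` is about 9,000 seconds (2.5 hours), while the default policy pushes the same search past 27 years.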


The University of York team sent its findings to the password management companies along with a few other previously noted issues that remain unaddressed.

Here’s to hoping we someday have a secure system for maintaining our passwords that doesn’t rely on us memorizing hundreds of random character strings. Until then, all we can do is continue making strong passwords and remain vigilant against phishing attempts and other password-stealing hacks.
