40% of password managers duped by a fake Google app

Password managers failed this test miserably

Most of today’s workplaces involve at least light computer interaction, which means there are passwords to create and remember. As we all know, we’ve got to create strong passwords or run the risk of being hacked.

The problem is the strongest passwords are generally nearly random strings of characters with little to no meaning. Remembering all those random keystrokes can be a job in itself, so many of us turn to password managers to bridge that gap and create one super password for the manager. Now it looks like these managers are far from secure.

We’ve heard the alarms before about the vulnerability of password managers, and a research team at the University of York has exposed several severe flaws in nearly half of the password managers it tested.

The researchers created a malicious app that was a mockup of a legit Google app and presented it to various password managers to see if they would fall for the lookalike. The spoofed app tricked two of five password managers into presenting the password. The research team did not identify the password managers that failed the test, but the 40% failure rate is nonetheless alarming.

So, what made these systems fail? While the University of York team didn’t get too deep into the details, it noted the ones that failed had weak criteria for identifying a legitimate app. This allowed the fake app to trick the system into auto-filling the password.

According to the research team, if a hacker were to trick a user into downloading the app through a phishing email or other medium, there is a high probability the app would steal passwords with relative ease.

The researchers also found some of the password managers did not limit the number of times one can attempt the master PIN or password. This would allow a brute force attack to crack the master password in as little as 2.5 hours.  

Related Resource

8 digital best practices for IT professionals

Don't leave anything to chance when going digital

Download now

The University of York team sent its findings to the password management companies along with a few other previously noted issues that remain unaddressed.

Here’s to hoping we someday have a secure system for maintaining our passwords that doesn’t rely on us memorizing hundreds of random character strings. Until then, all we can do it continue making strong passwords and remain vigilant against phishing attempts and other password-stealing hacks.

Featured Resources

Become a digital service provider

How to transform your business from network core to edge

Download now

Optimal business results with the cloud

Evaluating the best approaches to hybrid cloud adoption

Download now

Virtualisation that enables choices, not compromises

Harness the virtualisation technology that's right for your hybrid infrastructure

Download now

Email security threat report 2020

Four key trends from spear fishing to credentials theft

Download now

Most Popular

150,000 arrest records accidentally deleted from police database
data management

150,000 arrest records accidentally deleted from police database

15 Jan 2021
How to recover deleted emails in Gmail
email delivery

How to recover deleted emails in Gmail

6 Jan 2021
What is a 502 bad gateway and how do you fix it?
web hosting

What is a 502 bad gateway and how do you fix it?

12 Jan 2021