40% of password managers duped by a fake Google app

Password managers failed this test miserably

Most of today’s workplaces involve at least light computer interaction, which means there are passwords to create and remember. As we all know, we’ve got to create strong passwords or run the risk of being hacked.

The problem is the strongest passwords are generally nearly random strings of characters with little to no meaning. Remembering all those random keystrokes can be a job in itself, so many of us turn to password managers to bridge that gap and create one super password for the manager. Now it looks like these managers are far from secure.

Advertisement - Article continues below

We’ve heard the alarms before about the vulnerability of password managers, and a research team at the University of York has exposed several severe flaws in nearly half of the password managers it tested.

The researchers created a malicious app that was a mockup of a legit Google app and presented it to various password managers to see if they would fall for the lookalike. The spoofed app tricked two of five password managers into presenting the password. The research team did not identify the password managers that failed the test, but the 40% failure rate is nonetheless alarming.

So, what made these systems fail? While the University of York team didn’t get too deep into the details, it noted the ones that failed had weak criteria for identifying a legitimate app. This allowed the fake app to trick the system into auto-filling the password.

Advertisement
Advertisement - Article continues below

According to the research team, if a hacker were to trick a user into downloading the app through a phishing email or other medium, there is a high probability the app would steal passwords with relative ease.

Advertisement - Article continues below

The researchers also found some of the password managers did not limit the number of times one can attempt the master PIN or password. This would allow a brute force attack to crack the master password in as little as 2.5 hours.  

Related Resource

8 digital best practices for IT professionals

Don't leave anything to chance when going digital

Download now

The University of York team sent its findings to the password management companies along with a few other previously noted issues that remain unaddressed.

Here’s to hoping we someday have a secure system for maintaining our passwords that doesn’t rely on us memorizing hundreds of random character strings. Until then, all we can do it continue making strong passwords and remain vigilant against phishing attempts and other password-stealing hacks.

Featured Resources

The case for a marketing content hub

Transform your digital marketing to deliver customer expectations

Download now

Fast, flexible and compliant e-signatures for global businesses

Be at the forefront of digital transformation with electronic signatures

Download now

Why CEOS should care about the move to SAP S/4HANA

And how they can accelerate business value

Download now

IT faces new security challenges in the wake of COVID-19

Beat the crisis by learning how to secure your network

Download now
Advertisement

Most Popular

Visit/server-storage/network-attached-storage-nas/355849/western-digital-sneaked-inferior-smr-tech-into
network attached storage (NAS)

Western Digital accused of sneaking inferior SMR tech into NAS drives

1 Jun 2020
Visit/operating-systems/microsoft-windows/355812/microsoft-warns-against-installing-windows-10-may-2020
Microsoft Windows

Microsoft warns users not to install Windows 10's May update

28 May 2020
Visit/security/cyber-security/355797/microsoft-bans-trend-micros-rootkit-buster-from-windows-10
cyber security

Microsoft bans Trend Micro driver from Windows 10 for "cheating" hardware tests

27 May 2020