40% of password managers duped by a fake Google app

Password managers failed this test miserably

Most of today’s workplaces involve at least light computer interaction, which means there are passwords to create and remember. As we all know, we’ve got to create strong passwords or run the risk of being hacked.

The problem is the strongest passwords are generally nearly random strings of characters with little to no meaning. Remembering all those random keystrokes can be a job in itself, so many of us turn to password managers to bridge that gap and create one super password for the manager. Now it looks like these managers are far from secure.

Advertisement - Article continues below

We’ve heard the alarms before about the vulnerability of password managers, and a research team at the University of York has exposed several severe flaws in nearly half of the password managers it tested.

The researchers created a malicious app that was a mockup of a legit Google app and presented it to various password managers to see if they would fall for the lookalike. The spoofed app tricked two of five password managers into presenting the password. The research team did not identify the password managers that failed the test, but the 40% failure rate is nonetheless alarming.

So, what made these systems fail? While the University of York team didn’t get too deep into the details, it noted the ones that failed had weak criteria for identifying a legitimate app. This allowed the fake app to trick the system into auto-filling the password.

According to the research team, if a hacker were to trick a user into downloading the app through a phishing email or other medium, there is a high probability the app would steal passwords with relative ease.

The researchers also found some of the password managers did not limit the number of times one can attempt the master PIN or password. This would allow a brute force attack to crack the master password in as little as 2.5 hours.  

Related Resource

8 digital best practices for IT professionals

Don't leave anything to chance when going digital

Download now

The University of York team sent its findings to the password management companies along with a few other previously noted issues that remain unaddressed.

Here’s to hoping we someday have a secure system for maintaining our passwords that doesn’t rely on us memorizing hundreds of random character strings. Until then, all we can do it continue making strong passwords and remain vigilant against phishing attempts and other password-stealing hacks.

Featured Resources

Top 5 challenges of migrating applications to the cloud

Explore how VMware Cloud on AWS helps to address common cloud migration challenges

Download now

3 reasons why now is the time to rethink your network

Changing requirements call for new solutions

Download now

All-flash buyer’s guide

Tips for evaluating Solid-State Arrays

Download now

Enabling enterprise machine and deep learning with intelligent storage

The power of AI can only be realised through efficient and performant delivery of data

Download now

Most Popular

Visit/infrastructure/server-storage/355118/hpe-warns-of-critical-bug-that-destroys-ssds-after-40000-hours
Server & storage

HPE warns of 'critical' bug that destroys SSDs after 40,000 hours

26 Mar 2020
Visit/software/video-conferencing/355138/zoom-beaming-ios-user-data-to-facebook-for-targeted-ads
video conferencing

Zoom beams iOS user data to Facebook for targeted ads

27 Mar 2020
Visit/software/355113/companies-offering-free-software-to-fight-covid-19
Software

These are the companies offering free software during the coronavirus crisis

25 Mar 2020
Visit/mobile/mobile-phones/355088/apple-lifts-iphone-purchase-restrictions
Mobile Phones

Apple lifts iPhone purchase restrictions

23 Mar 2020