We’re often told that using a password manager is the best way to keep your online passwords secure.
However, a new report reveals that many of the leading password managers are not nearly as secure as we think.
Security experts have discovered 26 major flaws in nine of the world’s most popular Android password managers.
The list of affected apps reads like a who’s who of the leading password managers and includes such names as 1Password, LastPass, MyPasswords, Avast Passwords, F-Secure Key, Keeper, Informaticore, Dashlane and Hide Pictures Keep Safe Vault.
The findings come from a group of security experts from TeamSIK of the Fraunhofer Institute for Secure Information Technology in Germany, who earlier this week published a report into the security of Android password managers.
“Applications vendors advertise their password manager applications as ‘bank-level’ or ‘military-grade’ secure,” TeamSIK said.
“The overall results were extremely worrying and revealed that password manager applications, despite their claims, do not provide enough protection mechanisms for the stored passwords and credentials.”
“Instead, they abuse the users’ confidence and expose them to high risks.”
In each of the apps, the security researchers identified at least one major security vulnerability, some of which were serious, such as storing the master password in plain text, rather than ensuring it was encrypted.
Two of the most popular apps, Password Manager and LastPass, were found to store the encrypted master key hard-coded in the app’s own code.
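To make the two storage findings above concrete, here is an added illustration in Python (not code from TeamSIK’s report or from any of the named apps; the record layout, labels and iteration count are assumptions chosen for the example). It contrasts writing the master password itself to the app folder with storing only a random salt and a slow, salted verifier, and it derives the vault key from the master password at unlock time instead of hard-coding a key in the app.

```python
import hashlib
import hmac
import json
import os
from typing import Optional

# Constructed parameters for this illustration (not taken from the report).
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16


def store_master_plaintext(master_password: str) -> dict:
    """The weak pattern the report describes: the master password itself is
    written to the app's data folder. Anyone able to read that folder (a
    backup, a rooted device, another bug) obtains the password directly."""
    return {"master_password": master_password}


def store_master_verifier(master_password: str, salt: Optional[bytes] = None) -> dict:
    """Hardened pattern: persist only a per-install random salt and a slow,
    salted verifier. The record lets the app check a typed master password
    without ever storing the password or the vault key on disk."""
    salt = salt or os.urandom(SALT_BYTES)
    verifier = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), salt + b"verify", PBKDF2_ITERATIONS
    )
    return {"salt": salt.hex(), "verifier": verifier.hex(), "iterations": PBKDF2_ITERATIONS}


def verify_master(master_password: str, record: dict) -> bool:
    """Recompute the verifier from the typed password and compare it in
    constant time against the stored one."""
    salt = bytes.fromhex(record["salt"])
    candidate = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), salt + b"verify", record["iterations"]
    )
    return hmac.compare_digest(candidate, bytes.fromhex(record["verifier"]))


def derive_vault_key(master_password: str, record: dict) -> bytes:
    """The vault encryption key is derived from the master password at unlock
    time, under a different label than the verifier, so it never has to be
    hard-coded in the app or written to disk."""
    salt = bytes.fromhex(record["salt"])
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), salt + b"vault-key", record["iterations"]
    )


def record_exposes_password(record: dict, master_password: str) -> bool:
    """Models an attacker who can read the app folder: does the stored record
    contain the master password verbatim?"""
    return master_password in json.dumps(record)


if __name__ == "__main__":
    weak = store_master_plaintext("hunter2")
    strong = store_master_verifier("correct horse battery staple")
    print("plaintext record leaks password:", record_exposes_password(weak, "hunter2"))
    print("verifier record leaks password:",
          record_exposes_password(strong, "correct horse battery staple"))
    print("unlock with right password:", verify_master("correct horse battery staple", strong))
    print("unlock with wrong password:", verify_master("wrong", strong))
```

The point of the two separate labels (`b"verify"` and `b"vault-key"`) is that the verifier written to disk is unrelated to the key that decrypts the vault, so reading the app folder yields neither the master password nor the vault key.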
Furthermore, the security researchers found that many of the apps failed to sufficiently protect against what is known as clipboard sniffing, which can be used by hackers to steal credentials that have been copied into memory to be entered into an account login screen.
What’s perhaps more worrisome is that the researchers found that the autofill functions of many of the password managers could easily be compromised by “hidden phishing attacks” in order to steal login credentials.
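The autofill weakness above, and the related subdomain-leakage and HTTPS-downgrade items in the list further down, come down to how an app decides that a saved credential belongs to the page being shown. The following added example in Python (not code from TeamSIK’s report or from any of the named apps; the vault entry and every URL are constructed for the illustration) reduces a loose matching rule to its essence and places a strict rule beside it.

```python
from urllib.parse import urlsplit

# Constructed vault entry for this illustration.
VAULT = [
    {"site": "https://example.com", "username": "alice", "password": "s3cret"},
]


def naive_match(page_url: str, entry: dict) -> bool:
    """The loose rule, reduced to its essence: offer the credential whenever
    the saved host appears anywhere inside the page host, and treat plain
    HTTP the same as HTTPS. This is what lets a sibling subdomain, a
    look-alike host, or a downgraded connection receive the password."""
    saved_host = urlsplit(entry["site"]).hostname or ""
    page_host = urlsplit(page_url).hostname or ""
    return saved_host in page_host


def strict_match(page_url: str, entry: dict) -> bool:
    """Hardened rule: the page must be served over HTTPS and its host must
    equal the saved host exactly. Credentials saved for one host are never
    offered to another subdomain or to a host that merely contains the name."""
    page = urlsplit(page_url)
    saved = urlsplit(entry["site"])
    if page.scheme != "https":
        return False  # never autofill over HTTP, so a downgrade yields nothing
    return (page.hostname or "") == (saved.hostname or "")


def autofill(page_url: str, matcher=strict_match) -> list:
    """Return the credentials a browser integration would offer for page_url."""
    return [entry for entry in VAULT if matcher(page_url, entry)]


if __name__ == "__main__":
    # Constructed URLs: the genuine site, a sibling subdomain, a look-alike
    # host under another domain, and the genuine site over plain HTTP.
    pages = [
        "https://example.com/login",
        "https://user-pages.example.com/",
        "https://example.com.attacker-controlled.test/",
        "http://example.com/login",
    ]
    for url in pages:
        print(f"{url:50} naive={naive_match(url, VAULT[0])!s:5} strict={strict_match(url, VAULT[0])}")
```

Only the first URL passes the strict rule; the other three are exactly the cases the report’s subdomain-leakage and HTTPS-downgrade findings describe. A real implementation that wants to share credentials across subdomains should do so only by explicit, per-entry user choice, never by default.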
The good news is that all the issues were fixed before the security researchers went public with their findings, although the findings are still likely to make unpleasant reading for users.
While most of the app developers were quick to fix the issues highlighted by TeamSIK [within one week], Avast took the longest to fix the three issues discovered in its app.
If you use any of the aforementioned password managers, it is recommended that you update to the latest version of the app immediately.
Here is a full rundown of all the issues found in the password managers:
My Passwords:
  - Read Private Data of My Passwords App
  - Master Password Decryption of My Passwords App
  - Free Premium Features Unlock for My Passwords

1Password – Password Manager:
  - Subdomain Password Leakage in 1Password Internal Browser
  - HTTPS downgrade to HTTP URL by default in 1Password Internal Browser
  - Titles and URLs Not Encrypted in 1Password Database
  - Read Private Data From App Folder in 1Password Manager
  - Privacy Issue, Information Leaked to Vendor 1Password Manager

LastPass Password Manager:
  - Hardcoded Master Key in LastPass Password Manager
  - Privacy, Data leakage in LastPass Browser Search
  - Read Private Data (Stored Master password) from LastPass Password Manager

Informaticore Password Manager:
  - Insecure Credential Storage in Microsoft Password Manager

Keeper Password Manager:
  - Keeper Password Manager Security Question Bypass
  - Keeper Password Manager Data Injection without Master Password

Dashlane Password Manager:
  - Read Private Data From App Folder in Dashlane Password Manager
  - Google Search Information Leakage in Dashlane Password Manager Browser
  - Residue Attack Extracting Master Password From Dashlane Password Manager
  - Subdomain Password Leakage in Internal Dashlane Password Manager Browser

F-Secure KEY Password Manager:
  - F-Secure KEY Password Manager Insecure Credential Storage

Hide Pictures Keepsafe Vault:
  - Keepsafe Plaintext Password Storage

Avast Passwords:
  - App Password Stealing from Avast Password Manager
  - Insecure Default URLs for Popular Sites in Avast Password Manager
  - Broken Secure Communication Implementation in Avast Password Manager