Not all they’re cracked up to be? Several password vaults contain vulnerabilities, both new and previously disclosed but never patched, a study says

Several popular password managers contain security vulnerabilities that could be exploited to breach the walls that are supposed to keep your passwords safe, according to researchers from the University of York.

After considering a pool of 19 password managers, the academics chose to test LastPass, Dashlane, Keeper, 1Password, and RoboForm based on their popularity and features. They uncovered a total of four new vulnerabilities, including a flaw both in the 1Password and LastPass Android applications that made them susceptible to phishing attacks. The vulnerability is caused by their use of weak matching criteria for identifying which of the stored credentials should be suggested for autofill.

“Our study shows that a phishing attack from a malicious app is highly feasible – if a victim is tricked into installing a malicious app it will be able to present itself as a legitimate option on the autofill prompt and have a high chance of success,” said Dr. Siamak Shahandashti from the Department of Computer Science at the University of York. He went on to add that, in order to remedy the situation, the password vaults should add stricter matching criteria that aren’t based just on “an app’s purported package name”.

The researchers also discovered that the Android applications of both RoboForm and Dashlane are susceptible to PIN brute force attacks. This flaw allows endless attempts at entering the master PIN that may ultimately unlock the password vaults.

“Through extrapolation of manual testing, it is estimated that even a manual random guessing attack is on average expected to find a randomly selected PIN in 2.5 hours,” the researchers explained, adding that factoring in additional variables can significantly reduce the time it takes to break the PIN.

The tools’ respective vendors were duly notified about the newly discovered vulnerabilities. “Some were fixed immediately while others were deemed low priority,” said Michael Carr, the lead author of the study.

In addition, the password managers also underwent rigorous testing against six previously disclosed vulnerabilities to see if the security holes had been plugged. The test showed that all except one of the password managers were susceptible to URL mismatch, and all of them were vulnerable to Ignoring Subdomains and HTTP(S) Autofill exploits. Dashlane fared the worst, as it was vulnerable to five out of the six vulnerabilities disclosed earlier.

Although the team admitted that “rigorous security models and canonical security tests for password managers” are needed, they still recommend their use to businesses and individuals alike, as they continue to be a more secure and useable option than resorting to password recycling or trying to memorize them all.

Food for thought, since people continue to make questionable choices when choosing passwords to protect their data, as can be evidenced by the fact that “12345” and similarly easy-to-hack passwords remain popular choices for many netizens.