Popular password managers can get hacked: Should you keep using them?
Some password managers have improved their security since these flaws were discovered.
It's ironic, isn't it? Popular password managers like 1Password and LastPass were created to help users increase their internet security, but researchers have found security flaws in these apps that counteract their core purpose.
Password managers allow users to generate strong passwords and store them in a "secure" vault with one master password or PIN. Five of those password managers -- Dashlane, Keeper, LastPass, 1Password and RoboForm -- were analyzed in an investigation conducted by Michael Carr and Siamak F. Shashandashti of England's University of York.
- Critical Windows 10 security flaw discovered by NSA: What to do now
- Have you noticed a surge in phishing emails since the coronavirus outbreak? We have, too!
- Fake COVID-19 apps are spreading malware: How to protect your PC
Unfortunately, as Tom's Guide reported, the research duo found that all five password managers had security vulnerabilities that could allow hackers to swipe users' passwords from Android phones and Chrome extensions.
"After creating a malicious app to impersonate a legitimate Google app, they were able to fool two out of five of the password managers they tested into giving away a password," researchers at the University of York wrote in a report.
In other words, researchers were able to trick password managers into relinquishing users' passwords by posing as a fake app. This security flaw is caused by weak criteria for vetting the legitimacy of apps.
Some password managers fared better than others but researchers concluded that Dashlane was the worst. The app was vulnerable to seven different security flaws the researchers tested. 1Password, on the other hand, had the fewest flaws -- "just" five.
DashLane defended itself against the research study, refuting a section that accused the company of not locking user accounts after a set number of incorrect PIN entries. The study cited concerns over brute-force attacks -- a hacking method that activates up to 10,000 PIN attempts until there's a match.
Stay in the know with Laptop Mag
Get our in-depth reviews, helpful tips, great deals, and the biggest news stories delivered to your inbox.
"We do not enable the PIN code by default or recommend using it, although some of our customers prefer to use it. It is less secure than a proper master password, which we do recommend," DashLane told Tom's Guide.
DashLane isn't the only app to speak out against the study. All five password managers told Tom's Guide that the research study was conducted two to three years ago, and many of the security flaws described in the paper have since been fixed.
At this point, the critical question remains: should you continue using a password manager? According to researchers, the answer -- surprisingly -- is yes.
"We would still advise individuals and companies to use them as they remain a more secure and usable option," the University of York news posting concluded. "While it's not impossible, hackers would have to launch a fairly sophisticated attack to access the [password managers'] information they store."
Kimberly Gedeon, holding a Master's degree in International Journalism, launched her career as a journalist for MadameNoire's business beat in 2013. She loved translating stuffy stories about the economy, personal finance and investing into digestible, easy-to-understand, entertaining stories for young women of color. During her time on the business beat, she discovered her passion for tech as she dove into articles about tech entrepreneurship, the Consumer Electronics Show (CES) and the latest tablets. After eight years of freelancing, dabbling in a myriad of beats, she's finally found a home at Laptop Mag that accepts her as the crypto-addicted, virtual reality-loving, investing-focused, tech-fascinated nerd she is. Woot!