Six of the Biggest Problems with Password Managers
Passwords are riddled with issues, both in terms of security and usability. We've already discussed phishing and account takeover, but now we'll look at the problem from the user's perspective. Users are frequently expected to create dozens of passwords for their various accounts, which frustrates them and costs productivity every time they need to authenticate.
This tends to end one of two ways, and often both: the user painstakingly creates a new password for each account and soon forgets it, or they reuse the same password across many sites, which is a serious security risk. Even after a confirmed breach, over 65% of users still use the same passwords for several accounts and seldom update them. Meanwhile, 25% of users reset their passwords at least once a month because they have forgotten them. These resets cost businesses money and effort, and they annoy customers.
Password managers have emerged as an alternative to keeping track of every password used across the digital world. They store passwords in an encrypted vault that only a properly authorized user can open. Although having a digital assistant remember your account passwords may sound appealing, password managers come with a number of drawbacks.
1. The Master Password
Passwords are the very problem password managers are meant to solve, so how do you get into one in the first place? With another password: you log in using a "master" password. In effect, all the separate passwords you use online are consolidated behind a single one.
Although this is more user-friendly, it leaves open one of the central issues with password managers: the master password itself can be compromised. If it is stolen, the attacker gains access to all of your accounts rather than just the one they were targeting. This was the case when attackers used email addresses and passwords from third-party breaches to mount a credential stuffing attack against users of the well-known LastPass password manager.
2. Susceptibility to Hacking
As with almost any other program or website, significant defects or coding errors can give attackers access to a password manager and the passwords it holds. In 2019, security holes were discovered in five of the most popular password managers that allowed credentials to be read out of a computer's memory. A more recent incident exploited a flaw in the password management software itself and used it as a springboard to attack PCs that had the program installed.
Attackers can also gain unauthorized access to password managers through common techniques such as man-in-the-middle attacks, session token theft, or keylogging malware. The distinctive problem with password managers is that once an attacker is in, they can reach every part of your online identity.
3. Locked Out Recovery
Another issue is that accessing your account requires a master password on top of secure authentication. This creates two problems. First, a user who completely forgets their master password is locked out of their password manager indefinitely, and with it out of the email and other recovery accounts whose passwords it holds.
Second, an attacker who has compromised your email account can simply abuse the recovery process, which works by sending a link to that account. By resetting your master password they take control of the password manager, and with it the passwords for all of your other accounts.
4. Phishing
Attackers can phish password manager credentials just as they phish credentials for any other authentication procedure. The particular issue with password managers is that attackers have every reason to concentrate their effort on phishing your master password, because they know how valuable the data stored inside (all of your passwords) is. Attackers have also developed ways around two-factor authentication on accounts that use it.
Additionally, although password managers should not automatically fill authentication forms on phony phishing websites, they still offer the option to enter your credentials there, as one security researcher has detailed. One of the main purported advantages of password managers is thereby undermined.
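As an added example (not code from the original article or from any password manager product), here is the check a manager should run before offering a fill: it compares the saved origin with the page origin exactly, so lookalike phishing hosts, subdomains and plain-http pages never match. The sample vault and hostnames are constructed.

```javascript
// Origin-bound autofill: a saved login is offered only on the exact origin it was
// saved on. Constructed sample vault; not from any real product.
const VAULT = [
  { origin: "https://accounts.example.com", username: "alice" },
  { origin: "https://shop.example.com", username: "alice@example.com" },
];

// Reduce a page URL to its origin. Only https is accepted: a manager must not fill
// credentials on plain http, where the login form could have been injected in transit.
function pageOrigin(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return null; // unparseable URL: offer nothing
  }
  if (url.protocol !== "https:" || url.hostname === "") return null;
  return url.origin; // scheme://host[:non-default-port], host lowercased
}

// Return only credentials whose saved origin equals the page origin exactly.
// Equality, not substring or suffix matching, is what keeps hosts such as
// accounts.example.com.evil.net or login.accounts.example.com from receiving a fill.
function credentialsFor(vault, rawUrl) {
  const want = pageOrigin(rawUrl);
  if (want === null) return [];
  return vault.filter((c) => pageOrigin(c.origin) === want);
}

// Usage: the first URL matches; the lookalike, the subdomain and the http page do not.
for (const u of [
  "https://accounts.example.com/login?next=/",
  "https://accounts.example.com.evil.net/login",
  "https://login.accounts.example.com/",
  "http://accounts.example.com/login",
]) {
  console.log(u, "->", credentialsFor(VAULT, u).length);
}
```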
5. Insecure Password Usage
Password managers may also end up managing passwords that were never secure in the first place. Although many password managers can generate secure passwords for websites, research indicates that only about 20% of users use Chrome's password generator, and roughly 50% use the generator built into their third-party password manager.
So although the passwords are stored in a password manager, they still carry the usual weaknesses of human-chosen passwords: easily guessed dictionary words, insufficient length, missing symbols or numbers, and reuse across many websites. With weak passwords in the vault, any of these accounts can still be compromised through phishing, MitM, credential stuffing, and other credential attacks.
6. Password Manager Safety
Most password managers advertise a "zero-knowledge" design in which passwords are encrypted before they leave your device. Because the data is stored encrypted, typically with AES-256, the provider itself cannot decrypt it, which means a breach of the provider's servers should not expose usable client data. However, a few years ago the password manager OneLogin suffered an attack that allowed the intruders to decrypt and access client data.
Furthermore, as in most attacks that target the point of access, encryption does not help a user once an attacker gets past their authentication. Password managers share the drawbacks of every other account authentication method, and a user whose manager is compromised is exposed across all of their accounts.