Vulnerabilities Found In Multiple Password Managers

Common advice to web users is to always use a unique password for each online account. By doing so, all of your accounts aren’t compromised if someone else learns one of your passwords. The main complaint that accompanies this advice, however, is that it’s impossible to remember dozens of passwords and which account they each go to. That’s why password managers have become so popular recently. A password manager stores your log-in credentials for any site and encrypts them. Users are able to access their passwords, or have the password manager log-in for them, by using one master password. As Zeljka Zorz reports at Help Net Security, however, this introduces more problems if the password manager itself is insecure.

A group of researchers at the University of California-Berkley set-out to test some of the most popular password managers available to find any vulnerabilities that would lead to a user’s log-in credentials being compromised. The five managers tested, LastPass, RoboForm, My1Login, PasswordBox and NeedMyPassword, all contained some form of vulnerability.

The vulnerabilities were found in different features of the products and the root causes of each also were different for each vulnerability.

After the flaws were reported, however, all but NeedMyPassword responded and fixed the issues within a few days. It should also be noted that the vulnerabilities found by the researchers have no evidence of being exploited in the wild. This means that while the potential for an attack existed, no attackers had found it before it was discovered and patched.

That’s an important characteristic of any application. While vulnerabilities are unavoidable, being proactive in finding them and fixing them before they’re exploited is vital.

For users, the news that password managers contain vulnerabilities is no reason to avoid them. It is important to keep track of the news of potential attacks and regularly change your master password, however.

Many attacks that compromise online accounts stem from malware that’s infected your device. For help recovering from an attack, cleaning your system or creating a more secure environment, call Geek Rescue at 918-369-4335.