4 Reasons Password Managers Are Not Safe, And What to Use Instead
May 23, 2023
Can any password manager guarantee 100% account safety? History suggests not. From Norton LifeLock and Passwordstate to the “catastrophic” hack on LastPass, most password manager providers have experienced a security breach.
More and more password manager users are aware of this. And, although pessimistic, the view that “it’s only a matter of time” before a breach happens is not wrong. The industry wouldn’t be so eager to move to passwordless authentication if it were.
But while passwordless authentication is not (yet) possible, you can take action to secure your passwords. Here’s what you need to know.
Password Managers: Better Than Your Memory, But Still Hackable
When we rely on remembering passwords, we tend to use memorable ones instead of strong passwords. After all, who can remember multiple combinations of letters, numbers, and special characters? Password managers are a much better option. However, that doesn’t mean they are foolproof.
Password managers might make you more likely to use strong passwords, but they also create a single point of failure. If a threat actor manages to compromise your password manager, they can gain access to all of your passwords at once. Not a nice thought.
So how do password manager hacks happen? Here are four ways.
Credential stuffing attacks
Password managers protect access to a password vault, where all of your stored passwords live, with a single master password.
If a threat actor obtains your master password, your password vault (and every password stored in it) is exposed. You would therefore expect most people to choose a strong master password, i.e., one that is unique, long, and preferably complex. That’s certainly the recommendation.
Unfortunately, just as the vast majority of people choose weak passwords most of the time, many password manager users choose easy-to-crack master passwords. For example, in a 2022 survey, 25% of password manager users said they reuse their master password for other account logins (up from 19% in 2021).
This means that unless a password vault is protected by more than just a master password, a data breach somewhere else could give attackers access to a user’s entire digital life.
This is what happened to some 8,000 Norton Password Manager customers. Late last year, an unauthorized hacker tried to log in to Norton customer accounts using a list of credentials acquired from another source. Users who had reused passwords saw their accounts breached.
The logical solution is to use multi-factor authentication (MFA). But as we discuss in another blog post, MFA can also be bypassed.
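The Norton incident above is the textbook credential-stuffing signature: one source trying a list of leaked username/password pairs against many accounts, with the handful that succeed belonging to users who reused a password. The following is an added detection example (not IronVest's or any vendor's code) that runs this heuristic over constructed login-audit lines in a hypothetical "timestamp ip username result" format and reports both the suspicious source and the accounts that should be force-reset.

```python
# Added example (not IronVest's or any vendor's code): flag the credential-stuffing
# pattern in constructed login-audit lines: one source trying many distinct
# usernames in a short window with few successes; those successes are the
# accounts whose owners reused a breached password and need a forced reset.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical "timestamp ip username result" format.
SAMPLE_LOG = """\
2023-05-01T10:00:01Z 203.0.113.7 alice FAIL
2023-05-01T10:00:02Z 203.0.113.7 bob FAIL
2023-05-01T10:00:02Z 203.0.113.7 carol FAIL
2023-05-01T10:00:03Z 203.0.113.7 dave FAIL
2023-05-01T10:00:03Z 203.0.113.7 erin OK
2023-05-01T10:00:04Z 203.0.113.7 frank FAIL
2023-05-01T10:05:00Z 198.51.100.9 alice FAIL
2023-05-01T10:05:30Z 198.51.100.9 alice FAIL
2023-05-01T10:06:00Z 198.51.100.9 alice OK
"""

def parse(text):
    """Turn log text into (timestamp, ip, user, success) tuples."""
    events = []
    for line in filter(str.strip, text.splitlines()):
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "OK"))
    return events

def detect_stuffing(events, window=timedelta(minutes=5), min_users=5, max_success_rate=0.5):
    """Return {ip: summary} for sources whose activity looks like stuffing."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):  # sliding window over time-ordered events
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {u for _, u, _ in win}
            hits = sorted(u for _, u, ok in win if ok)  # logins that succeeded
            if len(users) >= min_users and len(hits) / len(win) <= max_success_rate:
                best = flagged.get(ip)
                if best is None or len(users) > best["distinct_users"]:  # keep widest window
                    flagged[ip] = {"distinct_users": len(users), "attempts": len(win),
                                   "compromised": hits}
    return flagged
```

The second source (198.51.100.9) hammers a single account and is not flagged by this rule; that is a brute-force pattern and needs a different threshold (many attempts per user), which is why the two detections are usually kept separate.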
Even complex passwords can be compromised. If an attacker can trick a victim into downloading a type of malware known as a “Trojan horse program,” they can steal their unique passwords.
One of the earliest well-known trojans targeting password managers was the Citadel trojan. This trojan keylogged master passwords as infected users logged into their password managers in 2014.
As more people turn to password managers to manage their credentials, threat actors create new trojans designed to target password managers.
Recent examples include:
Arkei Infostealer, which targets the Trezor password manager.
Raccoon Stealer, which targets 1Password and Bitwarden.
Stealc, which targets 13 different password managers.
Luca Stealer trojan, which targets 17(!) password managers.
In all cases, threat actors steal passwords one by one rather than in one go.
While most malware is delivered through social engineering, it can also happen through vulnerable software. In 2021, cybercriminals compromised the update mechanism of Passwordstate, an enterprise password manager, which led to some users downloading the info-stealing malware Moserpass.
Cybercriminals can also target password manager users with phishing campaigns that attempt to steal their master passwords.
The reward here can be so big that scammers are actually paying for advertisements that show their social engineering campaigns to as many people as possible.
For example, earlier this year, threat actors used malicious Google ads to bring users searching for 1Password and Bitwarden’s web vaults on Google to spoofed phishing sites. These phishing sites were so well made they were hard to tell apart from the official password manager login pages. At least some users fell for these fake sites, inadvertently revealing their master passwords to bad actors.
It’s not just master passwords that are vulnerable to phishing attacks. Cybercriminals also try to steal passwords to specific accounts by targeting victims with links to fake versions of websites like popular e-commerce stores or social media sites.
Technically, if a user has the auto-login or auto-fill feature enabled (common functionality in many password managers), these attacks should not work—the password manager will not autofill a user’s passwords on a bogus site, because the site’s address does not match the saved entry. However, in 2020, cybersecurity researchers found a way to circumvent this security feature.
What happens more often is that users don’t realize the site is fake, assume the password manager has temporarily stopped working, and copy and paste their password into the malicious site.
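The protection described above rests on the password manager comparing the page it is on with the entry it saved. The following is an added example (not any vendor's implementation) of that strict origin comparison, using a constructed vault entry for the placeholder host vault.example.com and a set of lookalike pages; it shows why a spoofed domain, a subdomain, a downgraded scheme, a different port or a homograph host all get nothing filled in.

```python
# Added example (not any vendor's code): the strict origin comparison a password
# manager's autofill applies before releasing a stored credential. The page URL
# must match the saved entry on scheme, host and port exactly, so lookalike
# domains, subdomain tricks and homograph hosts get nothing filled in.
from urllib.parse import urlsplit

def canonical_origin(url):
    """Return (scheme, host, port) or None; host is lowercase, IDNA-encoded, no trailing dot."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
        host = parts.hostname.rstrip(".").encode("idna").decode("ascii")  # homographs become xn--...
    except ValueError:  # malformed port such as ":99999" or an un-encodable host
        return None
    return (parts.scheme, host, port)

def should_autofill(stored_url, page_url, allow_http=False):
    """True only when the page is the exact origin the credential was saved for."""
    stored, page = canonical_origin(stored_url), canonical_origin(page_url)
    if stored is None or page is None:
        return False
    if page[0] != "https" and not allow_http:
        return False  # never release a vault secret to a plaintext HTTP page
    return stored == page

# Constructed cases: a credential saved for the placeholder host vault.example.com
STORED = "https://vault.example.com/login"
CASES = {
    "https://vault.example.com/account": True,              # same origin, different path
    "https://VAULT.example.com./": True,                    # case and trailing dot are not differences
    "https://vault.example.com.evil-example.test/": False,  # lookalike suffix
    "https://login.vault.example.com/": False,              # subdomain is a different origin
    "http://vault.example.com/": False,                     # downgraded scheme
    "https://vault.example.com:8443/": False,               # different port
    "https://vault.ex\u0430mple.com/": False,               # Cyrillic 'a' homograph
}

def check_all():
    """Evaluate every constructed page URL against the stored entry."""
    return {url: should_autofill(STORED, url) for url in CASES}
```

The last line of the story on this page is the real weak spot: none of these checks help once a user decides the manager is "not working" and pastes the password in by hand.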
Like all other software, password managers and the sites and services they use to deliver their service can also have vulnerabilities.
For example, a few years back, researchers found that several popular password managers, including Dashlane, LastPass, and 1Password, contained vulnerabilities. In one instance, the master passwords of Windows PC users were left in RAM in plaintext.
The researchers concluded that "It is evident that attempts are made to scrub sensitive memory in all password managers. However, each password manager fails in implementing proper secrets sanitization for various reasons."
In another recent example, a security researcher demonstrated a proof-of-concept attack on KeePass, a highly customizable open-source password manager. In it, he showed how KeePass’s system could be abused to exfiltrate users’ passwords in plain text. The National Institute of Standards & Technology has added the attack to its vulnerability database (CVE-2023-24055), although the KeePass founder has disputed its severity. The vulnerability has since been modified and is undergoing reanalysis.
IronVest: A More Secure Password Manager Alternative
More secure than even the best password managers, IronVest protects your online accounts wherever you go online.
Like a password manager, IronVest lets users import, create (including with a password generator), secure, and autofill their passwords on any online account or app. However, unlike a password manager, IronVest doesn’t rely on a master password.
Instead, IronVest uses zero-knowledge, decentralized biometric authentication technology to keep unauthorized individuals out of user accounts. This means that even if someone gets a hold of your credentials, they still could not log into any of your accounts because they could not prove that they are you.
On the other hand, logging into accounts is easy for legitimate users—IronVest auto-fills credentials with just your face biometrics right in the browser. Not only is this safer, but it also circumvents the common problem of password manager users forgetting their master passwords and ending up locked out of their accounts.
Another big difference between a typical password manager and IronVest is that our solution doesn’t just authenticate you once. Since most sensitive actions happen after initial login, we verify your identity even after you sign in, eliminating the risk of post-login attacks.
Our benefits don’t stop there.
We also offer stronger two-factor authentication (2FA) protection via our security virtual phone numbers, which are routed through IronVest, with 2FA codes revealed only after your identity is proven via biometrics. This means that your 2FA codes are tokenized and can’t be stolen through attacks like social engineering or SIM swap.
IronVest also allows you to keep your personal information safe with masked emails, phone numbers, and credit cards, and we also automatically block hidden web trackers that secretly collect your data.
Getting started is simple. Download our web browser extension and mobile app (compatible with iPhone and Android phones).