
Study Uncovers Major Security Flaws in Popular Password Managers


Major Security Flaws Discovered in Top Password Managers: Bitwarden, LastPass, and Dashlane

A study conducted by researchers from ETH Zurich and Università della Svizzera italiana has identified significant security vulnerabilities in three widely used cloud-based password managers: Bitwarden, LastPass, and Dashlane. These services collectively serve approximately 60 million users.

Widespread Vulnerabilities Uncovered

Researchers demonstrated 12 attacks on Bitwarden, 7 on LastPass, and 6 on Dashlane. To mount them, the team ran its own malicious servers standing in for a provider whose infrastructure has been breached or is itself dishonest. The attacks exploit the fact that the clients implicitly assume an honest server: a server that deviates from the expected client-server protocol can lead the client to hand over, accept, or act on data it should not.

The attacks ranged from compromising specific user vaults to complete read and write access to a user's passwords, and even compromising every vault within an organization. They are triggered by routine user interactions such as logging in, viewing a password, or synchronizing data, so the victim does nothing out of the ordinary.

'Zero-Knowledge' Promise Challenged

Many password manager providers advertise "zero-knowledge encryption" (in this context a term for end-to-end encryption in which the provider stores only ciphertext, not a reference to zero-knowledge proofs), assuring users that even the provider cannot read stored data. The study shows that this promise does not hold in precisely the setting it is meant to cover: a server that is compromised or deviates from the protocol can recover or modify vault contents.
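To make the threat model concrete, here is an added toy example (not code from the study or from any of the three products) of what a "zero-knowledge" vault has to guarantee against a server that deviates from the protocol, as described in the preceding sections. The client derives keys from the master password locally, uploads only authenticated ciphertext, and on sync verifies that what the server returns is the entry it asked for, unmodified, and not an older version. The Server class is a stand-in for a malicious provider; its "tamper" and "rollback" modes are two generic protocol deviations, not the specific attacks from the paper. The salt, iteration count, entry names and passwords are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Toy construction for illustration only; it is not any vendor's real protocol.
# Keys are derived on the client; the server only ever stores
# {id, version, nonce, ciphertext, tag}.

KDF_ITERATIONS = 600_000          # assumption: a floor the client enforces itself
DEMO_SALT = b"constructed-demo-salt"  # constructed; real clients use a random per-user salt


def derive_keys(master_password: str, salt: bytes) -> tuple[bytes, bytes]:
    """Client-side KDF: independent encryption and MAC keys from the master password."""
    km = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, KDF_ITERATIONS, dklen=64)
    return km[:32], km[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a stdlib-only stream cipher (toy, not AES-GCM)."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def seal(enc_key: bytes, mac_key: bytes, entry_id: str, version: int, plaintext: bytes) -> dict:
    """Encrypt-then-MAC; the tag also covers entry id and version as associated data."""
    nonce = secrets.token_bytes(16)
    ct = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    ad = f"{entry_id}|{version}".encode()
    tag = hmac.new(mac_key, ad + nonce + ct, hashlib.sha256).digest()
    return {"id": entry_id, "version": version, "nonce": nonce, "ct": ct, "tag": tag}


def open_entry(enc_key: bytes, mac_key: bytes, entry_id: str, min_version: int, record: dict) -> bytes:
    """Every check the client must do before trusting anything the server returned."""
    if record["id"] != entry_id:
        raise ValueError("mismatch: server returned a different entry than requested")
    ad = f"{record['id']}|{record['version']}".encode()
    tag = hmac.new(mac_key, ad + record["nonce"] + record["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, record["tag"]):
        raise ValueError("integrity: ciphertext or metadata modified by the server")
    if record["version"] < min_version:
        raise ValueError("rollback: server returned a version older than the client last wrote")
    return _xor(record["ct"], _keystream(enc_key, record["nonce"], len(record["ct"])))


class Server:
    """Storage that may deviate from the protocol; it never receives a key."""

    def __init__(self):
        self.store = {}        # entry_id -> every version ever uploaded
        self.mode = "honest"   # "honest", "tamper" or "rollback"

    def put(self, record: dict) -> None:
        self.store.setdefault(record["id"], []).append(record)

    def get(self, entry_id: str) -> dict:
        history = self.store[entry_id]
        if self.mode == "rollback":
            return history[0]                          # serve the oldest version
        rec = dict(history[-1])
        if self.mode == "tamper":
            rec["ct"] = bytes([rec["ct"][0] ^ 0x01]) + rec["ct"][1:]   # flip one ciphertext bit
        return rec


def run_scenarios(master_password: str = "correct horse battery staple") -> dict:
    """Sync the same entry from an honest, a tampering and a rolling-back server."""
    enc_key, mac_key = derive_keys(master_password, DEMO_SALT)
    server = Server()
    client_versions = {}   # highest version this client wrote; needed to spot rollback

    def save(entry_id: str, version: int, secret: bytes) -> None:
        server.put(seal(enc_key, mac_key, entry_id, version, secret))
        client_versions[entry_id] = version

    def load(entry_id: str) -> str:
        try:
            rec = server.get(entry_id)
            return open_entry(enc_key, mac_key, entry_id, client_versions[entry_id], rec).decode()
        except ValueError as err:
            return f"REJECTED: {err}"

    save("example.com", 1, b"old-password")
    save("example.com", 2, b"new-password")
    results = {}
    for mode in ("honest", "tamper", "rollback"):
        server.mode = mode
        results[mode] = load("example.com")
    # The provider holds only ciphertext for the latest version.
    results["server_sees_plaintext"] = b"new-password" in server.store["example.com"][-1]["ct"]
    return results
```

Two caveats a practitioner would want. Rollback detection here relies on the client remembering the last version it wrote, so a freshly set-up device cannot detect a rollback on its own; and the client must never take security parameters such as the KDF iteration count from the server without enforcing a local floor, since a server that can lower them has already broken the "only ciphertext" guarantee.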

Behind the Vulnerabilities: Complexity and Outdated Systems

The study was conducted by Matilda Backendal, Matteo Scarlata, Kenneth Paterson, and Giovanni Torrisi. Kenneth Paterson, Professor of Computer Science at ETH Zurich, said he was surprised by the severity of the vulnerabilities, noting that the end-to-end encryption used in commercial services had not previously been examined thoroughly.

Matteo Scarlata, a PhD student, attributed some of the vulnerabilities to complex code architecture. Providers often prioritize user-friendly features such as password recovery and account sharing; each of these adds key-handling paths between client and server, and, while convenient, significantly enlarges the attack surface.

Provider Response and Path Forward

Paterson's team reported the issues to the providers under a 90-day disclosure window. Most were cooperative, though some were slower to ship fixes. Discussions revealed that providers hesitate to change their cryptographic designs because a botched migration could lock users out of their own data. Alarmingly, some services still rely on cryptographic technology dating from the 1990s.

Recommendations for Providers

Researchers suggest a two-pronged approach for the industry:

  • Updating systems for new customers with modern cryptographic standards.
  • Offering existing users the option to migrate to more secure systems.

Recommendations for Users

For individual users, Professor Paterson recommends choosing password managers that:

  • Are transparent about security vulnerabilities.
  • Undergo external audits.
  • Enable end-to-end encryption by default.

Paterson emphasized the goal of encouraging the industry to communicate more clearly and precisely about the security guarantees their solutions offer.