Swiss researchers find password manager security gaps
A research team from the Swiss federal technology institute ETH Zurich has uncovered serious security flaws in password management systems.
Anyone who regularly uses online services quickly has hundreds of passwords, wrote Samuel Schlaefli for ETH News on Monday. It is difficult to memorise them all. Millions of people therefore rely on the help of a password manager.
A password manager stores all other passwords behind a single master password in a so-called vault. This simplifies access to sensitive data, such as bank accounts or online payment methods like credit cards. It also makes password managers a likely target for hacker attacks, said Kenneth Paterson, computer science professor at ETH Zurich.
Providers of password managers promise absolute security: the data is so well encrypted that even they have no access to it. Researchers at ETH Zurich have now been able to show that the encrypted data is not unreadable.
“The promise is that even if someone can access the server, this does not pose a security risk for customers,” said Matilda Backendal from the Università della Svizzera italiana in Lugano. “We have now been able to show that this is not true.”
Backendal conducted the study together with Matteo Scarlata, Kenneth Paterson and Giovanni Torrisi from the Applied Cryptography Research Group at the Institute for Information Security at ETH Zurich.
An ultimatum of ninety days
The research team was able to demonstrate attacks on the password managers of three popular providers – Bitwarden, Lastpass and Dashlane – whose services are used by around 60 million people worldwide. “We were surprised at how big the security gaps are,” said Paterson.
The research team gave the providers of the hacked systems 90 days to close the security gaps. The manufacturers were cooperative, although not all were equally quick to fix the gaps.
On Monday, researchers presented concrete proposals for better protection of the systems.
Adapted from German by AI/mga