Password managers offer less protection than promised

Researchers at ETH Zurich have discovered serious security vulnerabilities in three popular cloud-based password managers. In tests, they were able to view and even change saved passwords.


People who regularly use online services have between one hundred and two hundred passwords. Very few people can remember them. Password managers are therefore a great help: they grant access to all other passwords with a single master password. Most password managers are cloud-based.

This has the great advantage that you can access the passwords from different devices and also share them with friends or family members. The most important feature of such managers is security. After all, sensitive data is stored in their encrypted storage area - the so-called vault. This also includes access data to bank accounts and credit cards.

Most manufacturers therefore advertise their products with the promise of «zero knowledge encryption». This means they promise that the stored passwords are encrypted and that the manufacturers themselves have «zero knowledge» and no access to them. «The promise is that even if someone can access the server, this poses no security risk to customers because the data is encrypted and therefore unreadable,» explains Matilda Backendal. «We have now been able to show that this is not true.»

Backendal conducted the study together with Matteo Scarlata, Kenneth Paterson and Giovanni Torrisi from the Applied Cryptography Research Group at the Institute for Information Security at ETH Zurich. Backendal and Torrisi are currently working at the Università della Svizzera italiana in Lugano.

Full access to passwords

The team took a closer look at the security architecture of three popular password manager providers: Bitwarden, Lastpass and Dashlane. These have around 60 million users worldwide and a market share of 23 percent. The researchers demonstrated 12 attacks on Bitwarden, 7 on Lastpass and 6 on Dashlane. To do this, they set up their own servers, which behave in the same way as a hacked password manager server.

They assumed that the servers behave maliciously after an attack (malicious server threat model) and arbitrarily deviate from the expected behavior when interacting with clients, such as a web browser.

Their attacks ranged from integrity breaches of targeted user vaults to a complete compromise of all vaults of an organization using the service. In most cases, the researchers were able to gain access to the passwords - and even manipulate them.

To do this, they needed nothing more than simple interactions that users or their browsers routinely perform when using the password manager, such as logging into the account, opening the vault, displaying passwords or synchronizing data. «Due to the large amount of sensitive data, password managers are likely targets for skilled attackers who are able to penetrate the servers and launch attacks from there,» says Kenneth Paterson, computer science professor at ETH Zurich. Such attacks have already occurred in the past.
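As an added illustration of the malicious-server threat model described above (example code written for this page, not code from the ETH study or from Bitwarden, LastPass or Dashlane), the Python below models a compromised sync server that alters a stored vault entry. A client that protects the entry with confidentiality-only encryption decrypts the altered data without noticing; a client that uses encrypt-then-MAC, with the ciphertext bound to the owning account, detects the change and refuses it. The PBKDF2 key derivation, the toy HMAC-based keystream standing in for a real cipher, the salt, the entry contents and the account identifier are all constructed assumptions for the demo.

```python
"""Malicious-server threat model illustrated on vault entries.

Added example; not code from the ETH study or any password manager product.
The cipher is a toy counter-mode keystream built from HMAC-SHA256 so the script
needs only the standard library; a real client would use AES-GCM or similar.
Salt, entry contents and account id are constructed values.
"""
import hashlib
import hmac
import secrets

KDF_ITERATIONS = 100_000  # assumption: kept modest so the demo runs quickly
NONCE_LEN = 16
TAG_LEN = 32


def derive_keys(master_password: str, salt: bytes) -> tuple[bytes, bytes]:
    """Stretch the master password into independent encryption and MAC keys."""
    material = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), salt, KDF_ITERATIONS, dklen=64
    )
    return material[:32], material[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: HMAC(key, nonce || counter), one 32-byte block per counter."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# --- Legacy design: confidentiality only, nothing protects integrity ---------
def seal_unauthenticated(enc_key: bytes, entry: bytes) -> bytes:
    nonce = secrets.token_bytes(NONCE_LEN)
    return nonce + _xor(entry, _keystream(enc_key, nonce, len(entry)))


def open_unauthenticated(enc_key: bytes, blob: bytes) -> bytes:
    """Decrypts whatever the server sends; tampering cannot be noticed."""
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return _xor(ct, _keystream(enc_key, nonce, len(ct)))


# --- Hardened design: encrypt-then-MAC, bound to the owning account ----------
def seal_authenticated(enc_key: bytes, mac_key: bytes, entry: bytes, account_id: bytes) -> bytes:
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = _xor(entry, _keystream(enc_key, nonce, len(entry)))
    # The tag also covers the account id, so the server cannot serve one user's
    # blob to another account without the check failing.
    tag = hmac.new(mac_key, account_id + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_authenticated(enc_key: bytes, mac_key: bytes, blob: bytes, account_id: bytes) -> bytes:
    """Verifies the tag before decrypting; any server-side change is rejected."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, account_id + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("vault integrity check failed: rejecting server data")
    return _xor(ct, _keystream(enc_key, nonce, len(ct)))


def malicious_server_tamper(blob: bytes, offset: int) -> bytes:
    """A compromised sync server flips one bit of the stored blob at `offset`."""
    tampered = bytearray(blob)
    tampered[offset] ^= 0x01
    return bytes(tampered)


def demo(master_password: str = "correct horse battery staple") -> dict:
    salt = b"constructed-salt"  # constructed; real clients use a random per-user salt
    enc_key, mac_key = derive_keys(master_password, salt)
    account_id = b"user:alice"          # constructed
    entry = b"bank.example\x00hunter2"  # constructed site/password record

    legacy = seal_unauthenticated(enc_key, entry)
    hardened = seal_authenticated(enc_key, mac_key, entry, account_id)

    # The server flips a bit in the last ciphertext byte of each blob: for the
    # legacy blob that silently changes the last password character; for the
    # hardened blob the tag no longer matches and the client refuses the data.
    last_ct = NONCE_LEN + len(entry) - 1
    result = {
        "legacy_roundtrip_ok": open_unauthenticated(enc_key, legacy) == entry,
        "hardened_roundtrip_ok": open_authenticated(enc_key, mac_key, hardened, account_id) == entry,
        "legacy_tampered_decrypts_to": open_unauthenticated(
            enc_key, malicious_server_tamper(legacy, last_ct)),
    }
    try:
        open_authenticated(enc_key, mac_key, malicious_server_tamper(hardened, last_ct), account_id)
        result["hardened_rejected_tampering"] = False
    except ValueError:
        result["hardened_rejected_tampering"] = True
    try:  # the server serving alice's blob under bob's account is caught as well
        open_authenticated(enc_key, mac_key, hardened, b"user:bob")
        result["hardened_rejected_account_swap"] = False
    except ValueError:
        result["hardened_rejected_account_swap"] = True
    return result


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The legacy path returns `b"bank.example\x00hunter3"` for the tampered blob and gives the client no signal that anything changed, which is the kind of vault integrity breach the article describes; the hardened path raises on both the modified blob and the cross-account swap. The point for a defender is that a zero-knowledge claim covers confidentiality only; integrity against the server requires authenticated encryption and binding ciphertexts to their context.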

Confusing code

«We were surprised at how big the security gaps were,» says Paterson. His team had already discovered similar gaps in other cloud-based services, but assumed that the security standard was significantly higher due to the critical data in password managers. «As end-to-end encryption is still relatively new for commercial services, it seems that no one had ever looked at this in detail.»

Matteo Scarlata, a doctoral student in the Applied Cryptography research group, carried out some of the attacks. When he started analyzing the code of the various managers, he quickly came across some very bizarre code architectures.

The companies are trying to offer their customers the most user-friendly service possible, for example the option of recovering passwords or sharing their own account with family members, he says.

«This makes the codes more complex and confusing, and the potential points of attack for hackers increase,» explains Scarlata. «Such attacks don't require particularly powerful computers and servers, just small programs that can be used to simulate a false identity for the server.»

As is usual with «friendly» attacks, Paterson's team contacted the providers of the affected systems before publishing the findings. They had 90 days to close the security gaps. «The vendors were mostly cooperative and grateful, but not all were equally quick to fix the vulnerabilities,» says Paterson.

The exchange with the developers of password managers has shown that they are very reluctant to update their systems because they are afraid that their customers could lose access to their passwords and other personal data. In addition to millions of private individuals, customers also include thousands of companies that entrust their entire password management to the providers. You can imagine what would happen if they suddenly no longer had access to their data. That's why many providers are sticking with cryptographic technologies from the 1990s, even though they are long outdated, says Scarlata.

Bringing systems up to date with the latest cryptography

The researchers have now made concrete suggestions as to how the systems could be better secured. Scarlata suggests updating the cryptographic systems for new customers. Existing customers could then choose for themselves whether they want to migrate to the new, more secure system and transfer their passwords to it or whether they want to stay with the old system - in full knowledge of the existing security gaps.

And what can the millions of people who rely on their password manager every day to benefit from online services do? Paterson advises choosing a manager that is open about potential security vulnerabilities, is externally audited and at least has end-to-end encryption switched on by default.

«With our work, we want to ensure that something changes in this industry,» says Paterson. «Password manager providers should not make false security promises to customers, but should communicate more clearly and precisely what security guarantees their solutions actually offer.»

Source: ETH

