Over the past few months, several leading password managers have been victims of hacking and data breaches. For instance, LastPass, which experienced a massive breach last year, recently announced again that the company’s password vault has been stolen. And thanks to the bad practice of reusing passwords too often, Norton LifeLock also reported compromises to its password manager.
Why are password managers so attractive to cybercriminals? It’s simple. Password managers hold the “keys to the castle.” If a password manager gets compromised, attackers gain access to all stored passwords at once, which means they can walk into any secured environment or impersonate any user, circumventing all cybersecurity defenses. The market for password managers is growing rapidly, and attackers will target anything that can get more bang for their buck.
Attractive Targets
Some of the most common ways password managers are being hacked include:
1. Malware-Targeting Password Managers
Malware programs have been targeting password managers for the last several years. In 2014, malware called Citadel, designed to target password managers, became notorious for having compromised one in 500 PCs worldwide. However, back then, only a small number of users used a password manager. Today, the average person needs to remember upward of 100 passwords, which is why the market for password managers and the malware market for targeting them are both growing.
For example, the attack on the Solana blockchain last year that resulted in a $7 million heist was caused by malware that targeted crypto wallets and password managers called Luca Stealer; another Trojan, dubbed StealC, specifically targets browser extensions and authenticators by password managers; password stealers targeting Web browsers have also been around for decades.
2. Phishing Attacks Against Password Managers
Phishing attacks targeting password managers are on the rise. For example, in January 2023, researchers came across Google Ads that were redirecting victims to fake Bitwarden and 1Password pages, trying to steal their master credentials. What’s more, customers of password managers such as LastPass, who have already had their credentials exposed in an earlier data leak, are at an increased risk of scams and phishing attacks. Attackers know their email addresses, phone numbers, and the online services they use, and therefore they can be easily targeted using a variety of phishing techniques.
3. Software Vulnerabilities in Password Managers
Just like all other forms of software, password managers are prone to vulnerabilities. Recently, researchers reported a vulnerability in KeePass that could allow attackers to export all usernames and passwords in clear text. Earlier this year, Google discovered that popular password managers such as Dashlane, Bitwarden, and Apple’s Safari browser password manager can all be manipulated into auto-filling passwords on untrusted pages.
4. Credential-Stuffing Attacks Using Leaked Credentials
Credential-stuffing attacks are becoming increasingly common. This is a type of attack where threat actors leverage previously leaked credentials (nearly 25 billion of these are for sale on underground marketplaces) to gain unauthorized access into websites, applications, and networks. Most password managers have a “master password” to access all credentials, and since 65% of users reuse their passwords across different websites, it’s possible that attackers use brute-force techniques or make educated guesses on the possible password combinations. Late last year, LastPass confirmed a credential-stuffing attack against some of its users.
Do Password Managers Make Sense in 2023?
The benefits of having a password manager far outweigh the risks. Password managers help mitigate two of the biggest risks for users and businesses — weak credentials and password reuse. Yes, attacks on password managers are on the rise, but the probability of a business being attacked due to poor credentials or password reuse is much higher than the likelihood of a password manager getting hacked.
There are a number of things organizations can do to mitigate the risks of password managers:
- Security-train employees: Most password-stealing malware gets installed when users get phished or social engineered — users download, click, or open something they shouldn’t have. This is why it is extremely important for organizations to instill secure behavior in employees (alertness, strong passwords, safe browsing, responsible use of social media, not trusting anything at face value, etc.) so they don’t fall victim to a phishing attack.
- Patch regularly: Make sure you patch all your software and systems regularly. Unpatched software is the second-biggest reason password-stealing Trojans get installed on computers. Ensure you check and install all critical patches, especially the ones that are featured on CISA’s Known Exploited Vulnerability Catalog.
- Use phishing-resistant multifactor authentication: Use phishing-resistant MFA or passwordless options wherever you can. Not just to protect the master password on your password manager, but also on all of your critical websites, applications, and services.
- Check password-dump websites for leaked credentials: Check online leaked-password websites (such as haveibeenpwned.com) or take breach password tests to ascertain if any of your credentials are floating around in online databases.
- Use a good password manager: Use password managers that deploy strong encryption; that follow secure development life cycle (SDLC) programming; are responsive, transparent, and responsible to their customers; and that promote security features such as MFA, passwordless options, contextual features (user gets locked out if it’s an unknown device or location), and phishing-detection capabilities.
Are password managers foolproof? Nope. But nothing is these days. The operating systems we use, the devices and applications we use — everything is hackable. Password managers come with some great benefits — they can tell you if your password is strong or not, they prevent you from reusing your password, some can stop you from entering credentials into bogus URLs, and some will even alert you when a website gets compromised.
As long as organizations follow the above tips and best practices, password managers can prove to be a vital tool in the defense arsenal of any organization.
Source: www.darkreading.com