In these hyper-connected times, many of us are logged on to several online services throughout the day. In a 2014 report on the use of mobile apps, Nielsen researchers found that the average smartphone owner uses about 26 apps per month. Considering that the most popular apps – from social networks like Facebook to email applications like Gmail to even banking apps – are frequently used throughout the day, it’s reasonable to assume that most people are regularly connecting to multiple online services every single day.
While these apps typically remember passwords, every now and then an update means recalling multiple passwords across multiple accounts. It’s a privacy challenge we all face: How do we keep our accounts protected without constantly forgetting — and having to reset — our passwords?
In response, a number of firms have launched password managers that encrypt and store a customer’s various passwords, allowing access to them upon logging in to a single, protected account.
Password management vendors, aware that security is an obvious concern, assure their customers that their information is secured with protections that are “state-of-the-art” or “military-grade.” But recently, researchers at TeamSIK have taken issue with these claims, finding a variety of alarming vulnerabilities in the most widely used password manager apps available on the Google Play Store.
The security issues that TeamSIK reported with password managers included:
- Implementation flaws leaving master keys exposed in plain text or hard-coded into the program
- Vulnerability to malware that extracts passwords in plain text
- Vulnerability to residue attacks
- Failure to clean up the clipboard after it’s used for password entry
- Poorly secured additional features, such as auto-fill capabilities and dedicated browsers
After TeamSIK published its report, all of the mentioned vendors fixed their documented vulnerabilities. But the cyber security industry realized the event had far-reaching implications.
While the kinds of security flaws that TeamSIK discovered certainly challenge trust in password managers, analysts have pointed out that the alternatives are not necessarily preferable. When consumers face a security obstacle that complicates access, they often take an insecure route to circumvent the issue. In the case of password security, this means using the same password for every service, or creating easy-to-remember (and thus easy-to-hack) passwords that present even greater risks.
Our suggestion? If you use password management apps, continue using them (and if you don’t use them, start). Simply ensure that you’re always using the most updated version of the app. Developers are quick to fix bugs that come to their attention — but that doesn’t help anyone using an outdated version of the program.
At Lunarline, we can’t fix the password managers you use day in and day out, but we can help your workforce understand and adopt good privacy practices. For information on us and the services we provide, contact one of our experts today.