Six of the most popular password managers have been called out by security researchers who uncovered a major vulnerability that impacts the Android autofill function. The AutoSpill vulnerability enables hackers to bypass the security mechanisms protecting the autofill functionality on Android devices, exposing credentials to the host app calling for them.
A spokesperson for Enpass told me that Ankit Gangwal from the research team at the Indian Institutes of Information Technology reached out to them in June 2022 about the AutoSpill vulnerability in the Android Autofill framework. That vulnerability was subsequently patched in Enpass 6.8.3, released September 29, 2022.
It's becoming increasingly clear that password managers are not the impenetrable fortresses we once thought they were. In fact, the recent string of breaches suggests that relying on passwords, even within these managers, might be akin to building our digital security on sand.
In October 2022, LastPass experienced another severe security breach when hackers infiltrated the account of a senior DevOps engineer. The breach went undetected for a little under three months. It was initially downplayed when announced, but proved far more extensive than first disclosed. Attackers gained access to customer vault data, including emails, phone numbers, credentials, metadata, and third-party integration secrets.
In January 2023, Norton LifeLock warned over 6,000 customers of a breach stemming from credential stuffing attacks. Using usernames and passwords likely sourced from the dark web, the attackers successfully accessed customer accounts, potentially compromising logins stored in the password manager. Norton's response, resetting passwords and advocating two-factor authentication, leaves much to be desired.
In September 2023, 1Password detected suspicious activities linked to Okta's support system. Although no user data was compromised, the incident highlighted the necessity of constant vigilance and robust security measures in the face of evolving cyber threats.
In 2020, researchers from the University of York put popular password managers under the microscope. Their findings were unsettling, to say the least. Vulnerability to phishing attacks, the absence of limits on login attempts, and the risk of credentials being exposed in clear text via the clipboard were just some of the red flags raised. This study was a wake-up call, highlighting the inherent flaws in relying on password managers.
The recurring theme in all these incidents is the inherent weakness of passwords. No matter how sophisticated the manager, the basic premise of using passwords is flawed. Passwords, by their very nature, are susceptible to a range of attacks, from brute force to phishing. As cyber attacks grow in sophistication, with advanced social engineering tactics and malware, the frailty and insecurity of passwords only become more apparent.
The common advice given to users is to create complex, unique passwords for each account, but this places a burden on them. The result is the prevalent, and risky, practice of reusing simple passwords across multiple websites. All of this highlights the pressing need to shift towards a more resilient and user-friendly method of authentication.
Passwordless MFA does away with passwords altogether, eliminating the primary target of most cyberattacks. Instead, it relies on multiple layers of verification, making unauthorized access exponentially more difficult.
Users no longer need to reset passwords or call the IT help desk because they got locked out. Access to applications is faster, and annoying one-time passwords and push notifications are done away with.
Beyond Identity makes implementing passwordless MFA straightforward and efficient. Our approach uses continuous authentication and is a seamless blend of convenience and robust security, keeping things smooth yet secure.