Security experts recommend using complex, random, and unique passwords for every online account, but remembering them all is a challenging task. That’s why so many users rely on password managers: These encrypted vaults, accessed by a single master password or PIN, store and autofill credentials.

However, researchers at the University of York in England have shown that some commercial password managers may not be a watertight way to ensure cybersecurity. After creating a malicious app to impersonate a legitimate Google app, they were able to fool two out of five of the password managers they tested into giving away a password.

The research team found that some of the password managers used weak criteria for identifying an app and which username and password to suggest for autofill. This weakness allowed the researchers to impersonate a legitimate app simply by creating a rogue app with an identical name.

“Vulnerabilities in password managers provide opportunities for hackers to extract credentials, compromising commercial information or violating employee information,” says Siamak Shahandashti, PhD, of the Department of Computer Science at the University of York and lead author of the study. “Because they are gatekeepers to a lot of sensitive information, rigorous security analysis of password managers is crucial. Our study shows that a phishing attack from a malicious app is highly feasible—if a victim is tricked into installing a malicious app it will be able to present itself as a legitimate option on the autofill prompt and have a high chance of success.”

“In light of the vulnerabilities in some commercial password managers our study has exposed, we suggest they need to apply stricter matching criteria that is not merely based on an app’s purported package name.”

Other Vulnerabilities

The researchers also discovered some password managers did not have a limit on the number of times a master PIN or password could be entered. This means that if hackers had access to an individual’s device they could launch a “brute force” attack, guessing a four-digit PIN in around 2.5 hours. 

As well as these new vulnerabilities, the researchers also drew up a list of previously disclosed issues identified in a previous study and tested whether they had been resolved. They found that while the most serious of these vulnerabilities had been fixed, many had not been addressed. 

“New vulnerabilities were found through extensive testing and responsibly disclosed to the vendors,” says lead author Michael Carr. “Some were fixed immediately while others were deemed low priority. More research is needed to develop rigorous security models for password managers, but we would still advise individuals and companies to use them as they remain a more secure and useable option. While it’s not impossible, hackers would have to launch a fairly sophisticated attack to access the information they store.”