
Hacking The Keys To Your Kingdom

Can password managers be trusted?

Paul John Spaulding

Northport, N.Y. – Feb. 2, 2023

Your passwords aren’t safe.

Government agencies and cybersecurity vendors recommend password managers to businesses and consumers. The U.S. Cybersecurity & Infrastructure Security Agency (CISA) and KnowBe4, a leading security awareness training company, for instance, endorse the time-saving and protective apps.

Roger Grimes, Data-Driven Defense Evangelist at KnowBe4, however, points out the biggest concern with vaulting login credentials: “If [an] attacker compromises the password manager, the attacker can possibly access and obtain all of the user’s passwords (and sites they belong to) at once.”

How password managers (don’t) work

A password manager is an app on your phone, tablet or computer that stores your passwords, so you don’t need to remember them. It keeps a digital “vault” encrypted with a key derived from a single master password, and that vault typically holds not only your login credentials but also sensitive data such as your Social Security number and credit card details. Everything therefore hinges on that one master password: whoever can guess or steal it can open everything inside.

Cybercrime Radio: Theresa Payton, Former CIO at The White House

“Everything is hackable, nothing is infallible.”

A cybercrook who breaks into a password manager would not only gain access to your accounts, but would also be able to build a profile of your online habits. Even if you change every password, the adversary still knows where you shop and bank, because each vault entry is tied to a specific URL; that lets them retrace your digital footprint and aim convincing phishing lures at exactly the services you use.

A password manager stores the keys to your financial kingdom. The worst-case scenario is that your bank account, crypto account, and everything you own is emptied out, by a hacker, in a flash.

Who’s Hacked?

Several popular password managers have been breached, and at least one more than once.

Gen Digital (formerly Symantec / NortonLifeLock) told customers last month that attackers had accessed roughly 8,000 Norton accounts, some of which used Norton Password Manager. The intruders did not break Norton’s own systems; they logged in with usernames and passwords leaked from other sites, a technique known as credential stuffing, which only works against customers who reused their Norton password elsewhere.

In December, LastPass, a password manager with 25 million users, confirmed that cybercriminals stole a backup copy of its customers’ password vaults. This was the second breach LastPass disclosed in 2022. The vault contents are encrypted with a key derived from each user’s master password, so the thieves have to guess that password offline, but LastPass acknowledged that some fields, including the website URLs in each vault, were stored unencrypted. That hands the attackers the profile of where each victim banks and shops described above without any guessing at all.

Some lesser-known password managers have been targeted as well. In April 2021 Australia-based Click Studios had its Passwordstate password manager compromised through its own upgrade mechanism, which delivered a malicious update to customers, and those customers were then phished with emails impersonating the company. Scarily, the company went silent long enough for some customers to feel abandoned.

Give password managers the finger?

A surge in passwordless authentication vendors comes as no surprise. They promise to do away with passwords altogether and log you into your apps with a fingerprint or face scan instead.

“Passwords are for treehouses” according to Frank Abagnale, whose life was the genesis of Catch Me If You Can, a 2002 film by Steven Spielberg. Abagnale has spent over 40 years working with large organizations on their cybersecurity, including the FBI, and is now an advisor to Trusona, a company aiming to replace passwords in favor of using your phone as a passkey to access your accounts.

Trusona along with tech juggernauts Microsoft and Google are among many companies pursuing passwordless logins, but it may take years before this is adopted by the everyday consumer.

Now what?

Users whose credentials were exposed in one of these password-manager incidents may view the apps as sinking ships, and while a physical password book can certainly be a lifeboat, it’s not the only one.

The New York Times says you can go passwordless right now on Android, iOS, and Windows. Password managers Dashlane and 1Password have also announced support.

For LastPass users, WIRED recommends immediately switching to a new password manager, changing all of your passwords, and enabling multi-factor authentication wherever possible.

All I know is, the next time I log in, I’m going passwordless.

Paul John Spaulding is GM Production at Cybercrime Magazine.