Which Password Managers Have Been Hacked?
Of the many ‘silver bullets’ out there looking to finally slay the password, none have been able to succeed. What this means is that passwords are here to stay, at least for the time being, and your best shot at both generating unique and cryptographically secure passwords and retrieving them whenever they’re needed is with a password manager.
This is what security experts have been advocating for years because these tools create a safe environment in which users can store all of their credentials and financial data without the hassle of remembering each and every username and password. But how do you pick the best password management service?
Vulnerability of Password Manager Add-ons
One of the key pieces of advice that security experts (ourselves included) give is to take a look at whether the password management service has been hacked before or not, as well as whether it ‘features’ any security vulnerabilities that white-hat hackers have shared with the service providers. If the password management service has patched any vulnerabilities, then it could be a good choice.
To help make that decision a little easier, let’s take a look at the hacking history of some password managers. The aim isn’t a complete list, as you’ll see; instead we have explored the most important hacks and security vulnerabilities over the years.
LastPass, My1Login, NeedMyPassword, PasswordBox, and RoboForm: Researchers at the University of California Berkeley discovered a number of vulnerabilities in a handful of password managers. “In four out of the five password managers we studied, an attacker can learn a user’s credentials for arbitrary websites,” researchers Zhiwei Li, Warren He, Devdatta Akhawe, and Dawn Song wrote in their paper.
RoboForm: IT security consultant and tech enthusiast Paul Moore discovered a critical vulnerability and a privacy loophole in the password management service that could allow attackers and prying eyes to obtain users’ personal data, including stored login credentials for various websites and even card payment details.
KeePass: When this program runs on a computer where a logged-in user has the KeePass database unlocked, KeeFarce (a hacking tool) decrypts the entire database and writes it to a file that the hacker can easily access. In theory this kind of hack makes all password managers vulnerable, since any manager must hold the decrypted data in memory while it is unlocked.
LastPass: An intrusion to the company’s servers was detected. While encrypted user data wasn’t stolen, cyber criminals stole LastPass account email addresses, password reminders, server per-user salts, and authentication hashes.
MyPasswords, Informaticore, LastPass, Keeper, F-Secure Key, Dashlane, Keepsafe, Avast Passwords, and 1Password: This was a busy year in terms of password management vulnerabilities. TeamSIK (Security Is Key), a group of people interested in IT security from the Fraunhofer Institute for Secure Information Technology, discovered serious security flaws in the most popular password management apps developed for the Android platform.
LastPass: Google Project Zero hacker Tavis Ormandy discovered a critical zero-day flaw that allowed any remote attacker to compromise accounts completely.
LastPass: Tavis Ormandy discovered a vulnerability in its browser plugins, which LastPass called a “major architectural problem”. The password management service advised users to avoid using its browser plugins while it dealt with the issue.
OneLogin: An attacker had “obtained access to a set of AWS keys and used them to access the AWS API from an intermediate host with another, smaller service provider in the U.S.”
Keeper: Tavis Ormandy discovered that the service was exposing passwords to untrusted web pages.
Does This Mean We Should Stop Using Password Managers?
No, not at all. The recent hacks and security vulnerabilities found in these services underscore one important aspect of security: no piece of software is able to truly offer more than 99% security. Reaching 100% security is impossible with any kind of software, because every piece of code will have an Achilles heel somewhere that makes it vulnerable.
The real question is a different one: what does the development team do to protect user data, and what attack scenarios did they have in mind when they wrote the software? Of course, if a service is static and the developers don’t keep its security up to date, then it can easily be hacked.
How user data is protected should be the main consideration when picking a password manager. Other features have their importance, but this is something you should always weigh before making the final decision. For example, how do the developers communicate bad news to their users? Transparency in communication is another important aspect.
Free password managers are great utilities to start with; just be sure to keep an eye on the updates. Check the update history of the software, and if there isn’t much to check on, consider it a sign to move on to the next one. A lot can happen in just a few weeks in the security industry, so the bare minimum on your list of expectations should be up-to-date software and a quick response time to any security breaches or attacks. Otherwise, you could end up vulnerable to cyber attacks, which is the opposite of what you wanted in the first place.
The New Hot Job: Real-Time Password Manager
Who couldn’t use 24/7 live human help to recall how to log in?
People often wonder how the unemployment rate can remain so low in an era when manufacturing jobs have all but disappeared. Where are all these new jobs coming from?
For starters, it’s clear that at least 41.7 million Americans now work as baristas. And nearly that many work at least part-time as stand-up comics. (Research has determined that many of these are the same people.) And it is a little-known fact that an astonishing 17.1 million Americans now earn their living as personal password managers.
That’s right—these are people who literally keep track of their clients’ passwords, change the passwords when they become vulnerable and provide 24-hour live assistance in retrieving lost and forgotten passwords. If you haven’t heard of this, you’re obviously a late adopter. A late, late adopter.
“Passwords are hard to remember, and if you can’t punch in your ATM password while you’re hiking through the Hindu Kush you could find yourself in big trouble,” says Vixen Katmandu, founder of OMG Really Awesome Human Passwords of Brooklyn, now positioned to be the next Facebook or at least the next WeWork. “That’s why hiring a real, live human being to manage all your passwords for you 24/7 makes so much sense.”
A relieved and only slightly embarrassed public agrees. “I was using strong passwords like ‘ArtilleryPumasShamed689FastidiouslyBankruptCornMuffins’,” says Bruno Alteari, one of OMG Really Awesome Human Passwords’ first customers. “But then I’d forget whether ‘puma’ was capitalized, or if it was 689 or 869, or corn muffins or blueberry muffins. And then I’d get locked out of my email account for three days while sailing across the Straits of Magellan. Now I just send a text to somebody named Tron, and my problems are solved.”
With human password managers, consumers no longer have to write their passwords on tiny strips of paper and hide them in their shoes. Sure, sophisticated types use garden-variety online apps such as 1Password and Last Pass to simply store their passwords, seemingly bypassing the need for a living, breathing password manager. But those apps won’t create millions of U.S. jobs—nor bail you out of real trouble.
“What if you’re being detained in a Manila jail and need cash fast, and you can’t remember the password you need to access your password manager, and there’s no Internet connection anyway,” asks Bree Shostakovich, CEO of Like Seriously 24/7 Human Passwords, possibly the next Uber or at least Tesla. “Want to find yourself in that situation?”
Human password managers are not, as you might think, dimwit shut-ins armed with voluminous notebooks. Rather, they are ordinary people with excellent memories who earn a good salary keeping clients’ passwords lodged in their heads where no hacker can get to them.
“The average person is not going to remember ‘efghjythtq- 439876NQ’,” says Didier du Vieux Croque-Monsieur Avec Salade Verte, a minor-league hockey coach who moonlights as a password manager. “But I will. EZ-PZ.”
Despite the genius of the human password system, some people obstinately continue to use readily hackable passwords like “LSU SUCKS” and “666.”
“It defeats the whole purpose of the exercise,” says another human password manager. “But I get paid the same fee no matter what password they use.”
Critics complain that an economy dependent on so many unskilled jobs is headed for disaster. The hockey coach scoffs at that notion.
“Where does it say that being able to perform open-heart surgery is any harder than remembering a couple hundred passwords like ‘7%65ETHIOPIA 5#@ArfArf_HEREKITTY-KITTY754#@OMAHA!OMAHA!!’” asks Mr. du Vieux Croque-Monsieur Avec Salade Verte. “Don’t U dare condescend 2 ME.”