Researchers find major security gaps in password managers
Keystone-SDA
A research team from the Swiss federal technology institute ETH Zurich has uncovered serious security flaws with password management systems.
+ Get the most important news from Switzerland in your inbox
Anyone who regularly uses online services quickly has hundreds of passwords, wrote Samuel Schlaefli for ETH News on Monday. It is difficult to memorise them all. Millions of people therefore rely on the help of a password manager.
All other passwords are stored behind a master password in a so-called vault. This simplifies access to sensitive data, such as bank accounts or online payment methods like credit cards. This makes password managers a likely target for hacker attacks, said Kenneth Paterson, computer science professor at ETH Zurich.
Providers of password managers promise absolute security: the data is so well encrypted that even they have no access to it. Researchers at ETH Zurich have now been able to show that the encrypted data is not unreadable.
“The promise is that even if someone can access the server, this does not pose a security risk for customers,” said Matilda Backendal from the Università della Svizzera italiana in Lugano. “We have now been able to show that this is not true.”
Backendal conducted the study together with Matteo Scarlata, Kenneth Paterson and Giovanni Torrisi from the Applied Cryptography Research Group at the Institute for Information Security at ETH Zurich.
An ultimatum of ninety days
The research team was able to demonstrate attacks on the password managers of three popular providers – Bitwarden, Lastpass and Dashlane – whose services are used by around 60 million people worldwide. “We were surprised at how big the security gaps are,” said Paterson.
The research team gave the providers of the hacked systems 90 days to close the security gaps. The manufacturers had shown themselves to be co-operative, although not all were equally quick to fix the security gaps.
On Monday, researchers presented concrete proposals for better protection of the systems.
Adapted from German by AI/mga
We select the most relevant news for an international audience and use automatic translation tools to translate them into English. A journalist then reviews the translation for clarity and accuracy before publication.
Providing you with automatically translated news gives us the time to write more in-depth articles. The news stories we select have been written and carefully fact-checked by an external editorial team from news agencies such as Bloomberg or Keystone.
If you have any questions about how we work, write to us at english@swissinfo.ch
