The problems with passwords are numerous, both from a security and a usability standpoint. We’ve looked at account takeover and phishing attacks, but here we’ll address the issue from the user’s end. Often, users are faced with having to create dozens of passwords for different accounts, leading to frustration and lost productivity around authentication.
This can have a couple of outcomes. Either the user keeps the same password for multiple sites, which is a major security issue, or they diligently create new passwords for each and every account and promptly forget them. Or both. More than 65% of people reuse passwords across accounts and the majority don’t change them, even after a known breach. Meanwhile, 25% reset their passwords once a month or more because they forgot them. These resets cost businesses time and money and frustrate users.
Password managers have emerged as a solution to having to track all the various passwords across the digital sphere. The passwords are stored in an encrypted vault that can only be accessed by someone with the right credentials. On the surface, having a digital assistant remember your passwords for every one of your accounts may seem like a blessing, but there are multiple problems with password managers.
1. The Master Password
Passwords are the problem password managers are meant to solve, but how do you access a password manager in the first place? Well, that would be by logging in with your “master” password. So, in effect, all of the many passwords you use across the online world are reduced to one single password.
This is easier from a usability perspective, but it creates one of the biggest problems with password managers: the fact that this password can still be compromised. Except now, if your password manager’s master password is compromised, the attacker doesn’t just have access to one targeted account but every single one of your accounts. This was the case when hackers launched a credential stuffing attack using email addresses and passwords obtained from third-party breaches against users of the popular LastPass password manager.
2. Susceptibility to Hacking
Like virtually every other app or website, major bugs or coding flaws can allow attackers to access a password manager and a user’s passwords. In 2019, security flaws were discovered in five of the top password managers where passwords could be exfiltrated from a computer’s memory. A more recent example exploited a specific bug in a password manager itself and used it as a launchpad to attack systems where that application was present.
Common hacking attacks such as man-in-the-middle, stealing session tokens or installing keylogging malware will also allow hackers to compromise access to a password manager. But, again, the problems with password managers are that once an attacker has gained access, their attacks can cover the breadth of your entire online identity.
3. Locked Out Recovery
Among the problems with password managers is that there is no secure authentication beyond a master password to access your account. This creates a few issues, the first being that someone who completely loses their master password and thus access to their email or other recovery accounts will be permanently locked out of their password manager.
The second issue is that the recovery process, such as sending a link to an email account, can easily be used by an attacker who has access to that email account. They can elevate the attack by changing your master password, effectively taking over the account, while also gaining access to your passwords for every other account.
Like attackers use phishing attacks to take identity credentials for any other authentication process, they can do the same for password managers. However, one of the biggest problems with password managers is that, as the attackers know how valuable the data inside (i.e., all your passwords) is, they are likely to focus heavily on phishing your master password. For accounts with two-factor authentication, attackers have developed ways to circumvent these security restrictions as well.
Also, even though password managers should not auto-fill authentication forms on illegitimate phishing sites, they still give the option to choose to input your details as this security researcher details. This negates one of the major supposed benefits of password managers.
5. Insecure Password Usage
Among the problems with password managers is that they may still only manage passwords that were never secure to begin with. While many password managers offer the option to generate secure passwords for websites, research has found that only around 20% of users use Chrome’s secure password generator and about 50% use the generator of their third-party password manager.
This means that the passwords people are using are still susceptible to the usual flaws of human-created passwords (easy to guess dictionary words, too short, not including symbols or numbers, re-used over multiple sites, etc.), but now they are held in a password manager. Any of these accounts using insecure passwords can be breached by credential stuffing, phishing, MitM and other credential attacks.
6. Password Manager Safety
Most password managers claim a “zero-knowledge” system that encrypts passwords before they leave your device. Passwords are stored in their encrypted format (usually AES-256), and the provider has no way to decipher them. This means a breach of the password manager’s servers should not yield usable customer data. However, an attack a few years ago on password manager OneLogin gave hackers access to customers’ data as well as the ability to decrypt it.
Moreover, as with most other attacks that focus on access points, data encryption won’t help a user if the hacker breaks through their authentication protocols. Users will still be completely exposed across all of their accounts, and the problems with password managers remain the same as with any other account authentication procedure.
HYPR: Removing the Threat of Authentication Attacks
Even though they intend to create a safer digital world, the problems with password managers are the same as the problems elsewhere online — they still use passwords for authentication. In fact, they possibly create more issues, as they provide a veneer of safety when passwords are still the single biggest cybersecurity threat.
The solution is to remove passwords altogether. HYPR has done this by creating a passwordless multi-factor authentication (PMFA) platform that leverages public key cryptography and native biometrics on a user’s smartphone to turn their device into a secure FIDO authenticator.
Another of the major problems with password managers and the use of passwords in general is user experience. A poor login experience and frustration causes people to use shortcuts or ignore password best practices. For the enterprise, this introduces risk and wastes the time of IT help desks. HYPR passwordless MFA provides a seamless sign-in experience so that users save time while organizations eliminate authentication risks.