How Password Managers Are Becoming a Target for Hackers


Research conducted by Picus Security suggests that about 25% of malware now targets password managers or other ways of storing login credentials, using techniques such as memory scraping and registry harvesting to steal passwords.

1. Spoofing Attacks


Password managers are a tempting target for hackers because one compromise yields all of your passwords at once and bypasses any other cybersecurity protections. Once a password manager is breached, attackers can access every password stored in it, completely bypassing the around-the-clock defense systems meant to protect its users.

Cybercriminals have always been interested in password managers. In 2014, Citadel malware was found to have compromised one in 500 PCs, keylogging master passwords as users typed them into password managers.

Attacks can be rather simple spoofing attacks, in which a fake login page almost identical to the password manager's interface tricks the user into entering the master password. Alternatively, brute force attacks can be carried out with automated systems that run through possible combinations until one matches the master password for that password manager.

To guard against these risks, organizations should choose only a reliable cloud-based password manager that offers multi-factor authentication and stores data securely. The password manager should give the organization fine-grained access control so that employees hold only the minimum permissions needed for their work, covering the full scope of encrypted fields, usernames, passwords, and notes. It is also important that the password manager provider's source code is protected from public view so that, as an added measure, the business is less vulnerable to attacks against itself. Finally, it should keep a detailed audit trail that holds people accountable by recording which credentials were accessed, by whom, and when.

2. Brute Force Attacks


Password managers have been on hackers' radar ever since they became popular. Users rely on password managers to remember complex, unique passwords for accounts that would otherwise be exposed to phishing attacks and social engineering schemes, yet these applications are themselves a focal point for attackers.

Hackers can simply brute-force their way into the password manager by guessing the master password. It is an attack that requires few resources and is fully automated. The aim is to find the master password by trying possible combinations of letters, numbers, and symbols until the account is cracked, after which the attacker can use the stolen passwords to access other accounts.

This also differs from phishing in that it seeks to steal passwords directly from users by observing their behavioral patterns. Further, it is considered faster and cheaper, because access takes little time compared with collecting passwords manually from post-it notes, spreadsheets, note-taking apps, or mobile phones.

Most organizations are still unwilling to adopt any password manager for fear of creating a single point of failure by centralizing all of the company's passwords in one place. But it should be remembered that a secure password manager stores passwords only in encrypted vaults unlocked by an authorized master password, which, ironically, protects against exactly such breaches.
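The following is an added example, not code from the original article or from any password manager product. It shows why an encrypted vault resists master-password guessing when the vault key comes from a deliberately slow key-derivation function. PBKDF2-HMAC-SHA256, the iteration count, the verifier label and all function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import time

def derive_key(master_password, salt, iterations):
    # Every guess, legitimate or not, must pay for `iterations` HMAC rounds.
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt,
                               iterations, dklen=32)

def create_vault_header(master_password, iterations=600_000):
    # iterations=600_000 is an illustrative default, not a value from the article.
    salt = os.urandom(16)  # unique per vault, so work cannot be shared across vaults
    key = derive_key(master_password, salt, iterations)
    # Store only a verifier computed from the key, never the password or the key.
    verifier = hmac.new(key, b"vault-verifier", hashlib.sha256).digest()
    return {"salt": salt, "iterations": iterations, "verifier": verifier}

def unlock(header, candidate):
    # Returns the 32-byte vault key for the right master password, else None.
    key = derive_key(candidate, header["salt"], header["iterations"])
    check = hmac.new(key, b"vault-verifier", hashlib.sha256).digest()
    return key if hmac.compare_digest(check, header["verifier"]) else None

def seconds_per_guess(iterations, samples=3):
    # Measure what one master-password guess costs on this machine.
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(samples):
        derive_key(f"guess{i}", salt, iterations)
    return (time.perf_counter() - start) / samples

def years_to_exhaust(length, alphabet_size, secs_per_guess):
    # Worst-case time to try every password of the given length and alphabet.
    return (alphabet_size ** length) * secs_per_guess / (365 * 24 * 3600)

if __name__ == "__main__":
    header = create_vault_header("correct horse battery staple")
    print("wrong guess unlocks:", unlock(header, "password123") is not None)
    cost = seconds_per_guess(header["iterations"])
    print(f"one guess costs {cost:.3f}s; 12 chars over 94 symbols:",
          f"{years_to_exhaust(12, 94, cost):.2e} years on one core")
```
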

3. Malware


Password managers are very robust against malware: they prevent passwords from leaving their vaults, so those passwords cannot be reused across accounts. Alongside this immunity to brute-force attacks, password managers also flag forged and fake sites so that users are warned to leave immediately.

This does not mean, however, that password managers are invincible to hacking outright; over the years malware has been developed specifically to target password managers, Citadel in 2014 being one example. With one in 500 PCs compromised via "password management trojans," Citadel infected its environment like any other malware to steal passwords or credit card data from users.

Credential stuffing is another type of cyberattack, one that leverages passwords leaked through data breaches, prior cyberattacks, or dark web marketplaces to gain access to other online accounts. Cybercriminals use these verified login credentials as leverage against others, an effective strategy given that 65% of people reuse the same password across websites and applications.
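Credential stuffing as described above leaves a recognisable trace in login logs: one source trying many different accounts, mostly failing. The detection sketch below is an added example, not part of the original article. The log format, the thresholds and the function names are assumptions, and the log lines are constructed sample data.

```python
from collections import defaultdict

# Constructed sample events (not real logs): timestamp, source IP, username, outcome.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.7 alice FAIL
2024-05-01T10:00:02Z 203.0.113.7 bob FAIL
2024-05-01T10:00:03Z 203.0.113.7 carol FAIL
2024-05-01T10:00:04Z 203.0.113.7 dave OK
2024-05-01T10:00:05Z 203.0.113.7 erin FAIL
2024-05-01T10:00:06Z 203.0.113.7 frank FAIL
2024-05-01T10:03:10Z 198.51.100.20 alice FAIL
2024-05-01T10:03:25Z 198.51.100.20 alice FAIL
2024-05-01T10:03:40Z 198.51.100.20 alice OK
2024-05-01T10:05:00Z 192.0.2.44 gina OK
2024-05-01T10:06:00Z 192.0.2.44 henry OK
"""

def parse(log):
    # Yield (source_ip, username, succeeded) for each event line.
    for line in log.strip().splitlines():
        _ts, ip, user, outcome = line.split()
        yield ip, user, outcome == "OK"

def stuffing_suspects(log, min_users=5, max_success_ratio=0.2):
    """Flag sources that try many distinct accounts and mostly fail.

    Returns {source_ip: [accounts that logged in successfully from it]};
    those accounts had a reused password accepted and need a reset.
    """
    users = defaultdict(set)
    hits = defaultdict(set)
    attempts = defaultdict(int)
    successes = defaultdict(int)
    for ip, user, ok in parse(log):
        users[ip].add(user)
        attempts[ip] += 1
        if ok:
            successes[ip] += 1
            hits[ip].add(user)
    return {
        ip: sorted(hits[ip])
        for ip in users
        # Many accounts from one source separates stuffing from a user
        # mistyping their own password (198.51.100.20 in the sample).
        if len(users[ip]) >= min_users
        and successes[ip] / attempts[ip] <= max_success_ratio
    }

if __name__ == "__main__":
    print(stuffing_suspects(SAMPLE_LOG))
```
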

Further, password managers do not only face risks and attacks from hackers or organized crime groups; on the other hand, risks can also come from compiler design bugs and vulnerabilities. They can also be severely compromised if they store user data on third-party servers located outside their legal jurisdiction and certification requirements, thereby breaching corporate policy as well as national regulatory obligations.

4. Credential Stuffing Attacks


Passwords have by now become one of the most important gateways from our digital lives into almost every online community, tool, healthcare service, bank, and so on. Sadly, as hackers have found it easy to learn how to steal login credentials, a new cyber threat has emerged, and password managers have become prime targets for such attacks.

Password managers conveniently keep all our passwords and sensitive data in one location; a hacker who breaks in therefore gains a "master key" to all our accounts and services. As clearly shown by the LastPass breach, attackers can easily exploit this vulnerability and gain entry into all your accounts and services at once.