A research team at the University of York has exposed several severe flaws in nearly half of the password managers it tested. The researchers created a malicious app that was a mockup of a legit Google app and presented it to various password managers to see if they would fall for the lookalike. The spoofed app tricked two of five password managers into presenting the password, and the research also found that some of the password managers did not limit the number of times one can attempt the master PIN or password. This would allow a brute force attack to crack the master password in as little as 2.5 hours.
Alarming as this research may seem, it is still possible to reduce the risk of attacks like these. Password managers are great ways to store unique, complex passwords – but they work best with two factor authentication. If threat actors get their hands on your passwords, they would still need your unique one time password in your authenticator app to be granted full access to the account. Hopefully, this will not put people off password managers, as we still have a long way to go to help people realise their full potential.