Password managers less secure than promised

Original link: https://ethz.ch/en/news-and-events/eth-news/news/2026/02/password-managers-less-secure-than-promised.html

## Password managers: not as secure as you think

Most internet users have to manage hundreds of passwords, which has made password managers, tools that store credentials behind a single master password, very popular. They offer convenience and access across devices, but research from ETH Zurich shows that leading providers such as Bitwarden, LastPass and Dashlane, which together serve 60 million users, have significant security vulnerabilities.

The study demonstrates several successful attacks that retrieve, and even modify, user passwords through routine operations such as logging in or synchronising data. Although the vendors advertise "zero-knowledge encryption", meaning they should have no access to user data, the study found vulnerabilities that allow complete compromise of vaults.

These weaknesses stem from complex code written for user-friendliness (such as password recovery and sharing), which unintentionally enlarges the attack surface. Vendors are reluctant to update their systems with modern cryptography, fearing data loss for existing users, and often rely on outdated security measures.

The researchers recommend choosing a password manager that is transparent, externally audited and end-to-end encrypted by default. The key takeaways: users should be aware that current security is not foolproof, and vendors need to prioritise strong security over convenience.

## Password manager security issues

A recent study (ethz.ch) reports that popular cloud-based password managers such as Bitwarden, LastPass and Dashlane have security vulnerabilities despite their claims of "zero-knowledge encryption". The researchers demonstrated 12 attacks on Bitwarden, 7 on LastPass and 6 on Dashlane, ranging from targeted vault compromises to full organisation-wide breaches.

The core problem is that a malicious server can compromise vaults during key exchange. The attacks require full control of the server, but commenters note that this is not an impossible scenario. 1Password published a response addressing these concerns, and some argued that its larger market share has not produced similar reports.

Many users advocate offline solutions such as KeePass (and KeePassXC) for greater control and security, while acknowledging usability challenges for less technical users. The discussion highlights the trade-off between convenience and security, with some preferring self-hosted solutions or encrypted local files.

Original text

People who regularly use online services have between 100 and 200 passwords. Very few can remember every single one. Password managers are therefore extremely helpful, allowing users to access all their passwords with just a single master password.

Most password managers are cloud based. A major advantage this offers users is the ability to access their passwords from different devices and also share them with friends and family members. Security is the most important feature of these password managers since, ultimately, users store sensitive data in these encrypted storage platforms, commonly called “vaults”. This can also include login details for online banking or credit cards. 

Most service providers therefore promote their products with the promise of “zero-knowledge encryption”. This means they assure users that their stored passwords are encrypted and even the providers themselves have “zero knowledge” of them and no access to what has been stored. “The promise is that even if someone is able to access the server, this does not pose a security risk to customers because the data is encrypted and therefore unreadable. We have now shown that this is not the case”, explains Matilda Backendal.

Backendal conducted the study together with Matteo Scarlata, Kenneth Paterson and Giovanni Torrisi from the Applied Cryptography Group at ETH Zurich. Backendal and Torrisi are currently working at the Università della Svizzera italiana in Lugano. 

Complete access to passwords 

The team conducted a study to scrutinise the security architecture of three popular password manager providers: Bitwarden, LastPass and Dashlane. Between them, they serve around 60 million users and have a 23 per cent market share. The researchers demonstrated 12 attacks on Bitwarden, 7 on LastPass and 6 on Dashlane.

To do this, they set up their own servers that behave like a hacked password manager server. They proceeded on the assumption that, following an attack, the servers behave maliciously (malicious server threat model), and when interacting with clients, such as a web browser, they deviate arbitrarily from the expected behaviour.  

Their attacks ranged from integrity violations affecting specific, targeted user vaults to the complete compromise of all vaults within an organisation using the service. In most cases, the researchers were able to gain access to the passwords – and even make changes to them.  

All they needed to achieve this were simple interactions that users or their browsers routinely perform when using the password manager – for example, logging into the account, opening the vault, viewing passwords or synchronising data. “Due to the large amount of sensitive data they contain, password managers are likely targets for experienced hackers who are capable of penetrating the servers and launching attacks from there,” says Paterson, Professor of Computer Science at ETH Zurich. Attacks like this have already occurred in the past. 
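To make the malicious server threat model concrete, here is an added, runnable sketch (not code from the ETH paper and not any vendor's actual scheme) of what "the server deviates arbitrarily from the expected behaviour" means for a vault client, and what a client must verify for the zero-knowledge promise to survive it. The server below stores encrypted vault blobs but can tamper with a blob, serve another user's blob, or roll a user back to an older version; a client that authenticates the blob together with the user id and a version number rejects all three. The cipher is a generic encrypt-then-MAC construction built from HMAC-SHA256 (standard library only), the user names, passwords and vault contents are constructed sample data, and the three server behaviours are illustrative deviations, not the attacks the researchers found.

```python
"""Malicious-server threat model for an end-to-end-encrypted vault (illustrative sketch).

Assumptions (not from any vendor): PBKDF2 with a client-pinned iteration count,
an HMAC-SHA256 keystream for confidentiality and HMAC-SHA256 for integrity.
"""
import hashlib
import hmac
import json
import secrets


def derive_keys(master_password: str, user_id: str, iterations: int = 100_000) -> tuple[bytes, bytes]:
    """Derive an encryption key and a MAC key from the master password.

    The salt is derived from the user id and the iteration count is pinned in the
    client, so a malicious server cannot weaken the derivation by supplying them.
    """
    root = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), b"vault-kdf-salt:" + user_id.encode(), iterations, dklen=32
    )
    enc_key = hmac.new(root, b"encryption", hashlib.sha256).digest()
    mac_key = hmac.new(root, b"authentication", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used as a PRF-based stream cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal_vault(enc_key: bytes, mac_key: bytes, user_id: str, version: int, plaintext: bytes) -> dict:
    """Encrypt-then-MAC; the user id and version are bound into the tag as associated data."""
    nonce = secrets.token_bytes(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    header = json.dumps({"user": user_id, "version": version}, sort_keys=True).encode()
    tag = hmac.new(mac_key, header + nonce + ciphertext, hashlib.sha256).digest()
    return {"header": header.decode(), "nonce": nonce.hex(), "ct": ciphertext.hex(), "tag": tag.hex()}


def open_vault(enc_key: bytes, mac_key: bytes, user_id: str, last_seen_version: int, blob: dict) -> bytes:
    """Verify before decrypting; reject modified blobs, foreign vaults and rollbacks."""
    header = blob["header"].encode()
    nonce = bytes.fromhex(blob["nonce"])
    ciphertext = bytes.fromhex(blob["ct"])
    expected = hmac.new(mac_key, header + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(blob["tag"])):
        raise ValueError("integrity check failed: blob was modified or belongs to another user")
    meta = json.loads(header)
    if meta["user"] != user_id:  # defence in depth; the per-user MAC key already catches swaps
        raise ValueError("user mismatch: vault is bound to a different user")
    if meta["version"] < last_seen_version:
        raise ValueError(f"rollback: server returned version {meta['version']} < {last_seen_version}")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


class MaliciousServer:
    """A storage server that, once compromised, may deviate arbitrarily from the protocol."""

    def __init__(self) -> None:
        self.history: dict[str, list[dict]] = {}  # holds only ciphertext blobs, never keys

    def put(self, user_id: str, blob: dict) -> None:
        self.history.setdefault(user_id, []).append(blob)

    def get(self, user_id: str, behaviour: str = "honest") -> dict:
        latest = self.history[user_id][-1]
        if behaviour == "honest":
            return latest
        if behaviour == "tamper":  # flip one ciphertext byte
            ct = bytearray.fromhex(latest["ct"])
            ct[0] ^= 0x01
            return {**latest, "ct": ct.hex()}
        if behaviour == "rollback":  # serve an older version the user already replaced
            return self.history[user_id][0]
        if behaviour == "swap":  # serve another user's vault
            other = next(u for u in self.history if u != user_id)
            return self.history[other][-1]
        raise ValueError(behaviour)


def run_scenarios() -> dict[str, str]:
    """Run each server behaviour against a verifying client; return the outcome per behaviour."""
    server = MaliciousServer()
    alice_keys = derive_keys("correct horse battery staple", "alice")  # constructed sample users
    bob_keys = derive_keys("hunter2", "bob")
    server.put("alice", seal_vault(*alice_keys, "alice", 1, b'{"bank": "old-password"}'))
    server.put("alice", seal_vault(*alice_keys, "alice", 2, b'{"bank": "new-password"}'))
    server.put("bob", seal_vault(*bob_keys, "bob", 1, b'{"mail": "bobs-password"}'))
    outcomes = {}
    for behaviour in ("honest", "tamper", "rollback", "swap"):
        try:
            plaintext = open_vault(*alice_keys, "alice", 2, server.get("alice", behaviour))
            outcomes[behaviour] = "accepted:" + plaintext.decode()
        except ValueError as err:
            outcomes[behaviour] = "rejected:" + err.args[0].split(":")[0]
    return outcomes


if __name__ == "__main__":
    for behaviour, outcome in run_scenarios().items():
        print(f"{behaviour:9s} -> {outcome}")
```

Two caveats worth keeping in mind. Rollback detection only works because this client remembers the last version it saw; a freshly enrolled device has no such memory, so without a trusted out-of-band source for the current version a malicious server can serve it stale data undetected. And the checks here cover only the stored blob; the article says the real attacks also went through convenience features such as account recovery and sharing, which this sketch does not model at all, so passing these four scenarios is necessary, not sufficient.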

Confusing code 

“We were surprised by the severity of the security vulnerabilities,” says Paterson. His team had already discovered similar vulnerabilities in other cloud-based services but had assumed a significantly higher standard of security for password managers due to the critical data they store. “Since end-to-end encryption is still relatively new in commercial services, it seems that no one had ever examined it in detail before.”  

Matteo Scarlata, PhD student at the Applied Cryptography Group, carried out some of the attacks. As he began to analyse how the various password managers were coded, he quickly came across some very strange code architecture. In his view, these companies are attempting to provide their customers with the most user-friendly service possible, for example offering the ability to recover passwords or share their account with family members.  

“As a result, the code becomes more complex and confusing, and it expands the potential attack surface for hackers,” Scarlata explains. “Such attacks do not require particularly powerful computers or servers – just small programs capable of impersonating the server.”

As is common with “friendly” attacks, Paterson’s team contacted the providers of the systems concerned before publishing their findings. They were given 90 days to fix their security vulnerabilities. “For the most part, the providers were cooperative and appreciative, but not all were as quick when it came to fixing the security vulnerabilities,” says Paterson.  

Discussions with the developers of these password managers showed that they are very hesitant when it comes to system updates, as they worry that their customers could lose access to their passwords and other personal data. Alongside millions of private individuals, this customer base also includes thousands of companies that entrust the providers with all of their password management. It is not difficult to imagine what would happen if they suddenly lost access to their data. Many providers therefore stick to cryptographic technologies from the 90s, even though these have long been obsolete, says Scarlata. 

Update systems with modern cryptography 

The researchers have now made concrete suggestions for how the security of these systems could be improved. Scarlata proposes updating the systems for new customers in line with the latest cryptographic standards. Existing customers could then have the choice of migrating to the new, more secure system and transferring their passwords across, or sticking with the old system – with full knowledge of the existing security vulnerabilities. 

And what can the millions of people who rely on their password manager every day do to make the most of online services? Paterson recommends choosing a password manager that is transparent about potential security vulnerabilities, undergoes external audits and, at the very least, has end-to-end encryption enabled by default.

“We want our work to help bring about change in this industry,” says Paterson. “The providers of password managers should not make false promises to their customers about security but instead communicate more clearly and precisely what security guarantees their solutions actually offer.”  
