Tag

Password Managers

All articles tagged with #password managers

Security researchers find critical flaws in mainstream password managers
technology · 2 days ago

An ETH Zurich team tested Bitwarden, LastPass, and Dashlane under a malicious-server threat model and demonstrated 12, 7, and 6 attacks respectively, showing that a compromised or malicious server could read or alter stored passwords and that the vendors' end-to-end, zero-knowledge encryption promises do not necessarily hold. Many of the attacks required nothing more than routine user actions such as logging in or syncing. The researchers propose updating the cryptographic defaults for new customers, providing migration paths for existing users, and increasing transparency through external audits, noting that many providers still rely on outdated cryptography. Consumers should favor password managers that disclose vulnerabilities, are externally audited, and enable end-to-end encryption by default.

Zero-knowledge claims tested: researchers reveal multiple flaws in top password managers
security · 10 days ago

Researchers from ETH Zurich and USI Lugano analyzed Bitwarden, Dashlane, and LastPass and uncovered multiple attack vectors through which a compromised or malicious server can read or even modify vaults, especially when account-recovery, group enrollment, key escrow, or backward-compatibility features are enabled. Some attacks allow theft of an entire vault or of selected items, and even accounts on older encryption configurations can be broken. While the vendors point to their security audits and ongoing patching, the study argues that the label "zero-knowledge" can be misleading and urges stronger threat models and resilience measures across password managers.

Researchers expose 25 recovery attacks against leading cloud password managers
security · 11 days ago

A joint ETH Zurich/USI study identifies 25 distinct recovery attacks, in which a malicious or compromised server recovers (and in some cases modifies) vault contents, across major cloud password managers (Bitwarden, Dashlane, LastPass; 1Password is also noted for some flaws). The attacks fall into four categories: exploiting key escrow in account recovery, weaknesses in item-level encryption and metadata, vulnerabilities in sharing features, and downgrades caused by legacy code. In total, 12 attacks hit Bitwarden, 7 LastPass, and 6 Dashlane; 1Password's exposure was limited to item-level and sharing issues documented as known limitations. Vendors have issued patches or mitigations (e.g., Dashlane removing legacy crypto, Bitwarden remediation, LastPass hardening, 1Password using SRP), and there is no evidence these issues have been exploited in the wild.

Ensuring Loved Ones Can Access Your Online Accounts After You're Gone
technology · 5 months ago

The article discusses the importance of planning for digital legacy by using password managers with inheritance features, such as Keeper, LogMeOnce, and NordPass, to ensure loved ones can access online accounts after death. It emphasizes the need for pre-arranged access, secure account management, and proper account shutdown procedures to protect privacy and simplify estate handling.

Critical Security Flaws in Password Managers Enable Data Theft
technology · 6 months ago

Several top password managers, including 1Password, Bitwarden, and LastPass, were found susceptible to a clickjacking technique in which a malicious page overlays invisible HTML elements so that an ordinary click silently triggers the extension's autofill, letting an attacker steal login credentials, 2FA codes, and credit card details. Every manager tested was vulnerable to at least one variant of the attack. Users are advised to update their extensions and to disable autofill until patches are released.
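An added example, not code from the article or from any of the named vendors, of the pre-fill visibility guard an extension can run before writing credentials into a page field, and equally before treating a click on its own autofill prompt as consent: it refuses when the target or any ancestor is hidden or near-transparent, when the target has no on-screen size, or when another element is painted on top of it. Every function and element name is an assumption. The DOM accessors are passed in so the guard can be exercised against a constructed element tree outside a browser; in a content script the browser's own getComputedStyle, getBoundingClientRect and document.elementFromPoint would be supplied instead.

```javascript
// Added example, not from the article or any vendor. Names are assumptions.
// Decides whether a credential may be written into `el`. `dom` supplies
// getComputedStyle(el) and elementFromPoint(x, y); in a browser these are
// window.getComputedStyle and document.elementFromPoint.

function isDescendant(node, ancestor) {
  for (let n = node; n; n = n.parentElement) {
    if (n === ancestor) return true;
  }
  return false;
}

function fillTargetIsVisible(el, dom, minOpacity = 0.9) {
  // Walk up the tree: a hidden ancestor hides the field, and opacity
  // multiplies along the chain, so a wrapper at opacity 0.05 is as bad as 0.
  let opacity = 1;
  for (let node = el; node; node = node.parentElement) {
    const cs = dom.getComputedStyle(node);
    if (cs.display === "none" || cs.visibility === "hidden") {
      return { ok: false, reason: "hidden element " + node.tagName };
    }
    opacity *= parseFloat(cs.opacity);
    if (opacity < minOpacity) {
      return { ok: false, reason: "effective opacity " + opacity.toFixed(2) };
    }
  }
  const r = el.getBoundingClientRect();
  if (r.width < 1 || r.height < 1) {
    return { ok: false, reason: "zero-size target" };
  }
  // The element actually painted at the target's centre must be the target
  // itself (or something inside it); otherwise an overlay intercepts the click.
  const top = dom.elementFromPoint(r.x + r.width / 2, r.y + r.height / 2);
  if (top !== el && !isDescendant(top, el)) {
    return { ok: false, reason: "covered by " + (top ? top.tagName : "nothing") };
  }
  return { ok: true, reason: null };
}

// ---- constructed element tree so the guard runs without a browser ----

function makeEl(tagName, rect, parentElement, style = {}) {
  return {
    tagName,
    parentElement,
    style: { display: "block", visibility: "visible", opacity: "1", ...style },
    getBoundingClientRect() { return rect; },
  };
}

function inRect(r, x, y) {
  return x >= r.x && x < r.x + r.width && y >= r.y && y < r.y + r.height;
}

// kind: "clean" | "transparent" | "hidden" | "overlay"
function buildScenario(kind) {
  const body = makeEl("BODY", { x: 0, y: 0, width: 800, height: 600 }, null);
  const form = makeEl("FORM", { x: 50, y: 50, width: 400, height: 200 }, body);
  const input = makeEl("INPUT", { x: 100, y: 100, width: 200, height: 30 }, form);
  const painted = [body, form, input]; // paint order, last element on top
  if (kind === "transparent") form.style.opacity = "0"; // fade the whole form away
  if (kind === "hidden") input.style.visibility = "hidden";
  if (kind === "overlay") { // a full-page element drawn over the field
    painted.push(makeEl("DIV", { x: 0, y: 0, width: 800, height: 600 }, body));
  }
  const dom = {
    getComputedStyle: el => el.style,
    elementFromPoint: (x, y) => {
      const hits = painted.filter(el => inRect(el.getBoundingClientRect(), x, y));
      return hits.length ? hits[hits.length - 1] : null;
    },
  };
  return { input, dom };
}

function checkScenario(kind) {
  const { input, dom } = buildScenario(kind);
  return fillTargetIsVisible(input, dom);
}
```

Only the "clean" scenario passes; the transparent form, the hidden input and the covering div are each refused with a reason the extension can log. The opacity threshold is deliberately strict, since the attacks on the page rely on fills the user never sees rather than on fields that are merely styled unusually.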

Microsoft to Remove Password Storage from Authenticator App Next Month
technology · 8 months ago

The article discusses the challenges and concerns surrounding passkeys, including their complex implementation, vendor lock-in issues, limited interoperability, and the potential for increased platform entrenchment, while highlighting that current solutions are often confusing and not yet widely supported across devices and services.

Android Password Managers: A Critical Look at the AutoSpill Vulnerability
technology · 2 years ago

AutoSpill is a weakness in the way Android's autofill framework handles WebViews that can leak credentials from popular password managers. It occurs when a credential stored in a password manager is autofilled into a WebView embedded in a third-party app: the filled credential becomes visible to the hosting app, not only to the web page it was intended for. The affected password managers include Google Smart Lock, Dashlane, 1Password, LastPass, Enpass, Keepass2Android, and Keeper. The threat is limited to specific scenarios: a third-party app that lets users log in with credentials for some other service, or a malicious app that tampers with the WebView content. AutoSpill is not a threat when the credentials being autofilled belong to the app developer's own service.

Android Password Managers: A Security Warning
technology · 2 years ago

Several popular Android password managers, including 1Password, LastPass, Enpass, Keeper, and Keepass2Android, leak user credentials through a flaw in the autofill functionality used by Android apps. The flaw, known as AutoSpill, causes credentials autofilled into a WebView to be shared with the app hosting that WebView, the same app that requested the username and password. Although the vulnerability was demonstrated on older devices and software versions, it is a reminder to keep the Android OS and installed apps up to date.

Android Password Managers Expose User Data in Major Security Breach
cybersecurity · 2 years ago

Security researchers have discovered a significant vulnerability, called AutoSpill, affecting the Android autofill function as used by popular password managers. It lets a hosting app capture the credentials that a password manager autofills into a WebView inside that app. Password managers such as 1Password, LastPass, Enpass, Keeper, and Keepass2Android are vulnerable, along with Dashlane and Google Smart Lock when a JavaScript injection method is used. While there is no evidence of exploitation in the wild, the researchers warn that the implications of AutoSpill are serious. The affected password managers and the Android security team have been informed, and fixes are being developed.

Security Alert: Android Password Managers Vulnerable to AutoSpill Attack
technology · 2 years ago

Researchers have discovered a new attack called AutoSpill that can steal account credentials from Android password managers during the autofill process. The attack exploits weaknesses in Android's autofill framework, allowing a rogue app to capture autofilled credentials without detection. Most password managers on Android are vulnerable to AutoSpill, even without JavaScript injection. The researchers have disclosed their findings to the impacted software vendors and Android's security team, but no details of fixing plans have been shared yet. Some password management providers, such as 1Password, LastPass, and Keeper, have acknowledged the issue and are working on fixes. Google recommends that third-party password managers follow best practices to distinguish native views from WebViews and warn users when a password is being entered for a domain not owned by the hosting app.

Beware: Password Managers May Expose Your Credentials
technology · 2 years ago

Researchers have discovered a vulnerability in the WebView autofill mechanism used by many Android apps that can expose credentials held by mobile password managers. The flaw, known as "AutoSpill," allows a malicious app to capture the credentials of unsuspecting Android users and gain access to sensitive accounts. Popular mobile password managers such as LastPass, 1Password, Enpass, and Keeper were found to be vulnerable to credential leakage. While Google is working on a fix, most vendors deferred the problem to Google, except for 1Password, which promised a fix of its own. The researchers suggest that the best long-term solution is to move away from passwords and adopt passwordless authentication.
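The AutoSpill summaries above all turn on one decision: which credentials an autofill service should hand to a field, and whether to do so silently. The following is an added example, not code from the articles, from Google or from any password-manager vendor, of that decision written in the form Google's recommendation describes: native fields get only the hosting app's own sites, a WebView showing a site the app is associated with is treated the same, and a WebView showing any other site gets an explicit confirmation naming both the site and the app. The package names, domains, vault entries and function names are constructed assumptions; the association table stands in for verified Digital Asset Links statements, and a real implementation would live in the Android autofill service rather than in JavaScript.

```javascript
// Added example, not from the articles, from Google or from any vendor.
// Names, domains and vault entries are constructed assumptions.

// Constructed table of app -> associated domains, in the spirit of Digital
// Asset Links (assetlinks.json). A real service would fetch and verify these
// statements rather than hold them in memory.
const ASSOCIATED_DOMAINS = new Map([
  ["com.example.shop", ["example.com"]],
  ["com.example.news", ["news.example.org"]],
]);

// Constructed vault entries, keyed by the site they were saved for.
const VAULT = [
  { site: "login.example.com", username: "alice", password: "hunter2" },
  { site: "bank.example.net", username: "alice", password: "s3cret" },
];

function matchesDomain(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Host of the page loaded in the WebView; null for anything that is not https,
// which also rejects javascript:, data: and malformed URLs.
function httpsHostOf(url) {
  try {
    const u = new URL(url);
    if (u.protocol !== "https:") return null;
    return u.hostname.toLowerCase().replace(/\.$/, "");
  } catch {
    return null;
  }
}

function entriesForHost(host) {
  return VAULT.filter(e => matchesDomain(host, e.site));
}

// request: { packageName, viewKind: "native" | "webview", webUrl? }
// returns:  { action: "fill" | "confirm" | "none" | "deny", entries, warning }
function decideAutofill({ packageName, viewKind, webUrl }) {
  const owned = ASSOCIATED_DOMAINS.get(packageName) || [];

  if (viewKind === "native") {
    // A native field belongs to the app itself: offer only the app's own sites.
    const entries = VAULT.filter(e => owned.some(d => matchesDomain(e.site, d)));
    return { action: entries.length ? "fill" : "none", entries, warning: null };
  }

  if (viewKind === "webview") {
    const host = httpsHostOf(webUrl);
    if (!host) {
      return { action: "deny", entries: [], warning: "WebView has no https origin" };
    }
    const entries = entriesForHost(host);
    if (!entries.length) return { action: "none", entries, warning: null };
    if (owned.some(d => matchesDomain(host, d))) {
      // The app owns the site it is showing: behave as for a native field.
      return { action: "fill", entries, warning: null };
    }
    // AutoSpill case: the hosting app can read whatever lands in this WebView,
    // so credentials for a site it does not own are never filled silently.
    return {
      action: "confirm",
      entries,
      warning: `Fill ${host} credentials into a page hosted by ${packageName}?`,
    };
  }

  return { action: "deny", entries: [], warning: "unknown view kind" };
}
```

The "confirm" branch is the one the research asks for: the user is told which site's credentials are about to be released and which app will be able to read them, instead of the fill happening on the strength of the WebView's URL alone.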

Passkey Support Goes Mainstream with 1Password and WhatsApp
technology · 2 years ago

Password manager 1Password has announced the general availability of passkey support, a login technology that replaces passwords with credentials unlocked by the authentication built into the user's own device. Users can now create, manage, and sign in to supported websites with passkeys via 1Password's mobile apps and browser extensions. The update does not yet let users replace the master password with a passkey, but that feature is expected later this year. Passkeys rely on the device's authentication methods, such as Face ID or fingerprint sensors, and are built on the WebAuthn standard. Because passkeys are tied to a device, backup options are provided in case of loss or damage. Other password managers and platforms have also added passkey support, but 1Password's Universal Sign On is touted as superior for its cross-platform compatibility and syncing.