COVID-19: Threats are accelerating against home offices. All plans are 50% off, or free for customers in the medical supply chain. Reach out if you need help.

New Threat: Research Highlights Limitations of Password Managers

Password managers can be easily accessed or hacked


Login credentials stored with password managers can be easily accessed or hacked


A research team at the University of York has exposed severe flaws in nearly half of the password managers it tested. The researchers created a malicious app mimicking a legitimate Google app and presented it to various password managers to see if they would fall for the lookalike and present the user’s password. The app managed to trick 40% of the password managers into presenting the password.




The weak links in password managers are the security of the master password which controls access to all of the passwords stored in the manager, and the password manager’s ability to detect whether or not an application was a legitimate one to display a password for.  

If there is no limit to the number of attempts allowed on the master password, then hackers can use software to brute force your password.  One of the advantages of a password manager is its ease and intuitive use, but it may be forgiving and accept attempts of illegitimate websites that resemble legitimate ones seeking access to passwords. 


As the number of applications users interact with continue to grow, and the need for stronger password security increasingly evident, users are turning to password managers to maintain their login credentials across applications.  At the same time, password managers are becoming a larger target for hackers. If a user’s password manager is revealed, hackers have access to the user’s password across applications and accounts, such as financial services, communications, and personal content. 


There is a place for password managers. However, users need to ensure that they include a feature that limits the number of attempts allowed on the main password so that the main password cannot be brute forced in a few hours.  Also, they need to be vigilant that they are downloading legitimate applications and accessing legitimate websites so that the password manager does not present passwords to illegitimate websites and applications. 

Havoc Shield is a Techstars Company

© 2020, Havoc Shield, Inc. All Rights Reserved.