
Mainstream android password managers have had critical security flaws !!UPDATE THEIR APPS ASAP!!

Source

 

The German-based infosec team Team SIK has released a devastating report which points out big security flaws in mainstream password manager apps for Android. According to their own site, the vendors have updated their apps to mitigate these exploits.

Quote

Applications vendors advertise their password manager applications as “bank-level” or “military-grade” secure. However, can users be sure that their secrets are actually stored securely? Despite the vendors’ claims, is it nevertheless possible to obtain access to the stored credentials?

 

In order to answer these questions, we performed a security analysis on the most popular Android password manager applications from the Google Play Store based on download count. The overall results were extremely worrying and revealed that password manager applications, despite their claims, do not provide enough protection mechanisms for the stored passwords and credentials. Instead, they abuse the users' confidence and expose them to high risks.

 

We found several implementation flaws resulting in serious security vulnerabilities. Some applications stored the entered master password in plaintext or implemented hard-coded crypto keys in the program code.

They decided which apps to test by choosing the most popular ones based on download count from the Google Play Store.

 

Quote

All of our 26 findings are provided in detail in the following:

!! Update 2017-03-01: All reported vulnerabilities are fixed by the vendors !!

 

MyPasswords (App-Link)

    SIK-2016-019: Read Private Data of My Passwords App
    SIK-2016-020: Master Password Decryption of My Passwords App
    SIK-2016-043: Free Premium Features Unlock for My Passwords

 

Informaticore Password Manager (App-Link)

    SIK-2016-021: Insecure Credential Storage in Mirsoft Password Manager

LastPass Password Manager (App-Link)

    SIK-2016-022: Hardcoded Master Key in LastPass Password Manager
    SIK-2016-023: Privacy, Data leakage in LastPass Browser Search
    SIK-2016-024: Read Private Date (Stored Masterpassword) from LastPass Password Manager

 

Keeper Passwort-Manager (App-Link)

    SIK-2016-025: Keeper Password Manager Security Question Bypass
    SIK-2016-026: Keeper Password Manager Data Injection without Master Password

 

F-Secure KEY Password Manager (App-Link)

    SIK-2016-027: F-Secure KEY Password Manager Insecure Credential Storage

Dashlane Password Manager (App-Link)

    SIK-2016-028: Read Private Data From App Folder in Dashlane Password Manager
    SIK-2016-029: Google Search Information Leakage in Dashlane Password Manager Browser
    SIK-2016-030: Residue Attack Extracting Masterpassword From Dashlane Password Manager
    SIK-2016-031: Subdomain Password Leakage in Internal Dashlane Password Manager Browser

 

Hide Pictures Keep Safe Vault (App-Link)

    SIK-2016-032: Keepsafe Plaintext Password Storage

 

Avast Passwords (App-Link)

    SIK-2016-033: App Password Stealing from Avast Password Manager
    SIK-2016-034: Vendor is still working on it…
    SIK-2016-035: Insecure Default URLs for Popular Sites in Avast Password Manager
    SIK-2016-036: Vendor is still working on it…
    SIK-2016-037: Broken Secure Communication Implementation in Avast Password Manager
    SIK-2016-054: Vendor is still working on it…

 

1Password – Password Manager (App-Link)

    SIK-2016-038: Subdomain Password Leakage in 1Password Internal Browser
    SIK-2016-039: Https downgrade to http URL by default in 1Password Internal Browser
    SIK-2016-040: Titles and URLs Not Encrypted in 1Password Database
    SIK-2016-041: Read Private Data From App Folder in 1Password Manager
    SIK-2016-042: Privacy Issue, Information Leaked to Vendor 1Password Manager

 

This is very worrying, to say the least.


I'm not into it, too mainstream.

- ASUS X99 Deluxe - i7 5820k - Nvidia GTX 1080ti SLi - 4x4GB EVGA SSC 2800mhz DDR4 - Samsung SM951 500 - 2x Samsung 850 EVO 512 -

- EK Supremacy EVO CPU Block - EK FC 1080 GPU Blocks - EK XRES 100 DDC - EK Coolstream XE 360 - EK Coolstream XE 240 -


10 minutes ago, goodtofufriday said:

This is why I swear that password managers are the most stupid idea ever.

Yeah, it's just an easy listing of all of your passwords. If only those crappy non internet connecting password bank deals were more convenient.

- ASUS X99 Deluxe - i7 5820k - Nvidia GTX 1080ti SLi - 4x4GB EVGA SSC 2800mhz DDR4 - Samsung SM951 500 - 2x Samsung 850 EVO 512 -

- EK Supremacy EVO CPU Block - EK FC 1080 GPU Blocks - EK XRES 100 DDC - EK Coolstream XE 360 - EK Coolstream XE 240 -


24 minutes ago, tlink said:

Source

 

The German-based infosec team Team SIK has released a devastating report which points out big security flaws in mainstream password manager apps for Android. According to their own site, the vendors have updated their apps to mitigate these exploits.

They decided which apps to test by choosing the most popular ones based on download count from the Google Play Store.

 

This is very worrying, to say the least.

 

Why do people use password managers in the first place?


11 minutes ago, goodtofufriday said:

This is why I swear that password managers are the most stupid idea ever.

The problem is, what is the alternative? Passwords that are easy to remember for humans are easy to crack for computers, that's just the reality of it. I have more than 50 if not 100 different accounts on different websites, not to mention that you should change them every 6 months for banks and government stuff. I can't remember all of those.


21 minutes ago, goodtofufriday said:

This is why I swear that password managers are the most stupid idea ever.

keeping them on a phone, yeah .. that's beyond retarded

but in your home, not on a travel laptop - it's convenient

 

the alternative would be to

  • have mostly the same password on all sites
  • have a notepad in a safe bolted to the floor/wall; too heavy to carry, too complicated to break into

Damn, good job I use Google Keep for my passwords.

Not really, I remember all of them.

Intel i5-6600K@4.2GHz, 16GB Crucial DDR4-2133, Gigabyte Z170X-UD3, Be quiet shadow rock slim, Sapphire RX 480 Nitro+ OC, Fractal design Integra M 550W, NZXT S340, Sandisk X110 128GB, WD black 750GB, Seagate momentus 160GB, HGST 160GB


17 minutes ago, <Aleks> said:

Why do people use password managers in the first place?

When you have a large number of accounts with a varying array of passwords, it becomes troublesome to keep track of them all. Unfortunately, the same aspect that yields its convenience is also a fatal flaw of password managers, in that you now have a single point of failure.

My eyes see the past…

My camera lens sees the present…


12 minutes ago, zMeul said:

keeping them on a phone, yeah .. that's beyond retarded

but in your home, not on a travel laptop - it's convenient

 

the alternative would be to

  • have mostly the same password on all sites
  • have a notepad in a safe bolted to the floor/wall; too heavy to carry, too complicated to break into

This is one of those times I have to agree with you. I do something similar... All my accounts made in a certain time frame have the same password, but 9/10 times it's mostly games I couldn't care less about, while stuff like Steam, Origin and Uplay all have passwords I can't remember.

CPU: Intel i7 7700K | GPU: ROG Strix GTX 1080Ti | PSU: Seasonic X-1250 (faulty) | Memory: Corsair Vengeance RGB 3200Mhz 16GB | OS Drive: Western Digital Black NVMe 250GB | Game Drive(s): Samsung 970 Evo 500GB, Hitachi 7K3000 3TB 3.5" | Motherboard: Gigabyte Z270x Gaming 7 | Case: Fractal Design Define S (No Window and modded front Panel) | Monitor(s): Dell S2716DG G-Sync 144Hz, Acer R240HY 60Hz (Dead) | Keyboard: G.SKILL RIPJAWS KM780R MX | Mouse: Steelseries Sensei 310 (Striked out parts are sold or dead, awaiting zen2 parts)


21 minutes ago, tlink said:

The problem is, what is the alternative? Passwords that are easy to remember for humans are easy to crack for computers, that's just the reality of it. I have more than 50 if not 100 different accounts on different websites, not to mention that you should change them every 6 months for banks and government stuff. I can't remember all of those.

Random password generator, a pen and paper and a safe.


23 minutes ago, mynameisjuan said:

Random password generator, a pen and paper and a safe.

How about 1 or 2 pages with just usernames (depending on how many sites you have an account on) and several more pages full of randomly generated passwords, printed as regular text as well as barcode. 

 

That way you can use a barcode scanner to enter your randomly generated long passwords and only need to keep a text file that (for example) says:

LTT : u= 1-2-7, p= 3-3-4

YT : u=1-1-4, p= 4-1-2

etc etc, where the numbers stand for page-column-line.

Then if a password is compromised you simply change to another one, grab a pen and draw a line through the barcode on the paper so you know that one can't be used anymore. 

 

As for generating a random password, it's hard to beat GRC's random password generator.

 

 

 

Sure, with a barcode scanner you can't enter the passwords on a phone, so you're going to have to either type them manually or import the ones you need in a text file, copy-paste to your browser and then tell it to remember the password.


43 minutes ago, TidaLWaveZ said:

Yeah, it's just an easy listing of all of your passwords. If only those crappy non internet connecting password bank deals were more convenient.

 

32 minutes ago, zMeul said:

keeping them on a phone, yeah .. that's beyond retarded

but in your home, not on a travel laptop - it's convenient

 

the alternative would be to

  • have mostly the same password on all sites
  • have a notepad in a safe bolted to the floor/wall; too heavy to carry, too complicated to break into

 

I don't disagree with either of you. But password managers are just a band-aid for the problem that people use simple passwords. And this also creates a single point of failure for all your accounts.

Unless you have 32-64 character randomized passwords, then a manager is just bad security.

Convenient, sure.

 

I personally have 7 different 10-character passwords that I occasionally cycle out.

 

At minimum I think all sites should have password expiry periods.

CPU: Amd 7800X3D | GPU: AMD 7900XTX


5 minutes ago, goodtofufriday said:

 

 

I don't disagree with either of you. But password managers are just a band-aid for the problem that people use simple passwords. And this also creates a single point of failure for all your accounts.

Unless you have 32-64 character randomized passwords, then a manager is just bad security.

Convenient, sure.

 

I personally have 7 different 10-character passwords that I occasionally cycle out.

 

At minimum I think all sites should have password expiry periods.

I was agreeing that they are stupid; I didn't really word it well, so it sounded like I was defending its convenience.

 

I meant that it was dangerous to have a list of all your passwords in one place; it makes it easier for an intruder, who already has a password list compiled for them. Just think when someone finally gets access and remotes into your computer and they see a Password Manager icon... BINGO!

- ASUS X99 Deluxe - i7 5820k - Nvidia GTX 1080ti SLi - 4x4GB EVGA SSC 2800mhz DDR4 - Samsung SM951 500 - 2x Samsung 850 EVO 512 -

- EK Supremacy EVO CPU Block - EK FC 1080 GPU Blocks - EK XRES 100 DDC - EK Coolstream XE 360 - EK Coolstream XE 240 -


http://keepass.info


The best tools don't need a flashy page and marketing to prove they're the best.

Runs on everything, no middle man, open source.

One day I will be able to play Monster Hunter Frontier in French/Italian/English on my PC, it's just a matter of time... 4 5 6 7 8 9 years later: It's finally coming!!!

Phones: iPhone 4S/SE | LG V10 | Lumia 920 | Samsung S24 Ultra

Laptops: Macbook Pro 15" (mid-2012) | Compaq Presario V6000

Other: Steam Deck

<>EVs are bad, they kill the planet and remove freedoms too some/<>


Still quite pleased I chose not to use Android.


I am a Moderator, but I am fallible. Discuss or debate with me as you will but please do not argue with me as that will get us nowhere.


Character is like a Tree and Reputation like its Shadow. The Shadow is what we think of it; The Tree is the Real thing.  ~ Abraham Lincoln

Reputation is a Lifetime to create but seconds to destroy.

You have enemies? Good. That means you've stood up for something, sometime in your life.  ~ Winston Churchill

Docendo discimus - "to teach is to learn"


And this is why you should never use password keepers...

****SORRY FOR MY ENGLISH IT'S REALLY TERRIBLE*****

Been married to my wife for 3 years now! Yay!


Well, that sucks though.

| Ryzen 7 7800X3D | AM5 B650 Aorus Elite AX | G.Skill Trident Z5 Neo RGB DDR5 32GB 6000MHz C30 | Sapphire PULSE Radeon RX 7900 XTX | Samsung 990 PRO 1TB with heatsink | Arctic Liquid Freezer II 360 | Seasonic Focus GX-850 | Lian Li Lanccool III | Mousepad: Skypad 3.0 XL / Zowie GTF-X | Mouse: Zowie S1-C | Keyboard: Ducky One 3 TKL (Cherry MX-Speed-Silver)Beyerdynamic MMX 300 (2nd Gen) | Acer XV272U | OS: Windows 11 |


11 hours ago, goodtofufriday said:

 

 

I don't disagree with either of you. But password managers are just a band-aid for the problem that people use simple passwords. And this also creates a single point of failure for all your accounts.

Unless you have 32-64 character randomized passwords, then a manager is just bad security.

Convenient, sure.

 

I personally have 7 different 10-character passwords that I occasionally cycle out.

 

At minimum I think all sites should have password expiry periods.

And when a site gets cracked and passwords exposed, all of a sudden your oh-so-secure 10-character passwords are exposed. And don't go "I just change them", because sites never admit when they've been cracked within a few days of it happening. Having every single site be a unique password is the only secure way to handle websites. Unfortunately it is literally impossible for the human brain to remember all of those unique passwords. I'm fine with a password manager. No one but me touches my phone, my computer, or my laptop. If someone gets physical access to your devices you're screwed regardless. There is no good solution for managing passwords, and every option we pick is insecure in one major way or another. We're trying to find solutions to get around the limitations of our minds, and with no truly good solution we pick what works the best for us on an individual basis.


12 hours ago, tlink said:

The problem is, what is the alternative? Passwords that are easy to remember for humans are easy to crack for computers, that's just the reality of it. I have more than 50 if not 100 different accounts on different websites, not to mention that you should change them every 6 months for banks and government stuff. I can't remember all of those.

I have an algorithm I can perform in my head so I might down a page number of a book and then scramble the letters on the first paragraph as an example

             ☼

ψ ︿_____︿_ψ_   


Hi

I know most people have a lot of accounts and passwords to remember, but I don't know why they use these apps?

They can simply use Google Smart Lock, which is built in to Chrome.

My Google account, Microsoft account and Samsung account are accounts whose passwords I always remember; everything else has a super long password and it's saved in Google Smart Lock, or I log in with my Google account. Even if these don't work, I can reset my password with my email, so

 

((Is there a place for these apps ??))

 


1 hour ago, SCHISCHKA said:

I have an algorithm I can perform in my head so I might down a page number of a book and then scramble the letters on the first paragraph as an example

That does sound very smart. Until now I have just been using the first letter of words in a sentence; the problem is that it's hard to get special characters in there to remember. I bet that as soon as more people start using these techniques the password crackers will just add an algorithm to manipulate rainbow tables to give similar outputs.


2 minutes ago, tlink said:

That does sound very smart. Until now I have just been using the first letter of words in a sentence; the problem is that it's hard to get special characters in there to remember. I bet that as soon as more people start using these techniques the password crackers will just add an algorithm to manipulate rainbow tables to give similar outputs.

If you do some research on the history of encryption, such as the flag systems used in battles, you will get more ideas. You can also use rules from games to generate codes out of ordinary sentences.

             ☼

ψ ︿_____︿_ψ_   
