
Your Password Isn’t as Safe as You May Think

16 August 2018

Researchers from Aalto University and the University of Helsinki have found that password managers aren’t as safe as people think. The team found that over 10 computer security credentials are vulnerable to insider cyber-attacks. These vulnerabilities were found in security managers that are used every day by millions of people to store their private login information. There were also vulnerabilities found in other apps that run on Windows, macOS and Linux.

Personal computers are vulnerable to internal hacks.

The average password manager has two parts. The first part is the password vault, where the passwords are stored. The second part is an extension that is linked to the internet browser. The two parts run as separate processes on the same computer and use inter-process communication (IPC) to exchange data, which remains on that computer.

IPC is typically thought of as safe because it protects against outside attacks. But it doesn’t protect against internal attacks from other processes that run on the same computer. A malicious process could be started, and the user who started it could then access data in the same IPC channel.

"Many security-critical applications, including several password managers, do not properly protect the IPC channel. This means that other users' processes running on a shared computer may access the communication channel and potentially steal users' credentials," explains Thanh Bui, a doctoral candidate at Aalto University.
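As an added example (not code from the researchers or from any password manager), this is one way a vault process on Linux can restrict its local IPC channel to its own user: it places a Unix domain socket in an owner-only directory and asks the kernel for the connecting process's UID before releasing anything. The socket name, function names and sample secret are assumptions made up for this example, and `SO_PEERCRED` is Linux-specific.

```python
import os
import socket
import struct
import tempfile

UCRED = struct.Struct("iII")  # Linux struct ucred: pid, uid, gid

def open_private_listener():
    """Bind a Unix socket inside a directory only the owner can enter."""
    directory = tempfile.mkdtemp(prefix="vault-ipc-")  # mkdtemp uses mode 0700
    path = os.path.join(directory, "vault.sock")       # hypothetical socket name
    listener = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    listener.bind(path)
    os.chmod(path, 0o600)  # the 0700 parent already blocks other users
    listener.listen(1)
    return listener, path

def peer_uid(conn):
    """Ask the kernel which UID owns the process on the other end."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, UCRED.size)
    _pid, uid, _gid = UCRED.unpack(raw)
    return uid

def handle_client(conn, allowed_uid, secret):
    """Release the secret only to a peer running as the vault owner."""
    if peer_uid(conn) != allowed_uid:
        conn.sendall(b"DENIED")
        return False
    conn.sendall(secret)
    return True

def exchange(allowed_uid, secret=b"constructed-sample-password"):
    """One vault/extension round trip; returns what the client received."""
    listener, path = open_private_listener()
    client = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        client.connect(path)  # queued in the listen backlog until accept()
        conn, _ = listener.accept()
        with conn:
            handle_client(conn, allowed_uid, secret)
        return client.recv(1024)
    finally:
        client.close()
        listener.close()
        os.unlink(path)
        os.rmdir(os.path.dirname(path))

if __name__ == "__main__":
    # Vault owned by the caller, then by a different (constructed) UID.
    print(exchange(os.getuid()), exchange(os.getuid() + 1))
```

The second call simulates a vault that belongs to another account on the same machine: the connection itself succeeds, but the UID check refuses to hand over the secret.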

While one computer might be assumed to be a personal, safe computer, every computer could have multiple users. In large companies normally more than one person uses a computer. Large companies use a centralized identity within an access management system so employees can log into any computer in the company and have all of their saved information available on that computer. While this is very convenient, it also leaves computers vulnerable to an internal attack by any user.

"The number of vulnerable applications shows that software developers often overlook the security problems related to inter-process communication. Developers may not understand the security properties of different IPC methods, or they place too much trust in software and applications that run locally. Both explanations are worrisome," says Markku Antikainen, a post-doctoral researcher at the University of Helsinki.

The paper on this research is available at the Usenix Conference website.

To contact the author of this article, email engineering360editors@globalspec.com

