Password managers are considered a digital vault for sensitive data. However, researchers at ETH Zurich have now shown that the promised security is not absolute. Even encrypted password managers can be attacked under certain conditions.

Millions of people rely on the services of password managers to protect sensitive data. Manufacturers promise that the stored passwords are securely encrypted. A research team from ETH Zurich has now been able to show that this is not true.

Anyone who regularly uses online services quickly accumulates hundreds of passwords, wrote Samuel Schlaefli for ETH News on Monday. Remembering them all is difficult, so millions of people count on the help of a password manager.

Convenience instead of security

All of a user's other passwords are stored behind a single master password in a so-called vault. This simplifies access to sensitive data, such as bank accounts or online payment methods like credit cards, and it also makes password managers an attractive target for hacker attacks, said Kenneth Paterson, computer science professor at ETH Zurich.

Providers of password managers promise absolute security: the data is so well encrypted that even they have no access to it. Researchers at ETH Zurich have now been able to show that the encrypted data is not unreadable.

"The promise is that even if someone can access the server, this does not pose a security risk for customers," said Matilda Backendal from the Università della Svizzera italiana in Lugano. "We have now been able to show that this is not true."

Backendal carried out the study together with Matteo Scarlata, Kenneth Paterson and Giovanni Torrisi from the Applied Cryptography Research Group at the Institute for Information Security at ETH Zurich.

An ultimatum of ninety days

The research team was able to demonstrate attacks on the password managers of three popular providers - Bitwarden, LastPass and Dashlane - whose services are used by around sixty million people worldwide. "We were surprised at how big the security gaps are," said Paterson.

The research team gave the providers of the hacked systems 90 days to close the security gaps. The manufacturers were cooperative, although not all were equally quick to fix the vulnerabilities.

On Monday, the researchers presented concrete proposals for better protection of the systems.