Many people use password managers because most users have between 100 and 200 passwords and cannot remember them all. Cloud-based managers let users reach their passwords from different devices and share them with family members. Security is critical because these services store sensitive data, including online banking and credit card logins, in encrypted vaults.
Researchers from the Applied Cryptography Group at ETH Zurich studied three popular cloud-based password managers. They set up servers that acted like hacked servers and tested a malicious server threat model. The team demonstrated several attacks that could let an attacker see or change users' passwords. The attacks often used simple actions users normally perform, such as logging in, opening the vault, viewing passwords, or synchronising data.
The researchers followed responsible disclosure and contacted providers before publishing, and they gave the companies 90 days to fix the vulnerabilities. Recommendations include updating systems, offering migration choices for existing customers, and being transparent. Users should prefer managers that undergo external audits and have end-to-end encryption enabled by default.
Difficult words
- password manager (password managers) — A tool that stores many login details.
- cloud-based — A service that runs on internet servers.
- encrypt (encrypted) — To change data so others cannot read it.
- vault (vaults) — A secure place to keep digital passwords.
- vulnerability (vulnerabilities) — A weakness that attackers could use.
- synchronise (synchronising) — To make data the same on different devices.
Discussion questions
- Do you use a password manager? Why or why not?
- What would make you trust a cloud-based password manager?
- How many passwords do you have, and how do you remember them?