2025-11-19T13:08:28+00:00

Digital Protection: ESET Analyzes Password Manager Security Risks

ESET warns of six major threats related to password managers, including master password compromise, fake apps, and malware. Experts provide recommendations for data protection.


ESET recommends using secure password managers to protect personal data. With the growing number of online accounts (a 2024 study found that users hold an average of 168 passwords), password managers have become an essential cybersecurity tool. Their popularity, however, has also made them a prime target for cybercriminals.

ESET analyzes six key risks associated with password managers and offers recommendations to mitigate them:

  1. Master Password Compromise. If a cybercriminal obtains the master password, which is the key to the entire password vault, they gain full access to the user's accounts. This can occur through brute-force attacks, exploiting software vulnerabilities, or phishing pages designed to trick the user and steal their information.

  2. Fake Applications. Cybercriminals distribute fake password manager apps, taking advantage of the tools' popularity. These can appear even in usually safe app stores such as Apple's App Store and are designed to steal the master password or to install malware that steals information directly from the user's device.

  3. Password-Stealing Malware. Threat actors develop malware specifically to extract credentials from password managers. For example, ESET's research team detected the InvisibleFerret malware, linked to the North Korea-aligned DeceptiveDevelopment campaign, which was capable of exfiltrating data from managers such as 1Password and Dashlane. It was delivered in files that targets were persuaded to download as part of fake job interviews.

  4. Exploitation of Vulnerabilities. As software, password managers inevitably contain vulnerabilities. If a cybercriminal discovers and exploits these flaws, they can obtain credentials from the vault.

  5. Breaches at the Provider Level. Even password manager providers that invest heavily in security can be attacked. ESET recalls the 2022 LastPass incident, in which attackers compromised an engineer's computer, gained access to the development environment, and stole source code and proprietary technical information.

  6. Phishing Ads and Scams. Attackers buy malicious ads in search engines such as Google to direct victims to fake sites. These sites copy the design of legitimate providers and use lookalike domains (e.g., 'the1password[.]com' instead of '1password.com') to harvest the user's email address, master password, and secret key.
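The lookalike-domain trick in point 6 defeats the check most people make by eye, and it also defeats a naive substring check in code. The following added example (my own illustration, not ESET's code or part of the original article) contrasts the substring mistake with a hostname check that only accepts the exact registrable domain or a subdomain of it. The only real domain used is 1password.com, which the article names; the allow-list, the remaining sample URLs, and the function names are constructed for the demo.

```python
"""Hostname check against lookalike phishing domains (added example).

The allow-list and the sample URLs are constructed for illustration;
the only real domain is 1password.com, named in the article.
"""
from typing import Optional
from urllib.parse import urlsplit

# Constructed allow-list for the example: the registrable domains that
# are allowed to receive the master password.
LEGIT_HOSTS = {"1password.com"}


def naive_check(url: str) -> bool:
    """The mistake: a substring match accepts 'the1password.com',
    '1password.com.evil.example' and even a query-string decoy."""
    return any(h in url for h in LEGIT_HOSTS)


def hostname_of(url: str) -> Optional[str]:
    """Parse the URL and normalise the host: only http(s) counts, the
    userinfo part ('user@') is discarded by urlsplit, the host is
    lower-cased and a trailing dot (FQDN form) is removed."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.lower().rstrip(".")


def is_legit_host(url: str) -> bool:
    """Accept only an exact registrable domain or a subdomain of it.

    A subdomain match requires a '.' boundary, so 'the1password.com'
    (prefix) and '1password.com.evil.example' (suffix) are both rejected.
    """
    host = hostname_of(url)
    if host is None:
        return False
    return any(host == h or host.endswith("." + h) for h in LEGIT_HOSTS)


def scan(urls):
    """Run both checks over a list of URLs; returns {url: (naive, strict)}."""
    return {u: (naive_check(u), is_legit_host(u)) for u in urls}


# Constructed sample URLs: one legitimate login, one legitimate
# subdomain, and four phishing-style lookalikes / decoys.
SAMPLE_URLS = [
    "https://1password.com/signin",
    "https://my.1password.com/",
    "https://the1password.com/signin",
    "https://1password.com.evil.example/",
    "https://1password.com@evil.example/",
    "https://evil.example/?next=https://1password.com",
]

if __name__ == "__main__":
    for url, (naive, strict) in scan(SAMPLE_URLS).items():
        print(f"{url:50} naive={str(naive):5} strict={strict}")
```

Running the block shows the naive check returning True for all six URLs, while the strict check accepts only the first two. This is also the logic a password manager's autofill relies on: it fills credentials only when the page's origin matches the one saved in the vault, which is why refusing to copy and paste a password into a site the manager will not autofill is a cheap phishing defence.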

ESET's Recommendations for Protection:

  • Secure Master Password: Use a long, unique passphrase that you can remember, for example four randomly chosen words separated by hyphens, so that brute-force guessing becomes impractical.
  • Activate 2FA: Always enable two-factor authentication on important accounts, including the password manager account itself.
  • Constant Updates: Keep the password manager software, browsers, and operating systems updated to mitigate the exploitation of vulnerabilities.
  • Legitimate Downloads: Download apps only from official stores and verify the reputation of the developer.
  • Trusted Provider: Choose password managers from recognized and reliable providers.
  • Security Software: Install security software on all devices to mitigate attacks designed for the direct theft of passwords.
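The first recommendation, a four-word passphrase, is only as strong as the randomness of the words and the size of the list they are drawn from. The following added example (my own code, not ESET's and not part of the original article) generates a passphrase with Python's `secrets` module, computes the entropy of a passphrase from a given list size and word count, compares it with a random character password, and estimates how long exhaustive guessing would take. The short word list is constructed for the demo and is far too small for real use; the 7776-word figure is the size of the EFF long word list, and the guess rates are assumed values chosen to contrast a fast hash with a deliberately slow key-derivation function.

```python
"""Master passphrase generation and brute-force cost estimate (added example).

The DEMO_WORDS list is constructed for the demo only; a real generator
should use a large published list (the EFF long list has 7776 words).
Guess rates passed to years_to_exhaust() are assumptions.
"""
import math
import secrets

# Constructed toy word list: 14 entries, far too small for real use.
DEMO_WORDS = [
    "anchor", "basil", "cobalt", "dune", "ember", "falcon", "glacier",
    "harbor", "iris", "juniper", "kettle", "lantern", "marble", "nettle",
]

EFF_LONG_LIST_SIZE = 7776        # 6^5 entries, one per five dice rolls
PRINTABLE_ASCII = 95             # alphabet size of a random character password


def generate_passphrase(words, count=4, sep="-"):
    """Pick `count` words uniformly at random with the `secrets` module.

    `random.choice` is not suitable here: it uses a Mersenne Twister,
    whose internal state can be recovered from observed outputs.
    """
    if count < 1 or len(words) < 2:
        raise ValueError("need at least one word from a list of two or more")
    return sep.join(secrets.choice(words) for _ in range(count))


def passphrase_entropy_bits(list_size, count):
    """Entropy in bits of `count` words drawn uniformly from `list_size`.

    Each word contributes log2(list_size) bits; the fixed separator adds
    nothing. A word the user picks by hand contributes far less than
    log2(list_size), which is why the words must be chosen at random.
    """
    return count * math.log2(list_size)


def password_entropy_bits(alphabet_size, length):
    """Entropy of a uniformly random character password, for comparison."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits, guesses_per_second):
    """Worst-case time to try every candidate at the given guess rate."""
    seconds = 2 ** bits / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def compare(guesses_per_second):
    """Entropy and exhaustive-search time for several passphrase shapes.

    Returns {label: (bits, years)} so the numbers can be checked.
    """
    scenarios = {
        "4 words, 14-word toy list": passphrase_entropy_bits(len(DEMO_WORDS), 4),
        "4 words, EFF long list": passphrase_entropy_bits(EFF_LONG_LIST_SIZE, 4),
        "6 words, EFF long list": passphrase_entropy_bits(EFF_LONG_LIST_SIZE, 6),
        "8 random printable chars": password_entropy_bits(PRINTABLE_ASCII, 8),
    }
    return {k: (bits, years_to_exhaust(bits, guesses_per_second))
            for k, bits in scenarios.items()}


if __name__ == "__main__":
    print("sample passphrase:", generate_passphrase(DEMO_WORDS))
    # Assumed rates: a fast hash on GPUs vs. a slow KDF such as a
    # password manager's vault derivation.
    for rate in (1e10, 1e4):
        print(f"\nat {rate:.0e} guesses/s:")
        for label, (bits, years) in compare(rate).items():
            print(f"  {label:28} {bits:6.1f} bits  {years:14.2e} years")
```

Two things fall out of the numbers: four words from the toy list give about 15 bits, which is gone in under a second at any realistic rate, while four words from the EFF list give about 52 bits, roughly the same as eight random printable characters but much easier to remember. The second point is that the same 52 bits survives about five days at 10^10 guesses per second but over ten thousand years at 10^4, which is the whole reason a password manager runs the master password through a slow key-derivation function before using it to unlock the vault.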

Camilo Gutiérrez Amaya, Head of the ESET Latin America Research Laboratory, emphasizes that password managers remain a key part of cybersecurity best practices, but only if additional precautions are taken.