Not surprisingly, malware is starting to target password managers more often. What does it mean for password manager users? Should they still use password managers even though they represent a critical single-point-of-failure, where one compromise and every stored password is likely to be compromised?
Yes, and here’s why.
Although password managers have been around for decades, they are only now really starting to pick up steam. The password manager global market value was calculated at $2B in 2022, but is expected to be a $6B-$7.8B market in the coming years. Many long-time cybersecurity experts now use and recommend using password managers. They make it easy to create and use strong passwords that are unique for every site (and service, application, etc.).
A password manager stores all your passwords in what is often called a vault. A vault is usually just a regular computer file, but it can be a database file or a few other formats. The file is usually stored on the device where the password manager is installed, but on some password managers, the vault can be located somewhere else (e.g., removable media, etc.). Stored passwords may be replicated to other non-local storage areas, such as at the vendor’s site or a cloud storage. No matter how a password manager stores the passwords, they are all accessible from the program.
If a password manager gets compromised, then an attacker has the ability to access all the stored passwords at once, instead of perhaps only learning one or a few passwords right away (using observation or keylogging trojans) as the user types them in. Password managers have always been hotly debated among practitioners over whether they are worth the risk. Are the big risks they offset (e.g., weak and reused passwords) worth the potentially catastrophic single-point-of-failure risk?
It has been widely anticipated by cybersecurity experts that as password managers become more popular, hackers and the malware they create would more often target password managers. It is no surprise. Hackers always target what becomes more popular. This appears to be happening in a significant way right now. Mark early 2023 as the year when password managers started to be targeted much more often.
Malware Targeting Password Managers
Malware targeting password managers is nothing new. In 2014, the Citadel trojan, which was estimated to have exploited one in every 500 PCs worldwide, keylogged password manager master passwords as users typed them in to open their password managers.
So even nearly a decade ago, a whole lot of PCs had password manager-targeting malware, but only 1% of users employed password managers back then. And even then, the malware did not automatically steal all the passwords stored in the targeted password manager. The malware simply stole the master password to the password manager, which the hacker could then use later on if they wanted to.
But the rising popularity of password managers started in 2022 and is changing the default nature of password stealing trojans, causing them to evolve. We are seeing more password stealing trojans directly targeting password managers and it is popular enough to even show up in Google ads. In a series of 2023 attacks, malicious Google ads tried to social engineer Bitwarden password manager users into revealing their master passwords on fake websites. Other malicious ads targeted 1Password users by using the same social engineering trick.
But that is simply traditional password social engineering, which has been going on since the beginning of the Internet. The more interesting malware programs are trojans which target the locally installed password manager software itself. Malware that targeted password manager software directly started first by only targeting one or a few popular password managers.
For example, Arkei Infostealer targeted only a single password manager, Trezor (along with some MFA options). Raccoon Stealer (available since 2019) was recently updated to target two password managers: Bitwarden and 1Password.
But increasingly, first starting in 2022 and accelerating more in 2023, malware is more directly targeting far more password managers. For example, the Stealc information stealing trojan is targeting 13 different password managers:
- Zoho Vault
Not to be outdone, the Luca Stealer trojan looks for 17 different password managers:
- EOS Auth
- Zoho Vault
Still, these password manager-targeting trojans are not getting all of your stored passwords all at once. All of these password manager-targeting trojans work by eavesdropping on the password manager’s browser extension in action, meaning the trojans intercept passwords as they are used by the user who is utilising the password manager. Passwords are stolen one-at-a-time as the user uses them and not all the stored passwords are gone at once. I still have not seen the password manager-targeting trojan that looks for the actual password manager, steals or bypasses its master password, and then exports all the stored passwords at once. But surely, it is coming.
Also, be aware, many malware programs also readily harvest any information copied to an operating system clipboard, such as many password manager users do when copying and pasting passwords from a password manager to a login screen (if the password manager does not have auto-fill capabilities or does not work with a particular login screen).
The key takeaway is that most password-stealing malware targets passwords as users type them in or focus on exporting passwords stored in browsers, and those are still the dominant forms. But there is absolutely an increase in malware that is not only targeting standalone password managers, but also targeting more password managers at once.
The trend of malware that targets password managers will only continue to rise over time, as more and more users start to use them. Expect all the traditional password-stealing malware that used to only key log or steal passwords from browsers to expand into stealing passwords from password managers. All traditional password stealing trojans will have to pick up this functionality or be left behind by the competition.
Should You Still Use a Password Manager?
Yes! The huge risks that password managers mitigate (that of weak and/or shared passwords) far outweigh the risk of a user’s password manager being compromised. Yes, we are seeing more password manager-targeting malware, but the way in which the malware compromises password managers would be equally harmful to the user even if no password manager were used.
Almost all password-stealing trojans, of which there are many, require that the user’s desktop be “locally” compromised, and in most cases, the user’s browser also be compromised. The malware then records passwords as the user uses them. This keylogging functionality is usually identical regardless of whether a password manager is involved or not. The risk of the user’s individual password being stolen as the user uses it is the same whether a password manager is used or not. And if the user is using a password manager, at least they are mitigating the two bigger risks of using a password (i.e., weak and shared passwords).
While it is true that automated password-stealing malware steals passwords one at a time, as they are used by the user, is it not true that a hacker, in real time, could compromise the entire password manager and extract all the stored passwords at once?
Yes. But the number of manual password-stealing hackers is a tiny fraction of what is stolen by automated password trojans every day. And in any case, a hacker or their malware could simply keylog all passwords used by the user over time and get all of them anyway. This is true whether the user is using a password manager or not.
There is an increased risk that a manual hacker could extract all stored passwords all at once over and beyond what automated malware currently does, but again, manual, human adversaries are but a fraction as compared to the automated stuff. And the hacker can only extract the passwords if your password manager is open and unlocked, further mitigating the risk.
Defences Against Password Manager-Targeting Malware
The clear number one answer is to not get socially engineered into installing a password-stealing trojan. Nearly all password-stealing trojans get installed by an end user getting tricked into running something they should not have opened or executed. Seventy to ninety percent of all successful hacking happens because of social engineering. Do not get tricked into installing trojan horse programs and the odds of your computer having a password-stealing trojan activated are greatly reduced.
The second most likely way you are to end up with a password-stealing trojan on your computer (and it is a distant second) is due to unpatched software. Make sure you check for and install all critical patches, especially if the vulnerability appears on CISA’s Known Exploited Vulnerabilities Catalog. This is the list of software and firmware bugs that real-world attackers are using against real-world companies, and it is where patching high-risk software matters the most. Make sure you patch it.
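To make that KEV check concrete, here is an added example (not code from the original post) that reads data in the layout of CISA's KEV JSON feed and flags the entries matching a software inventory, most urgent first. The KEV entries, CVE numbers and inventory below are constructed placeholders; the real catalog is published at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json.

```python
import json
from datetime import date

# Constructed sample in the CISA KEV JSON layout. The field names match the
# real feed; the entries and "CVE-0000-*" IDs are placeholders, not real bugs.
SAMPLE_KEV = json.dumps({
    "title": "constructed sample",
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleBrowserCo",
         "product": "ExampleBrowser", "dateAdded": "2023-02-01",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2023-02-22", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVaultCo",
         "product": "ExampleVault Browser Extension", "dateAdded": "2023-03-10",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2023-03-31", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-0003", "vendorProject": "OtherCo",
         "product": "Unrelated Server", "dateAdded": "2023-01-05",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2023-01-26", "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Hypothetical inventory of what is installed: (vendor, product) pairs.
INVENTORY = [("ExampleBrowserCo", "ExampleBrowser"), ("ExampleVaultCo", "ExampleVault")]

def kev_matches(kev_json, inventory, today):
    """Return KEV entries whose vendor/product match the inventory.

    Vendor must match exactly (case-insensitive); the inventory product is
    treated as a substring of the KEV product field, because KEV names often
    carry qualifiers such as "... Browser Extension". Each hit records whether
    CISA's due date has already passed as of `today` (ISO date string).
    """
    entries = json.loads(kev_json)["vulnerabilities"]
    wanted = [(v.lower(), p.lower()) for v, p in inventory]
    now = date.fromisoformat(today)
    hits = []
    for e in entries:
        vend, prod = e["vendorProject"].lower(), e["product"].lower()
        if any(vend == v and p in prod for v, p in wanted):
            hits.append({"cve": e["cveID"], "product": e["product"],
                         "due": e["dueDate"],
                         "overdue": now > date.fromisoformat(e["dueDate"]),
                         "ransomware": e["knownRansomwareCampaignUse"] == "Known"})
    # Triage order: overdue first, then known ransomware use, then earliest due date
    hits.sort(key=lambda h: (not h["overdue"], not h["ransomware"], h["due"]))
    return hits

if __name__ == "__main__":
    for hit in kev_matches(SAMPLE_KEV, INVENTORY, "2023-03-15"):
        print(hit)
```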
Next, use phishing-resistant MFA or passwordless options when and where you can. Use them not only to protect your password manager (instead of relying on a master password alone), but on all your most important sites and services. Unfortunately, if you added up all the possible MFA and passwordless authentication solutions together, they could not be used on more than 2% of the world’s websites and services. So, generally, you are going to need to use passwords.
With that said, use a good password manager with a vendor that has a true commitment to security, to create and use strong passwords. You are far more likely to get compromised by using weak or shared passwords (the number three reason why computers are compromised) than because you used a password manager. And if your computer gets compromised by a trojan horse program, whether you do or do not use a password manager is not going to matter. So, use a password manager to mitigate the two biggest risks of using passwords (i.e., weak and/or shared passwords).