GENEVA: Keeping track of password requirements such as a mix of upper and lower case letters, numbers, special characters and more – not only to be remembered but to be changed every few months – is a tall order, not least as platforms urge users to ensure each password is unique.

This headache has opened the door to password manager services promising users secure cloud-based storage for their many login credentials behind one password-protected gateway, usually an encrypted "vault."

But now these password managers have been found to be "less secure than promised," according to the Federal Institute of Technology (ETH) Zurich, where researchers worked with colleagues from Università della Svizzera italiana in Lugano to test three popular platforms.

The team found "serious security vulnerabilities" that meant they were "able to view and even make changes to stored passwords."

Some of the systems appeared to rely on 1990s-era cryptography, potentially making them easy prey for hackers using up-to-date software.

"Such attacks do not require particularly powerful computers or servers – just small programs capable of impersonating the server," said ETH’s Matteo Scarlata.

"Due to the large amount of sensitive data they contain, password managers are likely targets for experienced hackers who are capable of penetrating the servers and launching attacks from there," said Kenneth Paterson, professor of computer science at ETH Zurich.

The researchers said they contacted the providers to give them 90 days to fix the newly discovered vulnerabilities before publishing their findings.

Some of the platforms appeared hesitant about updating their protections for fear they could cut their customers  – which include thousands of companies as well as individuals – off from their passwords amid such revamps.

"For the most part, the providers were cooperative and appreciative, but not all were as quick when it came to fixing the security vulnerabilities," said Paterson. – dpa