cross-posted from: https://infosec.pub/post/42164102
Researchers demo weaknesses affecting some of the most popular options
Academics say they found a series of flaws affecting three popular password managers, all of which claim to protect user credentials in the event that their servers are compromised.…
Bitwarden says all issues have already been addressed.
https://bitwarden.com/blog/security-through-transparency-eth-zurich-audits-bitwarden-cryptography/
Yes, although it sounds like they haven’t finished fixing some of them:
All issues have been addressed by Bitwarden. Seven of which have been resolved or are in active remediation by the Bitwarden team. The remaining three issues have been accepted as intentional design decisions necessary for product functionality.
Edit: There’s more information about the specific threats and remediation steps in the PDF report linked at the end of the Bitwarden blog post:
Ah, great, thank you! Carrying on…
I suggest KeePassXC; I like it. You can use it with TOTP too.
Yess!
I store the KeePass vault on my Nextcloud.
On iOS and macOS, I use Strongbox Pro (one-time purchase), as it integrates beautifully into the Apple ecosystem using its APIs.
On Linux and Windows, the free KeePassXC with browser plug-ins.
On Android I use the free KeePassDX which, like Strongbox, uses the Android APIs for passwords.
You take the good, you take the bad, you take them both and there you have The facts of life, the facts of life.
There’s a time you got to go and show You’re growin’ now you know about The facts of life, the facts of life.
When the world never seems to be livin up to your dreams And suddenly you’re finding out the facts of life are all about you, you.
You probably can’t trust anything if it’s compromised
Well, the specific point here is that these companies claim that a server hack won’t reveal your passwords, since they’re encrypted and decrypted on your local device so the server only sees the encrypted version. Apparently this isn’t completely true.
Yeah, the title there really doesn’t reflect the article text. It should be “you probably can’t trust your password manager if the remote servers it uses are compromised”.
Bitwarden. Shit.
These attacks are more around the encryption and all require a fully malicious server. It sounds like Bitwarden is taking these seriously and personally I’d still strongly prefer it to any closed source solution where there could be many more unknown but undiscovered security concerns.
Using a local solution is always most secure, but imo you should first ask yourself if you trust your own security practices and whether you have sufficient hardware redundancy to be actually better. I managed to lose the private key to some Bitcoin about a decade ago due to trying to be clever with encryption and local redundant copies.
Further, with the prevalence of 2FA even if their server was somehow fully compromised as long as you use a different authenticator app than Bitwarden you’re not at major risk anyways. With how poorly the average person manages their password security this hurdle alone is likely enough to stop all but attacks targeted specifically at you as an individual.
I don’t have the self hosting maturity to share my db across my devices yet. I need to get on that.
With vault/bitwarden the client handles that sharing for you.
That’s really disappointing. At least the self-hosted version means it would have to be a heavily targeted attack.
Which in turn is based off of KeePass, right? So double shit?
No, Bitwarden isn’t “based off” anything.
Since the summary doesn’t say which three popular password managers:
As one of the most popular alternatives to Apple and Google’s own password managers, which together dominate the market, the researchers found Bitwarden was most susceptible to attacks, with 12 working against the open-source product. Seven distinct attacks worked against LastPass, and six succeeded in Dashlane.
Next do proton pass
Anything against keepass
I know they’re convenient, but people should really stop using cloud-based password managers and start using local ones. I personally recommend KeePassXC.
How do you recommend people sync between devices? What about devices that, for security reasons, do not allow flash drives or any external device to be plugged in?
KeePass features a built-in synchronization mechanism. I store my password file on Google Drive for ease of access on multiple devices. I set up triggers (on save, on custom button) to sync between the local copy and the cloud copy, using this guide: https://keepass.info/help/kb/trigger_examples.html#dbsync
Not a turnkey solution, but once set up it works like a charm.
Syncthing is great for syncing things like KeePass DBs.
You could use GitHub or similar. Your password file itself requires a password, so as long as the passwords are different you aren’t screwed if GitHub is compromised.
Either that, or you could keep it on your phone and type your password in manually. KeePass lets you generate passphrases, which makes typing them a lot easier.
Or you could store it on your own server and VPN in if you’re allowed to. It’s all pretty flexible.
I have my KeePass file in a Samba share on my Raspberry Pi running WireGuard. But it’s easier just using Nextcloud. Anyway, the file is encrypted.
And KeePass is perfectly cloud-ready by placing the .kdbx file into your cloud storage and syncing using WebDAV or similar.
I store my passwords on a flash drive with KeePassXC. How about you compromise that server… Oh wait a minute, no server?
As long as your copy isn’t a trojan.
https://cybersecuritynews.com/hackers-weaponize-keepass-password-manager/
Anyone got a good suggestion for a self-hosted option? Ideally one that has a good iOS app and a web interface.
You can self-host Bitwarden. Or there’s the Vaultwarden implementation of the Bitwarden API.
Built on Rust, you say???
Did you know water is wet?
Breaking news, rain is wet.
People really use these apps? I mean…here are all my passwords? …just like that?
Hell, my kid’s tutor wanted my bank account to withdraw from each month. I said, ‘fuck no… not unless we’re banging each other every night with a prenup!’
I hope I don’t sound like this when I’m 75
Oh, God. Shut up.
Your tutor asked for access… To your bank account?
What’s a
metaphorallegory?