cross-posted from: https://infosec.pub/post/42164102
Researchers demo weaknesses affecting some of the most popular options

Academics say they found a series of flaws affecting three popular password managers, all of which claim to protect user credentials in the event that their servers are compromised.…



Bitwarden says all issues have already been addressed.
https://bitwarden.com/blog/security-through-transparency-eth-zurich-audits-bitwarden-cryptography/
Yes, although it sounds like they haven’t finished fixing some of them:
Edit: There’s more information about the specific threats and remediation steps in the PDF report linked at the end of the Bitwarden blog post:
https://bitwarden.com/assets/Kki4W785JIPOdFj6EeWB5/1e74e924febb4c6a5ad03eed23b92d23/pwmgr_paper__1_-combined%C2%A0__1_.pdf
Looking through, it seems like for the most part these are very niche and/or require the user to be using SSO or enterprise recovery options and/or to change and rotate keys or resync often. I think few people using this for personal use would be interacting with that attack surface or accepting organizational invites, but it is serious for organizations (probably why they’re trying to address this quickly).
Honestly, I think a server being controlled incognito and undetected in Bitwarden’s fleet while also performing these attacks is unlikely? Certainly less likely than passwords being stolen from individual site hacks, or probably even banks. Like, at that point it would just be easier to do these types of manipulations directly on bank accounts or crypto wallets or email accounts than here, but then again, if you crack a wallet like this you theoretically get all the goodies to those too, I suppose, for a possibly short time (assuming the user wasn’t using 2FA that wasn’t email-based as well).
Not to mitigate these issues. They need to fix them, just trying to ascertain how severe and if individual users should have much cause for concern.
Ah, great, thank you! Carrying on…