Password managers less secure than promised
ethz.ch
Researchers from ETH Zurich have discovered serious security vulnerabilities in three popular, cloud-based password managers. During testing, they were able to view and even make changes to stored passwords.
  • Millions of people use password managers. They make accessing online services and bank accounts easy and simplify credit card payments.
  • Many providers promise absolute security – the data is said to be so encrypted that even the providers themselves cannot access it.
  • However, researchers from ETH Zurich have shown that it is possible for hackers to view and even change passwords.
  • irate944@piefed.socialEnglish
    18·
    5 hours ago

    Copy pasting a comment that I saw on Reddit

    ——

    Link to the original study (with a less sensationalized title):

    https://zkae.io/

    A few important notes:

    • the study is about Bitwarden, LastPass, Dashlane and 1Password. Proton Pass isn’t mentioned.

    • the study presumes that they’re working with a malicious server (read this as compromised server, controlled by an attacker). The attacks they talk about in the article would not work on a normal server. Here’s their quote:

    No need to panic: all of our attacks presume a malicious server. We have no reason to believe that the password manager vendors are currently malicious or compromised, and as long as things stay that way, your passwords are safe. That said, password managers are high-value targets, and breaches do happen.

    • Here’s another quote, about other password managers:

    You can ask your provider the following questions:

    1. ⁠Do you offer end-to-end encryption? What security do you provide in case your server infrastructure were to be compromised?
    1. How do you check that public keys and public-key ciphertexts are authentic?
    1. How do you authenticate security-critical settings, such as the KDF type and the iteration count?
    1. Do you provide integrity guarantees for a user’s vault as a whole? Can a malicious server add items to your vault?

    You can also ask your favourite password manager to commission an audit checking for our attacks in their products.

    • If you still feel unsure/unsafe, then adopt an offline password manager (I highly recommend keepassXC).
    • scala@lemmy.mlEnglish
      6·
      4 hours ago

      Wish they did an assessment on Proton pass. I just started using all proton services and wanted to know how that holds up. My company uses Bitwarden 🙃

    • CardboardVictim@piefed.socialEnglish
      9·
      5 hours ago

      I too recommend KeepassXC, works even on android with KeepassDX. I use syncthing to sync between devices (work, personal and android)

      • folekaule@lemmy.worldEnglish
        1·
        3 hours ago

        I also use KeepassXC, and it’s great. I’m interested in setting up Syncthing between my Android, Linux desktop, and NAS. Do you have any tips or articles/resources that you used to set it up?

        • CardboardVictim@piefed.socialEnglish
          1·
          3 hours ago

          Hmm, I don’t think I’ve optimized it either to be fair. I wanted to use my phone as a ‘bridge in between’ but that means it uses battery since it ‘checks’ whats online.

          In reality my phone is usually on demand and since I work from home, my work device is usually still turned on when I turn on my ‘good computer’ with fun projects.

          One thing that I find useful is the backup / version control settings, I’ve set it up that there is a version control if it overwrites things so that when conflicts happen (eg a sync didn’t happen and I changed both keepass databases) I can quickly ‘merge’ them or sync them up manually.

          I’ve also heard that syncthing isn’t available on android anymore but a fork (that is somewhat vetted, iirc) exist.

          If you can run applications on your NAS & connect to it from anywhere, it could be used as a type of ‘master’ server that keeps everything in sync that is always online.