- cross-posted to:
- privacy@lemmy.ml
cross-posted from: https://infosec.pub/post/42164102
Researchers demo weaknesses affecting some of the most popular options Academics say they found a series of flaws affecting three popular password managers, all of which claim to protect user credentials in the event that their servers are compromised.…
Uhhhh… What even is this headline
Since the summary doesn’t say which three popular password managers:
As one of the most popular alternatives to Apple and Google’s own password managers, which together dominate the market, the researchers found Bitwarden was most susceptible to attacks, with 12 working against the open-source product. Seven distinct attacks worked against LastPass, and six succeeded in Dashlane.
And glosses over what it claims are the two that dominate the market (combined market share of 55%), which negates their headline, since it’s likely the reader is using one of those two password managers.
So I chose the worst pick, eh?
No. Because the very nature of passwords and password managers make you immeasurably safer than not using one at all. Password managers in almost all markets detect password compromises and alert you to change them. Doing so is trivial and as long as you catch it in time, you’re much safer and harder to target than almost any other user.
Passwords are like physical locks. It’s not about being unpickable or indestructible. It’s mostly about raising the barrier of entry high enough that you are an unappealing target. Why would I spend days/weeks/months trying to crack the account of someone using a random string of 14 characters unique to every service and that can change their password within hours or days–when I could instead gain remote access to hundreds of other users that keep a ‘passwords.doc’ file in ~/documents with open permissions? They likely use passwords like ‘Snoopdog2004$’ so they’re easy to brute force, they won’t notice incursions, and can’t easily change passwords that are shared between multiple services.
JFC this headline. BREAKING NEWS: Healthy people die of old age.
Password managers are supposed to be designed to resist a situation where they’re compromised, and are only ever supposed to see a mysterious blob of encrypted data without ever having access to any information that would help decrypt it. The headline’s more like M1 Abrams Tanks Vulnerable to Small Arms Fire - it’d be totally expected that most things die when shot with bullets, but the point of a tank is that it doesn’t, so it’s a big deal if it does.
Things you should know: Your car won’t drive after it’s broken down.
What a headline
I’ll be honest, password managers are like the holy grail of desirable to breech. If you’re using one it will be constantly under attack. It being breeched or vulnerable shouldn’t be a surprise. There isn’t really a secure way to store large amounts of passwords that doesn’t have some vulnerability issues.
breech
breach, right?
That’s why I liked password store, no servers, just my encrypted password files on my own computer, that I sync over to my other devices.
Apparently it’s dying soon though, so I need an alternative.
I use keepassxc for the offline database part, and syncthing to sync it (among other things) between all my devices
I use passwordsafe, no issues there
Edit, sorry, misread your comment, my reply was irrelevant.
Let’s expand that specifically generic headline. “You probably can’t trust anything if it’s been compromised”. More extra non-news at eleven.
🤯
I just write down password hints on a scrap of paper.
If you don’t have to use your passwords from multiple locations, your hints are intelligible only to you, and you don’t leave the paper anywhere too obvious, this isn’t a bad solution.
If the entire supply chain up to the software you’re running to perform actual decryption is compromised, then the decrypted data is vulnerable. I mean, yeah? That’s why we use open-source clients and check builds/use builds from a separate source, so that the compromise of one actor does not compromise the whole chain. The server (if any) is managed by one entity and only manages access control + encrypted data, the client from a separate trusted source manages decryption, and the general safety of your whole system remains your responsibility.
Security requires a modicum of awareness and implication from the users, always. The only news here is that people apparently never consider supply chain attacks up until now?
And KeePass is perfectly cloud ready by placing the kdbx file into your cloud storage and syncing using WebDAV or similar.
Probably?
And this is why I always thought a password manager is a bad idea.
Centralizing your passwords means there is one really juicy target, that if compromised, ruins everything.
It’s clearly a risk, but if you have dozens of accounts and passwords it’s hard to come up with a feasible alternative.
My solution is to make variants of my usual password that are so different I end up having to reset my passwords constantly. Lately, I’ve taken to writing my passwords on a piece of paper in my house, which means I can choose more unique ones
Keepass, upload the database file to random free cloud accounts after making changes to the database.
This is foolproof as long as the end-user device doesn’t get hacked, right?
Edit: Did I say something wrong? Why downvotes? Database files are encrypted, even if someone gets it, it’s encrypted and they don’t have your password.
So it’s basically safe to upload your database. If you think I’m wrong then explain why I can’t use free cloud accounts to store an encrypted file?
This is terrible advice, even if I assume you are also using a key-file on a removable usb. An attacker can brute force decrypt your db. There is no rate limiting when you literally have the database file, they could replicate it across thousands of servers each with dozens of cores, each core trying a dozen keyphrases per second. That’s assuming a motivated attacker like a government or crypto scammers, but why open yourself to that possibility?
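A back-of-the-envelope estimator for the offline guessing scenario the comment above describes, added here as an example (it is not any commenter’s code and not part of KeePass). It assumes the commenter’s fleet numbers (thousands of servers, dozens of cores, a dozen guesses per core per second) and uses PBKDF2-HMAC-SHA256 from the standard library as a stand-in for whatever KDF the vault actually uses; the point is how much the master password’s entropy and the KDF cost matter once the file itself is in an attacker’s hands.

```python
"""Estimate offline guessing cost against an exfiltrated encrypted vault."""
import hashlib
import math
import os
import time

# Sizes of common character classes for a uniformly random password.
ALPHABETS = {"digits": 10, "lower": 26, "alnum": 62, "printable": 95}


def search_space_bits(length: int, alphabet: str) -> float:
    """Bits of entropy in a uniformly random password of this length/alphabet."""
    return length * math.log2(ALPHABETS[alphabet])


def pattern_bits(words: int, years: int, symbols: int) -> float:
    """Bits for a 'Word+Year+Symbol' style password drawn from small lists."""
    return math.log2(words * years * symbols)


def fleet_guesses_per_second(servers: int, cores: int, per_core: float) -> float:
    """Aggregate guess rate of a rented fleet; no server-side rate limit applies."""
    return servers * cores * per_core


def expected_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit the password: on average half the keyspace is searched."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def measure_kdf_rate(iterations: int, samples: int = 3) -> float:
    """Single-core guesses/s against PBKDF2-HMAC-SHA256 at the given work factor.

    Stand-in for the vault's KDF (hypothetical, not KeePass's real parameters):
    raising iterations lowers every attacker core's guess rate proportionally.
    """
    salt = os.urandom(16)  # constructed; real salt comes from the vault header
    start = time.perf_counter()
    for _ in range(samples):
        hashlib.pbkdf2_hmac("sha256", b"candidate", salt, iterations, 32)
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    fleet = fleet_guesses_per_second(1000, 24, 12)  # the comment's numbers
    weak = pattern_bits(50_000, 100, 30)            # e.g. 'Snoopdog2004$' shape
    strong = search_space_bits(14, "alnum")         # random 14-char alphanumeric
    for label, bits in (("pattern", weak), ("random-14", strong)):
        yrs = expected_seconds(bits, fleet) / 31_557_600
        print(f"{label}: {bits:.1f} bits, ~{yrs:.3g} years at {fleet:,.0f} g/s")
    print(f"1 core, 600k PBKDF2 rounds: {measure_kdf_rate(600_000):.1f} guesses/s")
```

The random 14-character password is out of reach even for the hypothetical fleet, while the dictionary-pattern password falls in minutes; the KDF timing shows why tuning the vault’s work factor upward is the cheap defence that scales against exactly this attacker.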
Why would you do that? Just sync the database with Syncthing and keep it locally on your devices. I’d never put my pw DB in a publicly available cloud online, even though it’s encrypted.
For backup.
So all of my hard drives and devices are in the same house; if I was sleeping and the house caught on fire and I couldn’t even get my phone in time (just a worst case example), then I lose all my passwords.
Cloud is my “offsite backup”. Cuz where else would I put stuff?
Also: I thought you could just safely upload encrypted files to Google Drive, why not a password database? It’s just another encrypted file.
I see. For this scenario, I have another Syncthing server, which is on 24/7, responsible for offsite backups.
Ad encrypted files: true, but why expose them to a potential adversary? If there should be a flaw in the encryption (now or future) the other party already has access to the file.
Anyone got a good suggestion for a self hosted option? Ideally one that has a good iOS app and a web interface.
Use keepass… don’t use your phone for important stuff. I never get calls or texts. I have no friends.