cross-posted from: https://infosec.pub/post/42164102
Researchers demo weaknesses affecting some of the most popular options. Academics say they found a series of flaws affecting three popular password managers, all of which claim to protect user credentials in the event that their servers are compromised.…
Let’s expand that specifically generic headline: “You probably can’t trust anything if it’s been compromised”. More extra non-news at eleven.
Uhhhh… What even is this headline
Ya think?
🤯
Use keepass… don’t use your phone for important stuff. I never get calls or texts. I have no friends.
EDIT:
I’m not being sarcastic y’all. I legit have no friends. The only texts I get are for deliveries or appointment reminders. Legit nothing else.
And this is why I always thought a password manager is a bad idea.
Centralizing your passwords means there is one really juicy target, that if compromised, ruins everything.
It’s clearly a risk, but if you have dozens of accounts and passwords it’s hard to come up with a feasible alternative.
You probably can’t trust anything if it’s compromised
Well the specific point here is that these companies claim that a server hack won’t reveal your passwords since they’re encrypted and decrypted on your local device so the server only sees the encrypted version. Apparently this isn’t completely true.
Since the summary doesn’t say which three popular password managers:
As one of the most popular alternatives to Apple and Google’s own password managers, which together dominate the market, the researchers found Bitwarden was most susceptible to attacks, with 12 working against the open-source product. Seven distinct attacks worked against LastPass, and six succeeded in Dashlane.
Next do proton pass
So I chose the worst pick, eh?
No. Because the very nature of passwords and password managers make you immeasurably safer than not using one at all. Password managers in almost all markets detect password compromises and alert you to change them. Doing so is trivial and as long as you catch it in time, you’re much safer and harder to target than almost any other user.
Passwords are like physical locks. It’s not about being unpickable or indestructible. It’s mostly about raising the barrier of entry high enough that you are an unappealing target. Why would I spend days/weeks/months trying to crack the account of someone using a random string of 14 characters unique to every service and that can change their password within hours or days–when I could instead gain remote access to hundreds of other users that keep a ‘passwords.doc’ file in ~/documents with open permissions? They likely use passwords like ‘Snoopdog2004$’ so they’re easy to brute force, they won’t notice incursions, and can’t easily change passwords that are shared between multiple services.
No shit?
Additional vendor responses by Bitwarden to put the remediations and threat models into perspective:
Bitwarden. Shit.
These attacks are more around the encryption and all require a fully malicious server. It sounds like Bitwarden is taking these seriously and personally I’d still strongly prefer it to any closed source solution where there could be many more unknown but undiscovered security concerns.
Using a local solution is always most secure, but imo you should first ask yourself if you trust your own security practices and whether you have sufficient hardware redundancy to be actually better. I managed to lose the private key to some Bitcoin about a decade ago due to trying to be clever with encryption and local redundant copies.
Further, with the prevalence of 2FA even if their server was somehow fully compromised as long as you use a different authenticator app than Bitwarden you’re not at major risk anyways. With how poorly the average person manages their password security this hurdle alone is likely enough to stop all but attacks targeted specifically at you as an individual.
I don’t have the self hosting maturity to share my db across my devices yet. I need to get on that.
If it’s critical, don’t self host it. It’s not worth it.
I know people will argue; I just need something that works and that I don’t have to worry about patching.
That’s really disappointing. At least the self-hosted version means it would have to be a heavily targeted attack.
I don’t think it should be disappointing. Bitwarden welcomes third party security testing, especially given it is open source. The tests done were just tests, and the issues were already fixed.
Yeah, after seeing their response I’m quite satisfied. They’re one of the good guys and I hope it stays that way.
JFC this headline. BREAKING NEWS: Healthy people die of old age.