• Millions of people use password managers. They make accessing online services and bank accounts easy and simplify credit card payments.
  • Many providers promise absolute security – the data is said to be so encrypted that even the providers themselves cannot access it.
  • However, researchers from ETH Zurich have shown that it is possible for hackers to view and even change passwords.
  • Appoxo@lemmy.dbzer0.com
    link
    fedilink
    English
    arrow-up
    0
    ·
    edit-2
    5 months ago

    “We want our work to help bring about change in this industry,” says Paterson. “The providers of password managers should not make false promises to their customers about security but instead communicate more clearly and precisely what security guarantees their solutions actually offer.”

    Great.
    Now which password vault was the most cooperative and clear in their security communication and which one wasnt?
    The author said that they have given the providers time to fix the issues. Now highlight the ones that did it the best… >_>

    • olympicyes@lemmy.world
      link
      fedilink
      English
      arrow-up
      0
      ·
      5 months ago

      They did gove some advice. They said to go with a vendor that is transparent about problems and reveals the results of their third party security audits. I’m sure if you read between the lines it means they likely reviewed several vendors and chose to spend their time attacking ones that are opaque about their security stance and used outdated encryption or bad implementations of E2E encryption. So all three are likely suspect. Like if 1Password were developed similarly to LastPass wouldn’t they have spent time attacking it?

      Edit: https://support.1password.com/security-assessments/

      1Password are posting the results of their external pen testing now.

      • Appoxo@lemmy.dbzer0.com
        link
        fedilink
        English
        arrow-up
        0
        ·
        5 months ago

        Bitwarden did so too.

        But IMO your assumption is a bit of interpreting bad/malicious faith into it.
        I see it more like they are the more publicly known brands/services that do this and underwent the audit.
        I have read the TLDR by the authors (linked a few times in the comments) and the answer by bitwarden.
        Bitwarden said the, fixed the issue, are in the progress of doing it or are accepting it as “this is intended/a trade-off”.
        What is a bit sad is that they had more vulnerabilities than other vendors. But I trust them more as they are mostly OSS.

      • youmaynotknow@lemmy.zip
        link
        fedilink
        English
        arrow-up
        0
        ·
        5 months ago

        About 1password publishing their pentesting results. Why put it behind a ‘give me your email address’ wall?

        That alone is enough for me to instantly disregard them as an option.

  • unexposedhazard@discuss.tchncs.de
    link
    fedilink
    English
    arrow-up
    0
    ·
    5 months ago

    OMFG can people please fucking go away with this stupid “password managers are worthless” bullshit today. They are exactly as secure as promised, unless you went to the obviously shady ones that use web interfaces. People have been saying this for years, if you want security, keep your password manager offline.

          • unexposedhazard@discuss.tchncs.de
            link
            fedilink
            English
            arrow-up
            0
            ·
            5 months ago

            There is no way to patch the inherent flaw that comes with delivering client software through a web browser. If the entire client is delivered as a web page from a server you dont control, then that server can modify the software however it pleases. Same applies to e2ee encrypted chat clients that run as a web page like element-web (browser based matrix client).

            • Victor@lemmy.world
              link
              fedilink
              English
              arrow-up
              0
              ·
              5 months ago

              This feels a bit extreme though. Can you even trust anything online at that point? Do you also never leave your home carrying your wallet in case someone might rob you?

              • unexposedhazard@discuss.tchncs.de
                link
                fedilink
                English
                arrow-up
                0
                ·
                5 months ago

                Bro i have my bank details, all my private 2FA, work 2FA, health insurance access, my families master passwords, steam access, and more in there. Its literally the most important piece of software that can exist in this day and age. No im not taking chances with that. The only thing you can do with my physical wallet if you rob me is buy something up to 20€ beyond which you need the cards pin. Everything else i can just deactivate by calling the relevant parties.

                But on another note, websites have never really been resistant to MITM attacks. So you dont just have to trust the hoster but also everything in between you and them.

                • Victor@lemmy.world
                  link
                  fedilink
                  English
                  arrow-up
                  0
                  ·
                  5 months ago

                  I assume you follow proper backup protocol it you are using offline password management.

                  How do you sync though? You keep one copy on your phone or something, I imagine? What apps and managers are you using?

            • DeckPacker@lemmy.world
              link
              fedilink
              English
              arrow-up
              0
              ·
              5 months ago

              This comment shows that you know less about computers, than you may think. You can definetly make end to end encryption work using a Website. JavaScript runs client side. So as long as you trust the encryption algorithm (which in elements case you definetly can, because it is OSS), the encryption is safe and your unencrypted data never leaves the device.

              • Bradley Nelson@lemmy.world
                link
                fedilink
                English
                arrow-up
                0
                ·
                5 months ago

                The point is you are trusting the JavaScript that the server delivered to you. If the server is compromised, it hands you compromised JavaScript and you’re screwed. It’s the exact same thing as going to evil.com and entering your master password. I think that you inherently understand that evil.com is untrusted. However, if passwordmanager.com is compromised by the same people who own evil.com. there’s really no difference.

                • DeckPacker@lemmy.world
                  link
                  fedilink
                  English
                  arrow-up
                  0
                  ·
                  5 months ago

                  I understand, but wouldn’t the same problem occur, if the server for the website you download your software from or the server for your package manager would be compromised? Even if you would buy your software physically on a CD, there would be a chance someone has messed with the content on a CD.

                  So I don’t really see this as a flaw unique to browsers. Am I wrong?

  • OnfireNFS@lemmy.world
    link
    fedilink
    English
    arrow-up
    0
    ·
    5 months ago

    Would having a synced Keepass database with a composite key protect against this?

    When I made my database I created a composite key file that never goes online. I locally copy it to any device that needs to access the database. The idea was even if the password got compromised you can’t access the database without the key file

      • Echo Dot@feddit.uk
        link
        fedilink
        English
        arrow-up
        0
        ·
        5 months ago

        What if there’s a nuclear war end the house gets vaporized?

        To protect against this scenario I have this small portable computer that I keep in my pocket. They’re quite popular these days.

  • exu@feditown.com
    link
    fedilink
    English
    arrow-up
    0
    ·
    5 months ago

    Interesting paper and I agree with the researchers to consider full server compromise in scope for online password managers. Maybe I missed it, but I’d have liked a section on the response by vendors. Mistakes happen, but the response and actions taken are very important for (continued) trust in a vendor.

  • myfunnyaccountname@lemmy.zip
    link
    fedilink
    English
    arrow-up
    0
    ·
    5 months ago

    With pretty much every major company being hacked at some point, credit card companies being hacked, everyone selling our details and data, doge and palantir. Feels like post it notes under the keyboard isn’t that bad of an idea.

    • bitflip@lemmy.dbzer0.com
      link
      fedilink
      English
      arrow-up
      0
      ·
      5 months ago

      Really depends on your threat model whether this is a good idea. If cops raiding your home is part of it, a physical book might not be your best bet.

      • Echo Dot@feddit.uk
        link
        fedilink
        English
        arrow-up
        0
        ·
        5 months ago

        If you’re at the point where that’s a possibility that you need to defend against then you probably already have better security than using a password manager.

  • MonkderVierte@lemmy.zip
    link
    fedilink
    English
    arrow-up
    0
    ·
    edit-2
    5 months ago

    My password manager: a flat list and a little 3-liner gpg script. Has ctrl-f search feature built-in.

  • scarabic@lemmy.world
    link
    fedilink
    English
    arrow-up
    0
    ·
    5 months ago

    Many providers promise absolute security

    This struck me as wrong, because that would be a technically impossible and liability-inviting thing to promise.

    And after checking the homepages of the 3 services they tested, yep, none of them promise “absolute security.”

  • eatsnutellawivaspoon@feddit.uk
    link
    fedilink
    English
    arrow-up
    0
    ·
    5 months ago

    I use one of the password managers mentioned in the article, purely for the convenience of apps on all my devices, syncing and complex individual passwords. Should I be looking to move to self hosting something instead? Would my host (likely a synology Nas or raspberry pi) not then have the same risks?

    • cmhe@lemmy.world
      link
      fedilink
      English
      arrow-up
      0
      ·
      5 months ago

      Security through layers. The flaws found here are about compromised server, so hosting your own server is a good first step. Next step is making the server only accessible via your own VPN. And of course hardening the server.

    • cevn@lemmy.world
      link
      fedilink
      English
      arrow-up
      0
      ·
      5 months ago

      I self host via vault warden. And I have it locked behind tailscale vpn. Aside from your server itself getting hacked, which is a risk, this is more secure than having passwords on the public internet.

        • cevn@lemmy.world
          link
          fedilink
          English
          arrow-up
          0
          ·
          5 months ago

          Love the raspis, just make sure the passwords are not stored on the sd card because those fail all the time hah.

    • iglou@programming.dev
      link
      fedilink
      English
      arrow-up
      0
      ·
      5 months ago

      I believe Proton Pass does not have the design flaws shown in the article. For instance, if you lose your password, you lose your data. Your data is encrypted and decrypted on your device.

      • cmhe@lemmy.world
        link
        fedilink
        English
        arrow-up
        0
        ·
        5 months ago

        This is what all the listed password manager claim.

        What was done here was tricking the client through the server to do things. So the fixes went into the client application.

  • CardboardVictim@piefed.social
    link
    fedilink
    English
    arrow-up
    0
    ·
    5 months ago

    For people interested there were 3 cloud based password managers tested and this is what they found

    The researchers demonstrated 12 attacks on Bitwarden, 7 on LastPass and 6 on Dashlane.

      • _edge@discuss.tchncs.de
        link
        fedilink
        English
        arrow-up
        0
        ·
        5 months ago

        The method, they use, requires a client-server architecture. Hence, they cannot attack a local keepass file even if you sync it to some cloud.

      • CardboardVictim@piefed.social
        link
        fedilink
        English
        arrow-up
        0
        ·
        5 months ago

        From what I scanned, there was no reason given on why they only attacked cloud based providers.

        My guess is that these are paid ones and thus have a ‘market share’, easier to attack etc.

        If you attack a ‘keepass’ password the attack vector is more crypto / memory based as far as my limited knowledge goes and not some funky inbetween attack.

        Also, if you attack a cloud base provides, you will most likely have multiple victims per breach / exploit, whilst offline are targeted and thus not so interesting in most cases unless we’re talking about a person of interest

        • U7826391786239@lemmy.zipdeleted by creator
          link
          fedilink
          English
          arrow-up
          0
          ·
          edit-2
          5 months ago

          they ran the test on those pw managers because they were open source. that allowed the testers to implement a “dummy” provider on their own “compromised server.” so the results of failing the tests are based on the hypothetical situation of “what if bitwarden (or whoever) had an entire server taken over by hackers”. while the chances of that happening are greater than zero, it would take a lot for someone to completely hijack a server like that

          edit to add-- these tests are one of the reasons these pw managers choose to be open source: to allow 3rd party tests like this to find vulnerabilities, so they can be fixed

          nothing is 100% guaranteed safe, but if you don’t want to remember or write down dozens or hundreds of unique strong passwords, i still would recommend a pw manager

          • sexy_peach@feddit.org
            link
            fedilink
            English
            arrow-up
            0
            ·
            5 months ago

            Oh okay so they probably delivered malicious code to the user entering their passwords… Well even an offline pw manager can be compromised in the code.

    • Appoxo@lemmy.dbzer0.com
      link
      fedilink
      English
      arrow-up
      0
      ·
      edit-2
      5 months ago

      What I am wondering myself: Do the different amount of attacks mean the attack surface was greater or had more vulnerabilities or what made them only do 6 on Dashlane vs 12 on Bitwarden?

      Edit:
      In another article it was total identified vulnerabilities.

    • stephen01king@piefed.zip
      link
      fedilink
      English
      arrow-up
      0
      ·
      5 months ago

      Unfortunately they don’t explain what the attacks were in the article. Gonna need to find the paper to know.

      • sztosz@lemmy.dbzer0.com
        link
        fedilink
        English
        arrow-up
        0
        ·
        5 months ago

        I use an offline password manager, and sync an encrypted database with nextcloud. It’s convenient enough, and secure enough for me. Easy to sync between my phone, desktop, and laptop. And I only need to remember two passwords, the nextcloud one, and the manager one. I don’t think you can have it more secure and convenient all the same, at least not with current tech.

    • RemADeus@thelemmy.club
      link
      fedilink
      English
      arrow-up
      0
      ·
      5 months ago

      Many will argue that they need the convenience of an online password manager not knowing that what you stated is the safest form

    • helpImTrappedOnline@lemmy.world
      link
      fedilink
      English
      arrow-up
      0
      ·
      5 months ago

      Yes, let’s blame the victim and not the data hording mega corps that advertise their crap to collect more data, make big promises, hide the better options, and actively undermine open source in every way they can.

      I’m pretty sure the average person hears “open source” and think “oh that’s insecure software made by hackers, I need to only use software from trusted sources”. Using only trusted software is still a good idea, but unfortunately the trusted sources of 2002 have betrayed us.