Password managers don’t protect secrets if pwned
www.theregister.com
: Researchers demo weaknesses affecting some of the most popular options

cross-posted from: https://infosec.pub/post/42164102

Researchers demo weaknesses affecting some of the most popular options Academics say they found a series of flaws affecting three popular password managers, all of which claim to protect user credentials in the event that their servers are compromised.…

  • ryper@lemmy.caEnglish
    92·
    6 days ago

    Since the summary doesn’t say which three popular password managers:

    As one of the most popular alternatives to Apple and Google’s own password managers, which together dominate the market, the researchers found Bitwarden was most susceptible to attacks, with 12 working against the open-source product. Seven distinct attacks worked against LastPass, and six succeeded in Dashlane.

    • Clent@lemmy.dbzer0.comEnglish
      5·
      6 days ago

      And glosses over what it claims are the two that dominate market (combined market share of 55%) which negates their headline, since it’s likely the reader is using one of those two password managers.

      Source

      • myserverisdown@lemmy.worldEnglish
        9·
        6 days ago

        No. Because the very nature of passwords and password managers make you immeasurably safer than not using one at all. Password managers in almost all markets detect password compromises and alert you to change them. Doing so is trivial and as long as you catch it in time, you’re much safer and harder to target than almost any other user.

        Passwords are like physical locks. Its not about being unpickable or indestructible. Its mostly about raising the barrier of entry high enough that you are an unappealing target. Why would I spend days/weeks/months trying to crack the account of someone using a random string of 14 characters unique to every service and that can change their password within hours or days–when I could instead gain remote access to hundreds of other users that keep a ‘passwords.doc’ file in ~/documents with open permissions? They likely use passwords like ‘Snoopdog2004$’ so they’re easy to brute force, they won’t notice incursions, and can’t easily change passwords that are shared between multiple services.

    • Lena@gregtech.euEnglish
      11·
      6 days ago

      These password managers claim your passwords are secure, even if their servers get compromised, which is what is expected from a security standpoint. But that is apparently not the case.

    • floofloof@lemmy.caOPEnglish
      27·
      6 days ago

      Yes, although it sounds like they haven’t finished fixing some of them:

      All issues have been addressed by Bitwarden. Seven of which have been resolved or are in active remediation by the Bitwarden team. The remaining three issues have been accepted as intentional design decisions necessary for product functionality.

      Edit: There’s more information about the specific threats and remediation steps in the PDF report linked at the end of the Bitwarden blog post:

      https://bitwarden.com/assets/Kki4W785JIPOdFj6EeWB5/1e74e924febb4c6a5ad03eed23b92d23/pwmgr_paper__1_-combinedÂ__1_.pdf

      • AliasAKA@lemmy.worldEnglish
        23·
        6 days ago

        Looking through, it seems like for the most part these are very niche and/or require the user to be using SSO or enterprise recovery options and/or try to change and rotate keys or resync often. I think few people using this for personal would be interacting with that attack surface or accepting organizational invites, but it is serious for organizations (probably why they’re trying quickly to address this).

        Honestly I think a server being incognito controlled and undetected in bitwardens fleet while also performing these attacks is, unlikely? Certainly less likely than passwords being stolen from individual site hacks or probably even banks. Like at that point, it would just be easier to do these types of manipulations directly on bank accounts or crypto wallets or email accounts than here, but then again, if you crack a wallet like this you get theoretically all the goodies to those too I suppose, for a possibly short time (assuming the user wasn’t using 2FA that wasn’t email based as well).

        Not to mitigate these issues. They need to fix them, just trying to ascertain how severe and if individual users should have much cause for concern.

        • ArrowMax@feddit.orgEnglish
          7·
          6 days ago

          Regarding a malicious server acting under Bitwarden’s fleet: As I see it, the most vulnerable target would be an organization’s self-hosted Bitwarden server.

    • COASTER1921@lemmy.mlEnglish
      69·
      6 days ago

      These attacks are more around the encryption and all require a fully malicious server. It sounds like Bitwarden is taking these seriously and personally I’d still strongly prefer it to any closed source solution where there could be many more unknown but undiscovered security concerns.

      Using a local solution is always most secure, but imo you should first ask yourself if you trust your own security practices and whether you have sufficient hardware redundancy to be actually better. I managed to lose the private key to some Bitcoin about a decade ago due to trying to be clever with encryption and local redundant copies.

      Further, with the prevalence of 2FA even if their server was somehow fully compromised as long as you use a different authenticator app than Bitwarden you’re not at major risk anyways. With how poorly the average person manages their password security this hurdle alone is likely enough to stop all but attacks targeted specifically at you as an individual.

        • lobut@lemmy.caEnglish
          1·
          5 days ago

          Yeah I use MFA on anything that matters.

          It means my authenticator is just riddled with items but it is what it is.

      • chocrates@piefed.worldEnglish
        7·
        6 days ago

        I don’t have the self hosting maturity to share my db across my devices yet. I need to get on that.

        • W98BSoD@lemmy.dbzer0.comEnglish
          171·
          6 days ago

          If it’s critical, don’t self host it. It’s not worth it.

          I know people will argue; I just need something that works and that I don’t have to worry about patching.

        • philpo@feddit.orgEnglish
          1·
          6 days ago

          Personal recommendation: Start with a selfhosting support software like Casa, Yuno or (my recommendation) Cloudron. Start hosting the app there with frequent backups and occasionally export into regular Bitwarden as a failsafe.

          And when you are comfortable switch over to properly self hosted Vaultwarden.

    • eodur@piefed.socialEnglish
      9·
      6 days ago

      Thats really disappointing. At least the selfhosted version means it would have to be a heavily targeted attack.

      • Bazoogle@lemmy.worldEnglish
        6·
        6 days ago

        I don’t think it should be disappointing. Bitwarden welcomes third party security testing, especially given it is open source. The tests done were just tests, and the issues were already fixed.

        • eodur@piefed.socialEnglish
          3·
          6 days ago

          Yeah, after seeing their response I’m quite satisfied. They’re one of the good guys and I hope it stays that way.

    • AnyOldName3@lemmy.worldEnglish
      5·
      6 days ago

      Password managers are supposed to be designed to resist a situation where they’re compromised, and are only ever supposed to see a mysterious blob of encrypted data without ever having access to any information that would help decrypt it. The headline’s more like M1 Abrams Tanks Vulnerable to Small Arms Fire - it’d be totally expected that most things die when shot with bullets, but the point of a tank is that it doesn’t, so it’s a big deal if it does.

    • Petter1@discuss.tchncs.deEnglish
      12·
      6 days ago

      Yess!
      I store the keepass vault on my nextcloud
      On iOS and macOS, I use Strongbox pro (one time purchase), as it integrates beautifully into the apple ecosystem using its APIs.
      On linux and windows free KeepassXC with browser plug-ins
      On Android I use the free keePassDX which, like strongbox, uses the android APIs for passwords

      • lightnsfw@reddthat.comEnglish
        7·
        6 days ago

        Same. My password database never touches a server I don’t own and my keyfile is manually copied between my devices and stored separately from the database file.

    • tatterdemalion@programming.devEnglish
      2·
      5 days ago

      Or if you have like $5/mo to spend on a VPS, self-host vaultwarden. It’s compatible with the bitwarden apps and browser plugins.

  • melsaskca@lemmy.caEnglish
    5·
    5 days ago

    Let’s expand that specifically generic headline. "“You probably can’t trust anything if it’s been compromised”. More extra non-news at eleven.

  • BeardededSquidward@lemmy.blahaj.zoneEnglish
    131·
    6 days ago

    I’ll be honest, password managers are like the holy grail of desirable to breech. If you’re using one it will be constantly under attack. It being breeched or vulnerable shouldn’t be a surprise. There isn’t really a secure way to store large amounts of passwords that doesn’t have some vulnerability issues.

    • nieminen@lemmy.worldEnglish
      3·
      6 days ago

      That’s why I liked password store, no servers, just my encrypted password files on my own computer, that I sync over to my other devices.

      Apparently it’s dying soon through, so I need an alternative.

      • vrighter@discuss.tchncs.deEnglish
        7·
        6 days ago

        i use keepassxc for the offline database part, and syncthing to sync it (among other things) between all my devices

      • PodPerson@lemmy.zipEnglish
        2·
        5 days ago

        I was enjoying 1Password until they went completely subscription, so I switched to Strongbox (based on Keepass) and it’s been pretty good. DB stored locally and I use my own tools to sync that vault to my other devices.

    • floofloof@lemmy.caOPEnglish
      6·
      6 days ago

      If you don’t have to use your passwords from multiple locations, your hints are intelligible only to you, and you don’t leave the paper anywhere too obvious, this isn’t a bad solution.

    • fonix232@fedia.io
      12·
      6 days ago

      How do you recommend people sync between devices? What about devices that, for security reasons, do not allow flash drives or any external device to be plugged in?

    • Petter1@discuss.tchncs.deEnglish
      3·
      6 days ago

      And keepass is perfectly cloud ready by placing the kdbx file into your cloud storage and sync using webDav or similar.