Technology

82460 readers

2897 users here now

This is a most excellent place for technology news and articles.

Our Rules

Follow the lemmy.world rules.
Only tech related news or articles.
Be excellent to each other!
Mod approved content bots can post up to 10 articles per day.
Threads asking for personal tech support may be deleted.
Politics threads may be removed.
No memes allowed as posts, OK to post as comments.
Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
Check for duplicates before posting, duplicates may be removed
Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 2 years ago

MODERATORS

L3s@lemmy.world

enu@lemmy.world

technopagan@lemmy.world

L4s@lemmy.world

L3s@hackingne.ws

252

You probably can't trust your password manager if it's compromised (www.theregister.com)

submitted 2 weeks ago by floofloof@lemmy.ca to c/technology@lemmy.world

105 comments fedilink hide all child comments

cross-posted from: https://infosec.pub/post/42164102

Researchers demo weaknesses affecting some of the most popular options Academics say they found a series of flaws affecting three popular password managers, all of which claim to protect user credentials in the event that their servers are compromised.…

you are viewing a single comment's thread
view the rest of the comments

[–] Auster@thebrainbin.org 349 points 2 weeks ago (4 children)

You probably can't trust anything if it's compromised

[–] floofloof@lemmy.ca 71 points 2 weeks ago* (last edited 2 weeks ago) (2 children)

Well the specific point here is that these companies claim that a server hack won't reveal your passwords since they're encrypted and decrypted on your local device so the server only sees the encrypted version. Apparently this isn't completely true.

[–] philpo@feddit.org 15 points 2 weeks ago

At the point someone pulls off a valid MIM attack - which is basically a requirement here unless the whole BW/Vaultwarden server gets compromised- that is the least of someones problems. MIMs are incredibily hard these days.

[–] Auli@lemmy.ca 2 points 2 weeks ago (1 children)

Well if you decrypt the blob on the server they can see it.

[–] Telorand@reddthat.com 5 points 2 weeks ago

There's something nice about the phrase "decrypt the blob."

[–] tal@lemmy.today 45 points 2 weeks ago (1 children)

Yeah, the title there really doesn't reflect the article text. It should be "you probably can't trust your password manager if the remote servers it uses are compromised".

[–] hummingbird@lemmy.world 4 points 2 weeks ago

That would be an understatement since all services claim your data is safe even in that case which is not true.

[–] Pratai@piefed.ca 24 points 2 weeks ago (1 children)

Are you trying to say the front fell off?

[–] wreckedcarzz@lemmy.world 13 points 2 weeks ago (1 children)

That's not very typical

[–] sunbeam60@feddit.uk 8 points 2 weeks ago (1 children)

It wasn’t designed for the front to fall off, that’s for sure!

[–] QuadratureSurfer@piefed.social 3 points 2 weeks ago (1 children)

Well, what sort of standards are these tools built to?

[–] sunbeam60@feddit.uk 3 points 2 weeks ago

For the front to stay on!

[–] unhrpetby@sh.itjust.works 14 points 2 weeks ago (1 children)

Bitwarden is a zero-knowledge encryption password manager. This means that Bitwarden as a company cannot see your passwords. They remain encrypted end-to-end with your individual email and Master Password. Bitwarden never stores and cannot access your Master Password.

[–] unexposedhazard@discuss.tchncs.de 3 points 2 weeks ago* (last edited 2 weeks ago)

And if the client software itself is compromised then all that is meaningless.