cybersecurity

5915 readers

14 users here now

An umbrella community for all things cybersecurity / infosec. News, research, questions, are all welcome!

Community Rules

Be kind
Limit promotional activities
Non-cybersecurity posts should be redirected to other communities within infosec.pub.

Enjoy!

founded 2 years ago

MODERATORS

shellsharks@infosec.pub

tweedge@infosec.pub

Password managers less secure than promised (ethz.ch)

submitted 3 days ago by cm0002@toast.ooo to c/cybersecurity@infosec.pub

10 comments fedilink hide all child comments

ETH Zurich researchers have discovered major security flaws in three popular cloud-based password managers - Bitwarden, LastPass, and Dashlane - which together serve 60 million users[^1]. The team demonstrated 25 different attacks that could compromise user passwords, including 12 on Bitwarden, 7 on LastPass, and 6 on Dashlane.

The researchers found they could view and modify stored passwords by setting up servers that mimicked compromised password manager servers[^1]. These attacks worked through routine user actions like logging in, viewing passwords, or syncing data. "We were surprised by the severity of the security vulnerabilities," said Professor Kenneth Paterson of ETH Zurich[^1].

The vulnerabilities stem from complex code designed to enhance user-friendliness, such as password recovery and family sharing features. The providers were given 90 days to fix the security issues before publication[^1].

The researchers recommend users choose password managers that:

Are transparent about security vulnerabilities

Undergo external audits

Have end-to-end encryption enabled by default[^1]

[^1]: ETH Zurich - Password managers less secure than promised

top 10 comments

sorted by: hot top controversial new old

[–] ThunderComplex@lemmy.today 6 points 3 days ago

Cloud based password managers are a scam imo. They get total control of your data AND dictate how you can access it (paywalls, ads etc) meanwhile you get dick. On top of that the headline kinda made it sound like real password managers (like keepass) could have been compromised too.

Doesn’t surprise me that cloud based ones are vulnerable. And when they get breached they just write a oopsie apology letter and continue going about their business.

[–] kbal@fedia.io 8 points 3 days ago (1 children)

end-to-end encryption enabled by default

"By default" doesn't even seem good enough. Can you imagine making or using a password manager that isn't end-to-end encrypted? Why on earth would anyone ever do that? Anyway I'll stick with my encrypted text file on a flash drive.

[–] sirblastalot@ttrpg.network 4 points 3 days ago (1 children)

Please tell me you have backups of that flash drive

[–] kbal@fedia.io 6 points 3 days ago

In reality the flash drive mostly exists to be an extra air-gapped backup.

[–] sirblastalot@ttrpg.network 2 points 3 days ago (2 children)

The prospect of putting all my passwords in one big juicy target has always made me nervous. I go to great lengths to just memorize everything, but damn if it doesn't take a toll.

[–] Kissaki@programming.dev 3 points 3 days ago (2 children)

It is impossible for me to remember all my passwords. Maybe I have more accounts than other people. I remember the most important ones, amongst them a very long password manager DB password that is annoying to enter, especially on mobile.

First time I set up keepass I forgot the password. I still have the DB file without access. But the second time, I was more serious and committed to it, and made sure to remember and use the password. 😅

[–] sirblastalot@ttrpg.network 2 points 2 days ago

Yeah to be clear, I do not recommend my method and I don't think it's a good allocation of mental resources. I'm just stubborn :P

[–] jcarax@beehaw.org 1 points 2 days ago* (last edited 2 days ago)

I just don't have my passwords on mobile, easy solution. Though I do have Stratum on there for 2FA.

[–] remedia@piefed.social 7 points 3 days ago (1 children)

I was the same way before, but you have to weigh the pros and cons of having proper, long, randomized, unique passwords for each site against the possibility that your database password might be compromised. I only have my password database locally, on removable drives.

So in order to access it, I have to plug in a USB drive (I have backups) which only happens for as long as I need the database, then I unplug it. I also use a keyfile, which is on separate drives, just in case. If anyone wants to access it, they'll need both the "something I know" (password) and "something I have" (keyfile) which is pretty unlikely.

Not advertising, but I use Keepass.

[–] sirblastalot@ttrpg.network 1 points 3 days ago

FWIW, I use Diceware for password generation; it's good at making memorable yet still random passphrases.