Researchers demo weaknesses affecting some of the most popular options

Academics say they found a series of flaws affecting three popular password managers, all of which claim to protect user credentials in the event that their servers are compromised.…

  • nous@programming.dev · 2 upvotes · 3 hours ago

    The companies' responses are probably more important than the findings.

    Dashlane published a comprehensive response, thanking the researchers, and said the infoseccers’ decision to test using a malicious server model represented “a useful exercise.”

    The vendor also confirmed it had fixed the most serious issue

    Which is what you want to hear. The worst of the issues has been fixed and they look like they want to improve things further.

    Bitwarden, meanwhile, said in a post: “Bitwarden has never been breached and believes third-party security assessments like these are critical to continue providing state of the art security to individuals and organizations.”

    Is less encouraging although not damning. Would be nicer to hear they are hardening things in case of a breach rather than just relying on not being breached. They could still be doing that though.

    A LastPass spokesperson told The Reg: “Our Security team is grateful for the opportunity to engage with ETH Zurich and benefit from their research. While our own assessment of these risks may not fully align with the severity ratings assigned by the ETH Zurich team, we take all reported security findings seriously. We have already implemented multiple near‑term hardening measures while also establishing plans to remediate or reinforce the relevant components of our service on a timeline commensurate with the assessed risk.”

    Is just terrible. Basically they don’t think they have a problem and have done nothing more than a token effort to fix the easiest of things. I believe they have been breached before as well, which is also a bad sign. They just don’t seem to care about security at all. I would continue to recommend no one use LastPass and everyone switch away from it.

  • osanna@thebrainbin.org · 1 upvote · 6 hours ago

    That is rather concerning :/. I always said I’d never self-host a PW manager, because if I lose access to it, I lose access to most parts of my life. But in light of this report, and with the BW servers being such a juicy target, I have taken to self-hosting it. They probably won’t notice a standalone server with just one account on it, versus a server with thousands or millions of users in the BW servers.

    ETA: with an appropriate backup strategy, it should be fine, i think?