Password managers less secure than promised
ethz.ch
Researchers from ETH Zurich have discovered serious security vulnerabilities in three popular, cloud-based password managers. During testing, they were able to view and even make changes to stored passwords.
  • Millions of people use password managers. They make accessing online services and bank accounts easy and simplify credit card payments.
  • Many providers promise absolute security – the data is said to be so encrypted that even the providers themselves cannot access it.
  • However, researchers from ETH Zurich have shown that it is possible for hackers to view and even change passwords.
  • CardboardVictim@piefed.socialEnglish
    0·
    6 days ago

    For people interested there were 3 cloud based password managers tested and this is what they found

    The researchers demonstrated 12 attacks on Bitwarden, 7 on LastPass and 6 on Dashlane.

    • Appoxo@lemmy.dbzer0.comEnglish
      1·
      5 days ago

      What I am wondering myself: Do the different amount of attacks mean the attack surface was greater or had more vulnerabilities or what made them only do 6 on Dashlane vs 12 on Bitwarden?

      Edit:
      In another article it was total identified vulnerabilities.

      • CardboardVictim@piefed.socialEnglish
        1·
        6 days ago

        From what I scanned, there was no reason given on why they only attacked cloud based providers.

        My guess is that these are paid ones and thus have a ‘market share’, easier to attack etc.

        If you attack a ‘keepass’ password the attack vector is more crypto / memory based as far as my limited knowledge goes and not some funky inbetween attack.

        Also, if you attack a cloud base provides, you will most likely have multiple victims per breach / exploit, whilst offline are targeted and thus not so interesting in most cases unless we’re talking about a person of interest

        • U7826391786239@lemmy.zipEnglish
          1·
          6 days ago

          they ran the test on those pw managers because they were open source. that allowed the testers to implement a “dummy” provider on their own “compromised server.” so the results of failing the tests are based on the hypothetical situation of “what if bitwarden (or whoever) had an entire server taken over by hackers”. while the chances of that happening are greater than zero, it would take a lot for someone to completely hijack a server like that

          edit to add-- these tests are one of the reasons these pw managers choose to be open source: to allow 3rd party tests like this to find vulnerabilities, so they can be fixed

          nothing is 100% guaranteed safe, but if you don’t want to remember or write down dozens or hundreds of unique strong passwords, i still would recommend a pw manager