Researchers demo weaknesses affecting some of the most popular options

Academics say they found a series of flaws affecting three popular password managers, all of which claim to protect user credentials in the event that their servers are compromised.…

  • grue@lemmy.world · 22 up / 1 down · 1 day ago

    As usual, the actual best option (keepass in this case) gets no publicity.

      • Pika@sh.itjust.works · 13 up · 1 day ago

        I personally use syncthing to sync it between my devices and then keepassDX to load the database on the phone.

        You can technically use any file sync service, but I would recommend having some form of retention system (syncthing does this for you) in play in case it does somehow corrupt.

        I’m not sure about its compatibility with Apple products though, as I don’t own any.

        • lemmylommy@lemmy.world · 4 up · 1 day ago

          Keepassium is great on iPhones. You can sync through the files app (iCloud, smb,…) and it also has native connections to Dropbox, owncloud, nextcloud, WebDAV and more.
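The retention point raised in the comment above (keep older copies of the synced KeePass database in case a sync leaves it corrupted) is easy to automate. The script below is an added example written for this thread, not code from the original post or from the KeePass project: it keeps dated copies of a .kdbx file, prunes to the newest N, and refuses to rotate when the file no longer starts with the KDBX magic bytes, so a zero-filled or truncated database cannot silently push good backups out. The file names, the temporary directory and the `demo()` run are constructed for illustration; the KDBX signature constants are the documented KeePass 2.x values.

```python
"""Versioned backups of a KeePass .kdbx database with a cheap integrity gate.

Added example for this thread (not KeePass or syncthing code). Assumed layout:
the database lives at some path and backups go to a sibling directory.
"""
import shutil
import struct
import tempfile
from datetime import datetime
from pathlib import Path
from typing import Optional

# First eight bytes of every KeePass 2.x (KDBX) database, little-endian.
KDBX_SIG1 = 0x9AA2D903
KDBX_SIG2 = 0xB54BFB67


def looks_like_kdbx(path: Path) -> bool:
    """Return True only if the file carries the KDBX magic header.

    This is a sanity check against a botched sync (zero-filled or truncated
    file), not a cryptographic verification of the database contents.
    """
    with open(path, "rb") as f:
        header = f.read(8)
    if len(header) < 8:
        return False
    sig1, sig2 = struct.unpack("<II", header)
    return sig1 == KDBX_SIG1 and sig2 == KDBX_SIG2


def rotate_backup(db: Path, backup_dir: Path, keep: int = 5,
                  now: Optional[datetime] = None) -> list:
    """Copy db into backup_dir with a timestamp, keep only the newest `keep`.

    Raises ValueError instead of touching the backup set when the source file
    does not look like a KDBX database, so a corrupt copy never evicts a good one.
    Returns the sorted list of backups that remain.
    """
    if not looks_like_kdbx(db):
        raise ValueError(f"{db} does not look like a KDBX database; refusing to rotate")
    backup_dir.mkdir(parents=True, exist_ok=True)
    stamp = (now or datetime.now()).strftime("%Y%m%d-%H%M%S")
    dest = backup_dir / f"{db.stem}-{stamp}{db.suffix}"
    shutil.copy2(db, dest)  # copy2 preserves the source mtime for later inspection
    pattern = f"{db.stem}-*{db.suffix}"
    backups = sorted(backup_dir.glob(pattern))  # timestamps sort lexicographically
    for old in backups[:-keep]:
        old.unlink()
    return sorted(backup_dir.glob(pattern))


def demo() -> dict:
    """Constructed run in a temp dir: a well-formed header and a zero-filled file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        good = root / "Passwords.kdbx"  # constructed: only the header is real
        good.write_bytes(struct.pack("<II", KDBX_SIG1, KDBX_SIG2) + b"\x00" * 64)
        bad = root / "Corrupt.kdbx"  # constructed: what a failed sync might leave behind
        bad.write_bytes(b"\x00" * 72)
        backups = root / "backups"
        kept = []
        for sec in range(7):  # seven rotations with keep=5 should leave five copies
            kept = rotate_backup(good, backups, keep=5,
                                 now=datetime(2024, 1, 1, 0, 0, sec))
        try:
            rotate_backup(bad, backups, keep=5)
            refused = False
        except ValueError:
            refused = True
        return {
            "good_ok": looks_like_kdbx(good),
            "bad_ok": looks_like_kdbx(bad),
            "kept": len(kept),
            "refused": refused,
        }


if __name__ == "__main__":
    print(demo())
```

Run it on a schedule (cron, a syncthing post-sync hook, or a systemd timer) against the real database path; the magic-byte check is deliberately minimal, so a database that opens in KeePass but has a damaged body still needs the client's own verification when you test a restore.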

  • lemmysmash@beehaw.org · 13 up · 1 day ago

    To be fair, it’s worth noting that the majority (all?) of the flaws were found around organization management, SSO, vault sharing and compatibility features. All of which severely expand the attack surface of any password manager, and hence should be avoided like a plague.

    Also worth noting that the actual whitepaper (also linked in the article) is much better written than the article, and it was an interesting and easily understandable read. Give it a go.

    And thanks for sharing!

  • Artwork@lemmy.world · 10 up · 1 day ago

    Since end-to-end encryption is still relatively new in commercial services, it seems that no one had ever examined it in detail before…
    Source

    Oh really?! Tell me about it!
    In addition to KeePass, some may find “Pass” interesting, that is based on GnuPG - https://www.passwordstore.org/

  • favoredponcho@lemmy.zip · 8 up · 1 day ago

    As one of the most popular alternatives to Apple and Google’s own password managers, which together dominate the market, the researchers found Bitwarden was most susceptible to attacks, with 12 working against the open-source product.

    Shit

  • WagnasT@piefed.world · 5 up · 1 day ago

    I think there is an important distinction that all of the attacks are against the client connection to the compromised server, they’re not able to decrypt the data at rest.
    Hopefully each organization hardens against these discoveries.

  • prostatitis@lemmy.world · 3 up · 24 hours ago

    Nice article. I’ve been using Keepass for many years, but as someone who’s been looking to switch to Linux, this is very intriguing.