Password managers less secure than promised
ethz.ch
Researchers from ETH Zurich have discovered serious security vulnerabilities in three popular, cloud-based password managers. During testing, they were able to view and even make changes to stored passwords.
  • Millions of people use password managers. They make accessing online services and bank accounts easy and simplify credit card payments.
  • Many providers promise absolute security – the data is said to be so encrypted that even the providers themselves cannot access it.
  • However, researchers from ETH Zurich have shown that it is possible for hackers to view and even change passwords.
  • patatahooligan@lemmy.worldEnglish
    3·
    12 hours ago

    If the password manager server is hacked and compromised, then syncing your passwords with the compromised server will lead to compromised passwords (duh)

    What do you mean “duh”? The password managers claim that the exact opposite is true.

    Most service providers therefore promote their products with the promise of “zero-knowledge encryption”. This means they assure users that their stored passwords are encrypted and even the providers themselves have “zero knowledge” of them and no access to what has been stored. “The promise is that even if someone is able to access the server, this does not pose a security risk to customers because the data is encrypted and therefore unreadable. We have now shown that this is not the case”, explains Matilda Backendal.

    This would be true for a properly implemented end-to-end encryption scheme.

    • felbane@lemmy.worldEnglish
      1·
      2 hours ago

      “Properly implemented” is doing the heavy lifting in that sentence.

      Four paragraphs down from your quote is this:

      Their attacks ranged from integrity violations affecting specific, targeted user vaults to the complete compromise of all vaults within an organisation using the service. In most cases, the researchers were able to gain access to the passwords – and even make changes to them.

      If E2EE were properly implemented, the above would be impossible.