• Millions of people use password managers. They make accessing online services and bank accounts easy and simplify credit card payments.
  • Many providers promise absolute security – the data is said to be so encrypted that even the providers themselves cannot access it.
  • However, researchers from ETH Zurich have shown that it is possible for hackers to view and even change passwords.
  • iglou@programming.dev · 11 hours ago

    If the password manager server is hacked and compromised, then syncing your passwords with the compromised server will lead to compromised passwords (duh)

    No, not “duh”. The right way to do this is client-side encryption/decryption. The server then does not at any moment know anything about your passwords.

    • felbane@lemmy.world · 2 hours ago (edited)

      This is what Bitwarden claims to do, and yet we have a paper showing that with a compromised server there exists a vulnerability:

      Their attacks ranged from integrity violations affecting specific, targeted user vaults to the complete compromise of all vaults within an organisation using the service. In most cases, the researchers were able to gain access to the passwords – and even make changes to them.

      • iglou@programming.dev · 1 hour ago

        What they claim to do and what they do is not necessarily the same. If done properly, the server does not need to be trusted.