Password managers don’t protect secrets if pwned
www.theregister.com
: Researchers demo weaknesses affecting some of the most popular options

cross-posted from: https://infosec.pub/post/42164102

Researchers demo weaknesses affecting some of the most popular options Academics say they found a series of flaws affecting three popular password managers, all of which claim to protect user credentials in the event that their servers are compromised.…

  • melsaskca@lemmy.caEnglish
    1·
    7 days ago

    Let’s expand that specifically generic headline. "“You probably can’t trust anything if it’s been compromised”. More extra non-news at eleven.

  • ryper@lemmy.caEnglish
    1·
    9 days ago

    Since the summary doesn’t say which three popular password managers:

    As one of the most popular alternatives to Apple and Google’s own password managers, which together dominate the market, the researchers found Bitwarden was most susceptible to attacks, with 12 working against the open-source product. Seven distinct attacks worked against LastPass, and six succeeded in Dashlane.

      • myserverisdown@lemmy.worldEnglish
        1·
        8 days ago

        No. Because the very nature of passwords and password managers make you immeasurably safer than not using one at all. Password managers in almost all markets detect password compromises and alert you to change them. Doing so is trivial and as long as you catch it in time, you’re much safer and harder to target than almost any other user.

        Passwords are like physical locks. Its not about being unpickable or indestructible. Its mostly about raising the barrier of entry high enough that you are an unappealing target. Why would I spend days/weeks/months trying to crack the account of someone using a random string of 14 characters unique to every service and that can change their password within hours or days–when I could instead gain remote access to hundreds of other users that keep a ‘passwords.doc’ file in ~/documents with open permissions? They likely use passwords like ‘Snoopdog2004$’ so they’re easy to brute force, they won’t notice incursions, and can’t easily change passwords that are shared between multiple services.

  • darthinvidious@lemmy.worldEnglish
    1·
    3 days ago

    Use keepass… don’t use your phone for important stuff. I never get calls or texts. I have no friends.

    EDIT:

    I’m not being sarcastic y’all. I legit have no friends. The only texts I get are for deliveries or appointment reminders. Legit nothing else.

    • floofloof@lemmy.caOPEnglish
      1·
      9 days ago

      Well the specific point here is that these companies claim that a server hack won’t reveal your passwords since they’re encrypted and decrypted on your local device so the server only sees the encrypted version. Apparently this isn’t completely true.

  • chunes@lemmy.worldEnglish
    0·
    8 days ago

    And this is why I always thought a password manager is a bad idea.

    Centralizing your passwords means there is one really juicy target, that if compromised, ruins everything.

    • floofloof@lemmy.caOPEnglish
      1·
      8 days ago

      It’s clearly a risk, but if you have dozens of accounts and passwords it’s hard to come up with a feasible alternative.