• Millions of people use password managers. They make accessing online services and bank accounts easy and simplify credit card payments.
  • Many providers promise absolute security: the data is said to be encrypted in such a way that even the providers themselves cannot access it.
  • However, researchers from ETH Zurich have shown that it is possible for hackers to view and even change passwords.
  • CardboardVictim@piefed.social · ↑42 · 3 months ago

    For people interested, there were 3 cloud-based password managers tested and this is what they found.

    The researchers demonstrated 12 attacks on Bitwarden, 7 on LastPass and 6 on Dashlane.

      • _edge@discuss.tchncs.de · ↑23 · 3 months ago

        The method they use requires a client-server architecture. Hence, they cannot attack a local KeePass file even if you sync it to some cloud.

      • CardboardVictim@piefed.social · ↑15 · 3 months ago

        From what I scanned, there was no reason given on why they only attacked cloud-based providers.

        My guess is that these are paid ones and thus have a ‘market share’, easier to attack etc.

        If you attack a ‘keepass’ password, the attack vector is more crypto/memory-based, as far as my limited knowledge goes, and not some funky in-between attack.

        Also, if you attack a cloud-based provider, you will most likely have multiple victims per breach/exploit, whilst offline ones are targeted and thus not so interesting in most cases unless we’re talking about a person of interest.
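To make concrete the distinction the two comments above draw, between an attack that needs a client-server architecture and a local file that is merely synced, here is an added example that is not from the article, the paper, or any of the products named. It seals a vault entirely on the client with a key derived from the master password and authenticated encryption, then models the cloud folder as a storage party that can read and rewrite bytes. The storage party sees only ciphertext and cannot alter an entry without the client rejecting the blob. All names (`seal_vault`, `open_vault`, `SyncStorage`, `demo`) and the sample entry are constructed for this example; the encrypt-then-MAC construction over an HMAC-SHA256 counter keystream is used only so the block runs with the Python standard library, where a real vault would use AES-GCM or ChaCha20-Poly1305. It shows the property _edge describes, not what the ETH attacks exploit in the tested products, which this page does not detail.

```python
import hashlib
import hmac
import json
import secrets

MAGIC = b"vault1"
SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32
PBKDF2_ITERATIONS = 600_000  # order of magnitude OWASP suggests for PBKDF2-HMAC-SHA256


def derive_keys(master_password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS):
    """Derive independent encryption and MAC keys from the master password.
    This runs on the client only; the master password never leaves this process."""
    km = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=64)
    return km[:32], km[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a PRF keystream: a stdlib-only stand-in for AES-CTR.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def seal_vault(entries: dict, master_password: str) -> bytes:
    """Encrypt-then-MAC the vault. Blob layout: MAGIC | salt | nonce | ciphertext | tag."""
    salt = secrets.token_bytes(SALT_LEN)
    nonce = secrets.token_bytes(NONCE_LEN)
    enc_key, mac_key = derive_keys(master_password, salt)
    plaintext = json.dumps(entries, sort_keys=True).encode("utf-8")
    ciphertext = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    body = MAGIC + salt + nonce + ciphertext
    tag = hmac.new(mac_key, body, hashlib.sha256).digest()  # tag covers the header too
    return body + tag


def open_vault(blob: bytes, master_password: str) -> dict:
    """Verify the tag before touching the ciphertext; any modification fails here."""
    if len(blob) < len(MAGIC) + SALT_LEN + NONCE_LEN + TAG_LEN or not blob.startswith(MAGIC):
        raise ValueError("not a vault blob")
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    salt = body[len(MAGIC):len(MAGIC) + SALT_LEN]
    nonce = body[len(MAGIC) + SALT_LEN:len(MAGIC) + SALT_LEN + NONCE_LEN]
    ciphertext = body[len(MAGIC) + SALT_LEN + NONCE_LEN:]
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("vault rejected: wrong master password or tampered blob")
    return json.loads(_xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


class SyncStorage:
    """Models the cloud folder: it stores bytes and can read or rewrite them, nothing more."""

    def __init__(self):
        self.blob = b""

    def upload(self, blob: bytes):
        self.blob = blob

    def download(self) -> bytes:
        return self.blob

    def can_see(self, secret: str) -> bool:
        # Would a party holding the blob find the stored password in it?
        return secret.encode("utf-8") in self.blob

    def tamper(self):
        # A malicious storage party flips one byte inside the ciphertext region,
        # hoping to silently change a stored entry.
        i = len(MAGIC) + SALT_LEN + NONCE_LEN + 5
        b = bytearray(self.blob)
        b[i] ^= 0x01
        self.blob = bytes(b)


def demo() -> dict:
    entries = {"bank.example": "hunter2-not-a-real-password"}  # constructed sample entry
    pw = "correct horse battery staple"
    store = SyncStorage()
    store.upload(seal_vault(entries, pw))
    result = {
        "plaintext_visible": store.can_see(entries["bank.example"]),
        "roundtrip": open_vault(store.download(), pw) == entries,
    }
    try:
        open_vault(store.download(), "wrong password")
        result["wrong_password_rejected"] = False
    except ValueError:
        result["wrong_password_rejected"] = True
    store.tamper()
    try:
        open_vault(store.download(), pw)
        result["tamper_detected"] = False
    except ValueError:
        result["tamper_detected"] = True
    return result
```

What the storage party is left with is offline guessing of the master password against the blob, which is exactly the crypto-side attack the second comment alludes to and why the KDF cost (here PBKDF2 iterations, in practice Argon2 for a file-based vault) is the setting that matters for a synced local file.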

    • stephen01king@piefed.zip · ↑3 · 3 months ago

      Unfortunately they don’t explain what the attacks were in the article. Gonna need to find the paper to know.

    • Appoxo@lemmy.dbzer0.com · ↑3 · edited · 3 months ago

      What I am wondering myself: does the different number of attacks mean the attack surface was greater or that there were more vulnerabilities, or what made them only do 6 on Dashlane vs 12 on Bitwarden?

      Edit:
      In another article it was the total of identified vulnerabilities.

    • artyom@piefed.social · ↑3 ↓1 · 3 months ago

      Yes but unfortunately nothing specific about the strength of any particular option.