π¨ New research from ETH Zurich has found that popular password manager's zero-knowledge encryption claims don't fully hold up if their servers are compromised.
-
οΈ Secure cloud password managers
οΈ For more info visit our site: https://www.privacyguides.org/en/passwords/#cloud-based#passwordmanager #security #privacyguides
Secure local password managersοΈ For more info visit our site: https://www.privacyguides.org/en/passwords/#local-storage #passwordmanager #security #privacyguides
-
Dashlane & Bitwarden promptly issued fixes.
LastPass did not issue a fix and stated: "our own assessment of these risks may not fully align with the severity ratings assigned by the ETH ZΓΌrich team."
In 2022, LastPass experienced a breach that impacted 1.6 million users due to inadequately strong technical and security measures within their infrastructure.The best time to switch from LastPass was yesterday; the second best is today.
οΈHere's what we recommend
οΈοΈ Secure cloud password managersοΈ For more info visit our site: https://www.privacyguides.org/en/passwords/#cloud-based#passwordmanager #security #privacyguides
-
New research from ETH Zurich has found that popular password manager's zero-knowledge encryption claims don't fully hold up if their servers are compromised. 
οΈ
LastPass, Dashlane & Bitwarden were identified as being affected, this is significant because cloud password managers commonly claim that their user's data would be unaffected if they were compromised. 
#privacy #security #passwordmanager
Password managers donβt protect secrets if pwned
: Researchers demo weaknesses affecting some of the most popular options
(www.theregister.com)
Dashlane & Bitwarden promptly issued fixes. LastPass did not issue a fix and stated: "our own assessment of these risks may not fully align with the severity ratings assigned by the ETH ZΓΌrich team."In 2022, LastPass experienced a breach that impacted 1.6 million users due to inadequately strong technical and security measures within their infrastructure.The best time to switch from LastPass was yesterday; the second best is today.
οΈHere's what we recommend
οΈ -
Dashlane & Bitwarden promptly issued fixes. LastPass did not issue a fix and stated: "our own assessment of these risks may not fully align with the severity ratings assigned by the ETH ZΓΌrich team."In 2022, LastPass experienced a breach that impacted 1.6 million users due to inadequately strong technical and security measures within their infrastructure.
The best time to switch from LastPass was yesterday; the second best is today.
οΈHere's what we recommend
οΈ@privacyguides A better name for LastPass is LostPass
-
Dashlane & Bitwarden promptly issued fixes. LastPass did not issue a fix and stated: "our own assessment of these risks may not fully align with the severity ratings assigned by the ETH ZΓΌrich team."In 2022, LastPass experienced a breach that impacted 1.6 million users due to inadequately strong technical and security measures within their infrastructure.
The best time to switch from LastPass was yesterday; the second best is today.
οΈHere's what we recommend
οΈ@privacyguides This sounds like the kind of thing that cannot just be "fixed". As far as I can tell, *all three were lying* about their servers being dumb storage without access to your secrets. This is a problem of vendor integrity not a technical problem.
-
Dashlane & Bitwarden promptly issued fixes. LastPass did not issue a fix and stated: "our own assessment of these risks may not fully align with the severity ratings assigned by the ETH ZΓΌrich team."In 2022, LastPass experienced a breach that impacted 1.6 million users due to inadequately strong technical and security measures within their infrastructure.
The best time to switch from LastPass was yesterday; the second best is today.
οΈHere's what we recommend
οΈ@privacyguides
Do you have another source for Bitwarden havin fixed the issues? If i am not mistaking, i can't see where they say something explicit about Bitwarden fixing these issues in the linked article. -
@privacyguides This sounds like the kind of thing that cannot just be "fixed". As far as I can tell, *all three were lying* about their servers being dumb storage without access to your secrets. This is a problem of vendor integrity not a technical problem.
@dalias @privacyguides Self-host, some things are better of self hosted. And a password manager is one of them. And better without any internet access, your devices can sync when they are on your local network.
-
@dalias @privacyguides Self-host, some things are better of self hosted. And a password manager is one of them. And better without any internet access, your devices can sync when they are on your local network.
@h0m3 @privacyguides It doesn't even need self-hosting. It just needs the storage backend to be a pure content-agnostic storage backend for opaque encrypted data, not having some control channel interaction that puts the vendor in a privileged position and locks you in to using their cloud infrastructure.
-
@h0m3 @privacyguides It doesn't even need self-hosting. It just needs the storage backend to be a pure content-agnostic storage backend for opaque encrypted data, not having some control channel interaction that puts the vendor in a privileged position and locks you in to using their cloud infrastructure.
@dalias @h0m3 @privacyguides KeePass is the best option if you don't need cloud sync
-
@dalias @h0m3 @privacyguides KeePass is the best option if you don't need cloud sync
@helloclippy @h0m3 @privacyguides Cloud sync is good, but only if it's *your choice* of storage and the storage provider doesn't have backdoor access to the password manager.
-
@helloclippy @h0m3 @privacyguides Cloud sync is good, but only if it's *your choice* of storage and the storage provider doesn't have backdoor access to the password manager.
@dalias @helloclippy @privacyguides Yes. Bitwarden allows you to cloud sync to your instance, even using an alternative server application like vaultwarden. Thats the most important feature for me and i would abandon them if they choose to remove it in the future.
"Its open source but you can only connect to our proprietary servers" is a no-go to me
-
E em0nm4stodon@infosec.exchange shared this topic
