Contrary to what password managers say, a server compromise can mean game over.

slyborg@vmst.io

So… “your data is safe even if the server is breached” and also “nothing can prevent data compromise if an attacker controls the server”. Subtle difference, I guess - maybe your vault is uncrackable if the data leaks/is stolen, but the actual worst case threat model is where an attacker has backdoored your infrastructure. (2/3)

slyborg@vmst.io

@dangoodin https://1passwordstatic.com/files/security/1password-white-paper.pdf

"At present there’s no practical method for a user to verify the public key they’re encrypting data to belongs to their intended recipient. As a consequence it would be possible for a malicious or compromised 1Password server to provide dishonest public keys to the user, and run a successful attack. Under such an attack, it would be possible for the 1Password server to acquire vault encryption keys with little ability for users to detect or prevent it.” (1/3)

x41h@infosec.exchange

@Iveyline @dangoodin only useful if you trust the 3P is actually encrypting your password on their server.

angelascholder@mastodon.energy

@dangoodin Yeah, great!
Still happy to be using KeePass with the database on our own NAS with a copy in an online recoverable place for a big disaster where we would lose all our electronic devices.

The desktops connect direct to the database file on the NAS. It's synchronised to our netbooks and laptop, and on the mobiles the file is synchronised via WebDAV. So, we have access on all our devices, and it's all under our own control.

angelascholder@mastodon.energy

@tartley @dangoodin I don't really like KeePassXC, but didn't manage to get KeePass back on my Ubuntu machine.

cafeinux@infosec.exchange

@gullevek
Care to elaborate? I suppose Ars published some bad AI slop but I didn't get to witness the drama, so I don't know the details nor the extend of it.
@xlrobot @dangoodin

gullevek@famichiki.jp

@cafeinux @xlrobot @dangoodin https://sfba.social/@jeridansky/116089180436195865

Basically Ars published an article where most of the quotes where made up by AI and the article was about the Mathplot guy who “upset” an LLM agent that then wrote a hate post about beeing rejected from a pull request. The whole thing is just surreal. I lost all hope into the future

rrustema@mastodon.social

@notyourfanboy @dangoodin That version is not supported anymore, is it? I was forced to use their cloud when upgrading from version 7 to 8.

rrustema@mastodon.social

@notyourfanboy @dangoodin I am sorry, I assumed 1Password. Will check out Password Safe!

tab2space@mastodon.social

@dangoodin @tehstu

Likely fine for now, until the next server-hosted "not really zero knowledge" problem is discovered. Very likely, it already has been discovered... So you're down to hoping the discoverer isn't hunting you and your secrets in particular.

cys@ohai.social

@dangoodin @briankrebs How many cybersecurity terms have lost their original strong meaning over time? Two-factor authentication, one time pad, military grade encryption, and now zero knowledge. That’s off the top of my head. There must be other obvious ones I’ve missed.