π¨ New research from ETH Zurich has found that popular password manager's zero-knowledge encryption claims don't fully hold up if their servers are compromised.
-
@privacyguides This sounds like the kind of thing that cannot just be "fixed". As far as I can tell, *all three were lying* about their servers being dumb storage without access to your secrets. This is a problem of vendor integrity not a technical problem.
@dalias @privacyguides Self-host, some things are better of self hosted. And a password manager is one of them. And better without any internet access, your devices can sync when they are on your local network.
-
@dalias @privacyguides Self-host, some things are better of self hosted. And a password manager is one of them. And better without any internet access, your devices can sync when they are on your local network.
@h0m3 @privacyguides It doesn't even need self-hosting. It just needs the storage backend to be a pure content-agnostic storage backend for opaque encrypted data, not having some control channel interaction that puts the vendor in a privileged position and locks you in to using their cloud infrastructure.
-
@h0m3 @privacyguides It doesn't even need self-hosting. It just needs the storage backend to be a pure content-agnostic storage backend for opaque encrypted data, not having some control channel interaction that puts the vendor in a privileged position and locks you in to using their cloud infrastructure.
@dalias @h0m3 @privacyguides KeePass is the best option if you don't need cloud sync
-
@dalias @h0m3 @privacyguides KeePass is the best option if you don't need cloud sync
@helloclippy @h0m3 @privacyguides Cloud sync is good, but only if it's *your choice* of storage and the storage provider doesn't have backdoor access to the password manager.
-
@helloclippy @h0m3 @privacyguides Cloud sync is good, but only if it's *your choice* of storage and the storage provider doesn't have backdoor access to the password manager.
@dalias @helloclippy @privacyguides Yes. Bitwarden allows you to cloud sync to your instance, even using an alternative server application like vaultwarden. Thats the most important feature for me and i would abandon them if they choose to remove it in the future.
"Its open source but you can only connect to our proprietary servers" is a no-go to me
-
E em0nm4stodon@infosec.exchange shared this topic
-
New research from ETH Zurich has found that popular password manager's zero-knowledge encryption claims don't fully hold up if their servers are compromised. 
οΈ
LastPass, Dashlane & Bitwarden were identified as being affected, this is significant because cloud password managers commonly claim that their user's data would be unaffected if they were compromised. 
#privacy #security #passwordmanager
Password managers donβt protect secrets if pwned
: Researchers demo weaknesses affecting some of the most popular options
(www.theregister.com)
@privacyguides same old story and yet ppl still not convinced to local only password managers like keepassxc...
-
@privacyguides
Do you have another source for Bitwarden havin fixed the issues? If i am not mistaking, i can't see where they say something explicit about Bitwarden fixing these issues in the linked article.@Papaexmatrikulatus @privacyguides
Security through transparency: ETH Zurich audits Bitwarden cryptography against malicious server scenarios | Bitwarden
A new in-depth security report is available, continuing the Bitwarden commitment to transparency and trusted open source security. The audit, conducted by the prestigious Applied Cryptography Group at ETH Zurich, proactively tested Bitwarden core cryptography operations against the hypothetical event of a maliciously compromised server. All issues identified in the report have been addressed by the Bitwarden team and have been included in the attached cryptography report for full transparency.
Bitwarden (bitwarden.com)
-
@Papaexmatrikulatus @privacyguides
Security through transparency: ETH Zurich audits Bitwarden cryptography against malicious server scenarios | Bitwarden
A new in-depth security report is available, continuing the Bitwarden commitment to transparency and trusted open source security. The audit, conducted by the prestigious Applied Cryptography Group at ETH Zurich, proactively tested Bitwarden core cryptography operations against the hypothetical event of a maliciously compromised server. All issues identified in the report have been addressed by the Bitwarden team and have been included in the attached cryptography report for full transparency.
Bitwarden (bitwarden.com)
@timisch @privacyguides Thank you!
-
Dashlane & Bitwarden promptly issued fixes.
LastPass did not issue a fix and stated: "our own assessment of these risks may not fully align with the severity ratings assigned by the ETH ZΓΌrich team."
In 2022, LastPass experienced a breach that impacted 1.6 million users due to inadequately strong technical and security measures within their infrastructure.The best time to switch from LastPass was yesterday; the second best is today.
οΈHere's what we recommend
οΈ@privacyguides
Lastpass is an absolutely AWFUL company.After LogMeIn got their hands on them the prices skyrocketed from $12 to $24 to $36 to $48 a year for their premium plan.
I switched to Bitwarden, who have kept their premium plan at just $10 a year, for many years now.
With ownership of Lastpass now in the hands of not one, but two investment companies, one really has to question where Lastpass's priorities lie.
-
Secure local password managers
οΈ For more info visit our site: https://www.privacyguides.org/en/passwords/#local-storage @privacyguides keep assium
-
Secure local password managersοΈ For more info visit our site: https://www.privacyguides.org/en/passwords/#local-storage
@privacyguides what do you recommend for self-hosting a password manager?
-
@dalias @helloclippy @privacyguides Yes. Bitwarden allows you to cloud sync to your instance, even using an alternative server application like vaultwarden. Thats the most important feature for me and i would abandon them if they choose to remove it in the future.
"Its open source but you can only connect to our proprietary servers" is a no-go to me
@h0m3 @dalias @helloclippy @privacyguides
Bitwarden has EU based servers which I would recommend.
The cost for a year of service is very good value IMHO
-
@h0m3 @dalias @helloclippy @privacyguides
Bitwarden has EU based servers which I would recommend.
The cost for a year of service is very good value IMHO
@simonzerafa @h0m3 @helloclippy @privacyguides Where the servers are located doesn't matter if the encryption is done right.
-
@simonzerafa @h0m3 @helloclippy @privacyguides Where the servers are located doesn't matter if the encryption is done right.
@dalias @h0m3 @helloclippy @privacyguides
Regulations might say otherwise. Also Data Sovereignity
-
@dalias @h0m3 @helloclippy @privacyguides
Regulations might say otherwise. Also Data Sovereignity
@simonzerafa @h0m3 @helloclippy @privacyguides If encryption is being used right they aren't storing any personal data, just meaningless random bits. There is a risk of loss of availability but no risk of exposure or misuse.
-
@privacyguides what do you recommend for self-hosting a password manager?
KeePassXC would be our recommendation for an offline password manager. You can see all our recommendations here: https://www.privacyguides.org/en/passwords/#local-storage
