@sc00bz@infosec.exchange
Posts


  • Contrary to what password managers say, a server compromise can mean game over.
    sc00bz@infosec.exchange

    @dangoodin Three things the paper got wrong:

    * Bitwarden has a minimum of 5000 iterations (https://github.com/bitwarden/clients/blame/e262441999e4e243f903c8a781fcefc7906fa60c/libs/key-management/src/models/kdf-config.ts#L18).

    * 1Password's "KDF Parameter Downgrade" attack doesn't exist because they use a PAKE (SRP6a).

    * The mitigation for "KDF Parameter Downgrade" attacks is to give anyone trying to log in a password hash of the user's password. "Further, authenticating security-critical user settings like PBKDF parameters (such as the iteration count) would mitigate the KDF attacks (BW07, LP04). The client can use the server-provided KDF parameters to derive the authentication key, use it to verify the integrity of the parameters themselves, and – in case of a mismatch – abort before any further communication with the server." (page 17) An attacker can guess the password and check the MAC to see if it generated the correct key.

    Also this is all I really looked at because I was wondering if they found the downgrade attacks I've been complaining about for ~15 years.

    Uncategorized
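
Added example (not part of the original post or the paper): a Python sketch of why a MAC over the KDF parameters, keyed with the password-derived authentication key, acts as a password verifier for anyone who receives the parameters and tag before login. The PBKDF2-HMAC-SHA256 and HMAC-SHA256 construction, the JSON encoding, and the password and salt values are assumptions constructed for illustration.

```python
import hashlib
import hmac
import json


def auth_key(password: str, params: dict) -> bytes:
    """Derive the authentication key from the server-provided KDF parameters."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               bytes.fromhex(params["salt"]), params["iterations"])


def params_tag(password: str, params: dict) -> bytes:
    """MAC the KDF parameters with the password-derived key (assumed construction)."""
    blob = json.dumps(params, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hmac.new(auth_key(password, params), blob, hashlib.sha256).digest()


def client_check(password: str, params: dict, tag: bytes) -> bool:
    """Client-side integrity check: recompute the tag and compare in constant time."""
    return hmac.compare_digest(params_tag(password, params), tag)


# Constructed sample values, not taken from any real account.
PASSWORD = "correct horse battery staple"
PARAMS = {"kdf": "pbkdf2-sha256", "iterations": 5000,
          "salt": "00112233445566778899aabbccddeeff"}
TAG = params_tag(PASSWORD, PARAMS)  # what the server would hand out pre-login


def review() -> dict:
    """Evaluate the scheme using only what an unauthenticated party receives."""
    downgraded = dict(PARAMS, iterations=1)
    return {
        # Intended benefit: a tampered iteration count no longer verifies.
        "downgrade_detected": not client_check(PASSWORD, downgraded, TAG),
        # Side effect: (PARAMS, TAG) alone decides whether a guess is right,
        # with no server round trip, so TAG behaves like a password hash.
        "wrong_guess_rejected_offline": not client_check("hunter2", PARAMS, TAG),
        "right_guess_confirmed_offline": client_check(PASSWORD, PARAMS, TAG),
    }


if __name__ == "__main__":
    for name, value in review().items():
        print(f"{name}: {value}")
```

A PAKE such as the SRP6a mentioned above avoids handing out this kind of offline-checkable value before authentication.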

  • You may have seen this paper (https://eprint.iacr.org/2026/058.pdf), but it's not all doom and gloom; the authors got a few things incorrect (2 out of 3 of the things I looked for).
    sc00bz@infosec.exchange

    @dchest They also suggest this for Bitwarden and LastPass. So it's exactly the same as that.

    "Further, authenticating security-critical user settings like PBKDF parameters (such as the iteration count) would mitigate the KDF attacks (BW07, LP04). The client can use the server-provided KDF parameters to derive the authentication key, use it to verify the integrity of the parameters themselves, and – in case of a mismatch – abort before any further communication with the server."

    Uncategorized

  • You may have seen this paper (https://eprint.iacr.org/2026/058.pdf), but it's not all doom and gloom; the authors got a few things incorrect (2 out of 3 of the things I looked for).
    sc00bz@infosec.exchange

    Bonus: this is just so fucking stupid: "PROPOSED MITIGATION. The attack has limited impact, but it would be easy for 1Password to prevent it entirely: the secret key can be used (with proper key derivation) to authenticate the KDF parameters with a cryptographic MAC."... wait, do they know about 1Password's "secret key" (previous names were "device key" and "account key")? OK, if they do then not completely stupid, but still stupid because a stolen device now gives you offline vs online password guessing and removes the post compromised mitigations. Anyway, others might look at that and go "let's do that" and they'll end up giving everyone a hash of your password to crack offline.

    Uncategorized

  • You may have seen this paper (https://eprint.iacr.org/2026/058.pdf), but it's not all doom and gloom; the authors got a few things incorrect (2 out of 3 of the things I looked for).
    sc00bz@infosec.exchange

    You may have seen this paper (https://eprint.iacr.org/2026/058.pdf), but it's not all doom and gloom; the authors got a few things incorrect (2 out of 3 of the things I looked for). Like Bitwarden having a downgrade attack all the way down to 1 iteration of PBKDF2, but it's 5000. Also, 1Password does not have a downgrade attack because they use a PAKE.

    Uncategorized

  • Just found this hilarious bookmark (given current events) to a dead website: "Exploit Notepad++ upgrade using Evilgrade" October 15, 2014 https://web.archive.org/web/20161014043749/https://cyberinc.co.uk/exploit-notepad-upgrade-using-evilgrade/
    sc00bz@infosec.exchange

    Just found this hilarious bookmark (given current events) to a dead website:
    "Exploit Notepad++ upgrade using Evilgrade" October 15, 2014
    https://web.archive.org/web/20161014043749/https://cyberinc.co.uk/exploit-notepad-upgrade-using-evilgrade/

    Uncategorized