Password managers less secure than promised
ethz.ch
Researchers from ETH Zurich have discovered serious security vulnerabilities in three popular, cloud-based password managers. During testing, they were able to view and even make changes to stored passwords.
  • Millions of people use password managers. They make accessing online services and bank accounts easy and simplify credit card payments.
  • Many providers promise absolute security – the data is said to be so encrypted that even the providers themselves cannot access it.
  • However, researchers from ETH Zurich have shown that it is possible for hackers to view and even change passwords.
  • Kushan@lemmy.worldEnglish
    1681·
    25 days ago

    From the paper itself:

    We had a video-conference and numerous email exchanges with Bitwarden. At the time of writing, they are well advanced in deploying mitigations for our attacks: BW01, BW03, BW11, BW12 were addressed, the minimum KDF iteration count for BW07 is now 5000, and their roadmap includes completely removing CBC-only encryption, enforcing per-item keys and changing the vault format for integrity. On 22.12.25 they shared with us a draft for a signed organisation membership scheme, which would resolve BW08 and BW09. At our request, to maintain anonymity, they have not yet credited us publicly for the disclosure, but plan to do so.

    I didn’t look at the response to other Password managers, but the gist here is that the article is overblowing the paper by quite a bit and the majority of the “issues” discovered are either already fixed, or active design decisions.

    • 1984@lemmy.todayEnglish
      412·
      25 days ago

      I was also just looking for bitwarden information. Its just the best password manager and has never failed to do its job.

      I dont know what they mean with less secure than promised. I didnt expect them to be perfect, and havent read that they promise no security flaws.

      • Appoxo@lemmy.dbzer0.comEnglish
        2·
        24 days ago

        Or you can change the encryption to argon2 in the settings with salted hashes.
        Granted it’s probably not per item but at least something.