16 comments

[ 5.0 ms ] story [ 36.2 ms ] thread
Has there been a similar evaluation of 1Password?
That's why KeePass is still the king. Offline vault > online vault.
>cloud-based password managers

The main issue with these managers. I use an encrypted text file and Emacs, nothing on the cloud for me.

I’m not sure why anybody is surprised. Eventually, everything is proven to be less secure than promised, especially once they are online.

There are certain types of data I prefer to have complete control over. Passwords, no matter how encrypted they claim to be, are top of the list.

We will see when the attacks are public, a lot of the malicious server attacks we have seen in the past were kinda of overblown. Not discounting OP but it is very easy to get into clickbait territory.
Save you the click.

The researchers demonstrated 12 attacks on Bitwarden, 7 on LastPass and 6 on Dashlane

caveat not properly addressed in the blog post: all "attacks" are assuming full takeover of web servers, which is certainly a scenario that should be protected against, but isn't really a vulnerability unless chained with something else.

almost all online services would be "vulnerable" in this way - take almost any login system. an RCE on a system hosting a login page would obviously be vulnerable to account takeover

better link here (the technical details): https://zkae.io/

> cloud-based password managers.

Enough said. This kind of stuff should be offline only. If you need to access your password database on multiple devices, set up a LAN and/or a Wireguard tunnel for remote access.

Storing encrypted files is the best use case for the cloud. There's absolutely zero reason to set up your own wire guard tunnel if the file is encrypted. You can even throw it on Google drive, if you want.
What a sane idea to store all your secrets in one place.... for attackers to get ahold of them in one move.
The article is nearly useless for users of the software who want to know how their data may have been affected. The researchers' website is more descriptive, especilly wrt specific findings.

https://zkae.io/

Online password managers is the distinction here.
I only want to know if BW01-05, 07, 10-12 and have been addressed. 06 is very minor and known, and 08-09 only appear to apply to organization accounts.
KeePass ftw

Just make sure you have backups