You probably can't trust your password manager if it's compromised

https://lemmy.ca/post/60541192


cross-posted from: https://infosec.pub/post/42164102

> Researchers demo weaknesses affecting some of the most popular options
>
> Academics say they found a series of flaws affecting three popular password managers, all of which claim to protect user credentials in the event that their servers are compromised.…

Since the summary doesn’t say which three popular password managers:

As one of the most popular alternatives to Apple and Google’s own password managers, which together dominate the market, the researchers found Bitwarden was most susceptible to attacks, with 12 working against the open-source product. Seven distinct attacks worked against LastPass, and six succeeded in Dashlane.

Next do proton pass
So I chose the worst pick, eh?

No. Because the very nature of passwords and password managers makes you immeasurably safer than not using one at all. Password managers in almost all markets detect password compromises and alert you to change them. Doing so is trivial and as long as you catch it in time, you’re much safer and harder to target than almost any other user.

Passwords are like physical locks. It’s not about being unpickable or indestructible. It’s mostly about raising the barrier of entry high enough that you are an unappealing target. Why would I spend days/weeks/months trying to crack the account of someone using a random string of 14 characters unique to every service and that can change their password within hours or days–when I could instead gain remote access to hundreds of other users that keep a ‘passwords.doc’ file in ~/documents with open permissions? They likely use passwords like ‘Snoopdog2004$’ so they’re easy to brute force, they won’t notice incursions, and can’t easily change passwords that are shared between multiple services.

And glosses over what it claims are the two that dominate the market (combined market share of 55%), which negates their headline, since it’s likely the reader is using one of those two password managers.

Source

2024 Password Manager Industry Report and Statistics

Despite benefits, only 36% of U.S. adults use password managers. Google and Apple lead the market, while poor password habits increase security risks.

Security.org