You probably can't trust your password manager if it's compromised

https://lemmy.ca/post/60541192


cross-posted from: https://infosec.pub/post/42164102

> Researchers demo weaknesses affecting some of the most popular options. Academics say they found a series of flaws affecting three popular password managers, all of which claim to protect user credentials in the event that their servers are compromised.…

Security through transparency: ETH Zurich audits Bitwarden cryptography against malicious server scenarios | Bitwarden

A new in-depth security report is available, continuing the Bitwarden commitment to transparency and trusted open source security. The audit, conducted by the prestigious Applied Cryptography Group at ETH Zurich, proactively tested Bitwarden core cryptography operations against the hypothetical event of a maliciously compromised server. All issues identified in the report have been addressed by the Bitwarden team and have been included in the attached cryptography report for full transparency.


Yes, although it sounds like they haven’t finished fixing some of them:

> All issues have been addressed by Bitwarden. Seven of which have been resolved or are in active remediation by the Bitwarden team. The remaining three issues have been accepted as intentional design decisions necessary for product functionality.

Edit: There’s more information about the specific threats and remediation steps in the PDF report linked at the end of the Bitwarden blog post:

bitwarden.com/…/pwmgr_paper__1_-combined__1_.pdf

Looking through, it seems like for the most part these are very niche and/or require the user to be using SSO or enterprise recovery options and/or to change and rotate keys or resync often. I think few people using this for personal use would be interacting with that attack surface or accepting organizational invites, but it is serious for organizations (probably why they're trying to address this quickly).

Honestly, I think a server being incognito controlled and undetected in Bitwarden's fleet while also performing these attacks is unlikely? Certainly less likely than passwords being stolen from individual site hacks, or probably even banks. Like, at that point it would just be easier to do these types of manipulations directly on bank accounts or crypto wallets or email accounts than here, but then again, if you crack a wallet like this you theoretically get all the goodies to those too, I suppose, for a possibly short time (assuming the user wasn't using 2FA that wasn't email-based as well).

Not to mitigate these issues. They need to fix them; I'm just trying to ascertain how severe they are and whether individual users should have much cause for concern.
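To make the "malicious server" threat model the thread is weighing more concrete, here is a constructed toy model added as an example; it is not Bitwarden's protocol, not code from the ETH Zurich report, and it does not reproduce any of the reported findings. It assumes a hypothetical sync design in which the server stores the encrypted vault and also serves the KDF salt and work factor, and it uses a SHA-256 counter-mode keystream as a stand-in for a real cipher. The point it demonstrates is which malicious-server behaviours a client can refuse on its own (rollback to an older vault, tampering with the blob, silently weakening the KDF parameters) as long as it pins a little state locally and authenticates what the server returns, and, by omission, why anything the client is willing to accept from the server unauthenticated (such as server-driven key changes) becomes attack surface.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # PBKDF2 work factor (assumed; the client pins whatever it enrolled with)


def derive_keys(master_password: str, salt: bytes, iterations: int) -> tuple[bytes, bytes]:
    """Stretch the master password, then split it into an encryption key and a MAC key."""
    stretched = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations)
    enc_key = hmac.new(stretched, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(stretched, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream built from SHA-256; stands in for a real cipher."""
    blocks = [hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def _mac(mac_key: bytes, version: int, nonce: bytes, ct: bytes) -> bytes:
    # The version is inside the MAC, so the server cannot re-label an old blob as a new one.
    return hmac.new(mac_key, version.to_bytes(8, "big") + nonce + ct, hashlib.sha256).digest()


def seal(enc_key: bytes, mac_key: bytes, version: int, plaintext: bytes) -> dict:
    """Encrypt-then-MAC one vault snapshot."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return {"version": version, "nonce": nonce, "ct": ct, "tag": _mac(mac_key, version, nonce, ct)}


def unseal(enc_key: bytes, mac_key: bytes, record: dict) -> bytes:
    """Verify the MAC before touching the ciphertext."""
    tag = _mac(mac_key, record["version"], record["nonce"], record["ct"])
    if not hmac.compare_digest(tag, record["tag"]):
        raise ValueError("tamper: MAC mismatch on vault record")
    ks = _keystream(enc_key, record["nonce"], len(record["ct"]))
    return bytes(c ^ k for c, k in zip(record["ct"], ks))


class Server:
    """Holds whatever clients upload; it also hands out the KDF salt and work factor."""

    def __init__(self, salt: bytes, iterations: int):
        self.salt, self.iterations, self.records = salt, iterations, []

    def fetch(self) -> dict:
        return {"salt": self.salt, "iterations": self.iterations, "record": self.records[-1]}


class Client:
    """Pins KDF parameters and the last-seen vault version locally, outside server control."""

    def __init__(self, master_password: str):
        self.master_password = master_password
        self.pin = None

    def enroll(self, server: Server, secret: bytes) -> None:
        enc, mac = derive_keys(self.master_password, server.salt, server.iterations)
        server.records.append(seal(enc, mac, 1, secret))
        self.pin = {"salt": server.salt, "iterations": server.iterations, "version": 1}

    def update(self, server: Server, secret: bytes) -> None:
        enc, mac = derive_keys(self.master_password, self.pin["salt"], self.pin["iterations"])
        self.pin["version"] += 1
        server.records.append(seal(enc, mac, self.pin["version"], secret))

    def sync(self, server: Server) -> bytes:
        resp = server.fetch()
        # Check 1: the server may not change the salt or weaken the work factor behind the user's back.
        if resp["salt"] != self.pin["salt"] or resp["iterations"] < self.pin["iterations"]:
            raise ValueError("downgrade: server changed KDF parameters")
        # Check 2: a version older than the one we last wrote or saw is a replay.
        if resp["record"]["version"] < self.pin["version"]:
            raise ValueError("rollback: server served an older vault version")
        enc, mac = derive_keys(self.master_password, resp["salt"], resp["iterations"])
        plaintext = unseal(enc, mac, resp["record"])  # Check 3: integrity of the blob itself
        self.pin["version"] = resp["record"]["version"]
        return plaintext


def run_scenarios() -> dict:
    """Drive one honest sync and three malicious-server behaviours; return what the client saw."""
    server = Server(salt=bytes(range(16)), iterations=ITERATIONS)  # constructed sample deployment
    client = Client("correct horse battery staple")
    client.enroll(server, b"bank.example: hunter2")
    out = {"honest": client.sync(server) == b"bank.example: hunter2"}

    def attempt() -> str:
        try:
            client.sync(server)
            return "accepted"
        except ValueError as e:
            return str(e).split(":")[0]

    original = server.records[-1]
    flipped = bytes([original["ct"][0] ^ 0x01]) + original["ct"][1:]
    server.records[-1] = dict(original, ct=flipped)  # attacker edits the stored blob
    out["tamper"] = attempt()
    server.records[-1] = original

    server.iterations = 1  # attacker weakens the work factor it serves
    out["downgrade"] = attempt()
    server.iterations = ITERATIONS

    client.update(server, b"bank.example: newpass")
    server.records.pop()  # attacker discards the new snapshot and serves the previous one
    out["rollback"] = attempt()
    return out
```

Running `run_scenarios()` yields the honest sync succeeding and the other three refused by the named check. The checks only work because the client keeps the salt, work factor and last version somewhere the server cannot rewrite; a client that re-fetches all of that from the server on every sync has nothing to compare against, which is the general shape of the "trust the server for key material" problem the thread is discussing.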

Regarding a malicious server acting under Bitwarden's fleet: as I see it, the most vulnerable target would be an organization's self-hosted Bitwarden server.

Ah, great. Carrying on…