cross-posted from: https://infosec.pub/post/42164102

Researchers demo weaknesses affecting some of the most popular options Academics say they found a series of flaws affecting three popular password managers, all of which claim to protect user credentials in the event that their servers are compromised.…

    • AnyOldName3@lemmy.world · 5 upvotes · 6 days ago

      Password managers are supposed to be designed to resist a situation where they’re compromised, and are only ever supposed to see a mysterious blob of encrypted data without ever having access to any information that would help decrypt it. The headline’s more like M1 Abrams Tanks Vulnerable to Small Arms Fire - it’d be totally expected that most things die when shot with bullets, but the point of a tank is that it doesn’t, so it’s a big deal if it does.

  • BeardededSquidward@lemmy.blahaj.zone · 12 upvotes · 7 days ago

    I’ll be honest, password managers are like the holy grail of desirable to breach. If you’re using one it will be constantly under attack. It being breached or vulnerable shouldn’t be a surprise. There isn’t really a secure way to store large amounts of passwords that doesn’t have some vulnerability issues.

    • nieminen@lemmy.world · 2 upvotes · 6 days ago

      That’s why I liked password store, no servers, just my encrypted password files on my own computer, that I sync over to my other devices.

      Apparently it’s dying soon though, so I need an alternative.

    • floofloof@lemmy.ca (OP) · 5 upvotes · edited · 7 days ago

      If you don’t have to use your passwords from multiple locations, your hints are intelligible only to you, and you don’t leave the paper anywhere too obvious, this isn’t a bad solution.

  • melsaskca@lemmy.ca · 3 upvotes · 6 days ago

    Let’s expand that specifically generic headline. “You probably can’t trust anything if it’s been compromised.” More extra non-news at eleven.

  • cley_faye@lemmy.world · 4 upvotes · 6 days ago

    If the entire supply chain up to the software you’re running to perform actual decryption is compromised, then the decrypted data is vulnerable. I mean, yeah? That’s why we use open-source clients and check builds/use builds from a separate source, so that the compromise of one actor does not compromise the whole chain. The server (if any) is managed by one entity and only manages access control + encrypted data, the client from a separate trusted source manages decryption, and the general safety of your whole system remains your responsibility.

    Security requires a modicum of awareness and involvement from the users, always. The only news here is that people apparently never considered supply chain attacks up until now?

  • chunes@lemmy.world · 1 upvote · 6 days ago

    And this is why I always thought a password manager is a bad idea.

    Centralizing your passwords means there is one really juicy target, that if compromised, ruins everything.

    • floofloof@lemmy.ca (OP) · 5 upvotes · 6 days ago

      It’s clearly a risk, but if you have dozens of accounts and passwords it’s hard to come up with a feasible alternative.

      • chunes@lemmy.world · 2 upvotes · edited · 6 days ago

        My solution is to make variants of my usual password that are so different I end up having to reset my passwords constantly. Lately, I’ve taken to writing my passwords on a piece of paper in my house, which means I can choose more unique ones.

  • darthinvidious@lemmy.world · 1 upvote · edited · 1 day ago

    Use keepass… don’t use your phone for important stuff. I never get calls or texts. I have no friends.

    EDIT:

    I’m not being sarcastic y’all. I legit have no friends. The only texts I get are for deliveries or appointment reminders. Legit nothing else.

  • ryper@lemmy.ca · 60 upvotes · 7 days ago

    Since the summary doesn’t say which three popular password managers:

    As one of the most popular alternatives to Apple and Google’s own password managers, which together dominate the market, the researchers found Bitwarden was most susceptible to attacks, with 12 working against the open-source product. Seven distinct attacks worked against LastPass, and six succeeded in Dashlane.

      • myserverisdown@lemmy.world · 8 upvotes · 7 days ago

        No. Because the very nature of passwords and password managers makes you immeasurably safer than not using one at all. Password managers in almost all markets detect password compromises and alert you to change them. Doing so is trivial and as long as you catch it in time, you’re much safer and harder to target than almost any other user.

        Passwords are like physical locks. It’s not about being unpickable or indestructible. It’s mostly about raising the barrier of entry high enough that you are an unappealing target. Why would I spend days/weeks/months trying to crack the account of someone using a random string of 14 characters unique to every service and that can change their password within hours or days–when I could instead gain remote access to hundreds of other users that keep a ‘passwords.doc’ file in ~/documents with open permissions? They likely use passwords like ‘Snoopdog2004$’ so they’re easy to brute force, they won’t notice incursions, and can’t easily change passwords that are shared between multiple services.

    • Clent@lemmy.dbzer0.com · 4 upvotes · 7 days ago

      And glosses over what it claims are the two that dominate the market (combined market share of 55%), which negates their headline, since it’s likely the reader is using one of those two password managers.

      Source

    • floofloof@lemmy.ca (OP) · 17 upvotes · edited · 7 days ago

      Yes, although it sounds like they haven’t finished fixing some of them:

      All issues have been addressed by Bitwarden. Seven of which have been resolved or are in active remediation by the Bitwarden team. The remaining three issues have been accepted as intentional design decisions necessary for product functionality.

      Edit: There’s more information about the specific threats and remediation steps in the PDF report linked at the end of the Bitwarden blog post:

      https://bitwarden.com/assets/Kki4W785JIPOdFj6EeWB5/1e74e924febb4c6a5ad03eed23b92d23/pwmgr_paper__1_-combinedÂ__1_.pdf

      • AliasAKA@lemmy.world · 16 upvotes · 7 days ago

        Looking through, it seems like for the most part these are very niche and/or require the user to be using SSO or enterprise recovery options and/or try to change and rotate keys or resync often. I think few people using this for personal would be interacting with that attack surface or accepting organizational invites, but it is serious for organizations (probably why they’re trying quickly to address this).

        Honestly I think a server being incognito controlled and undetected in Bitwarden’s fleet while also performing these attacks is, unlikely? Certainly less likely than passwords being stolen from individual site hacks or probably even banks. Like at that point, it would just be easier to do these types of manipulations directly on bank accounts or crypto wallets or email accounts than here, but then again, if you crack a wallet like this you get theoretically all the goodies to those too I suppose, for a possibly short time (assuming the user wasn’t using 2FA that wasn’t email based as well).

        Not to mitigate these issues. They need to fix them, just trying to ascertain how severe and if individual users should have much cause for concern.

        • ArrowMax@feddit.org · 6 upvotes · 7 days ago

          Regarding a malicious server acting under Bitwarden’s fleet: As I see it, the most vulnerable target would be an organization’s self-hosted Bitwarden server.

    • COASTER1921@lemmy.ml · 51 upvotes · 7 days ago

      These attacks are more around the encryption and all require a fully malicious server. It sounds like Bitwarden is taking these seriously and personally I’d still strongly prefer it to any closed source solution where there could be many more unknown but undiscovered security concerns.

      Using a local solution is always most secure, but imo you should first ask yourself if you trust your own security practices and whether you have sufficient hardware redundancy to be actually better. I managed to lose the private key to some Bitcoin about a decade ago due to trying to be clever with encryption and local redundant copies.

      Further, with the prevalence of 2FA even if their server was somehow fully compromised as long as you use a different authenticator app than Bitwarden you’re not at major risk anyways. With how poorly the average person manages their password security this hurdle alone is likely enough to stop all but attacks targeted specifically at you as an individual.

        • lobut@lemmy.ca · 1 upvote · 6 days ago

          Yeah I use MFA on anything that matters.

          It means my authenticator is just riddled with items but it is what it is.

      • chocrates@piefed.world · 5 upvotes · 7 days ago

        I don’t have the self hosting maturity to share my db across my devices yet. I need to get on that.

        • philpo@feddit.org · 1 upvote · 7 days ago

          Personal recommendation: Start with self-hosting support software like Casa, Yuno or (my recommendation) Cloudron. Start hosting the app there with frequent backups and occasionally export into regular Bitwarden as a failsafe.

          And when you are comfortable, switch over to properly self-hosted Vaultwarden.

        • W98BSoD@lemmy.dbzer0.com · 15 upvotes · 7 days ago

          If it’s critical, don’t self-host it. It’s not worth it.

          I know people will argue; I just need something that works and that I don’t have to worry about patching.

    • eodur@piefed.social · 7 upvotes · 7 days ago

      That’s really disappointing. At least the self-hosted version means it would have to be a heavily targeted attack.

      • Bazoogle@lemmy.world · 4 upvotes · 7 days ago

        I don’t think it should be disappointing. Bitwarden welcomes third party security testing, especially given it is open source. The tests done were just tests, and the issues were already fixed.

        • eodur@piefed.social · 2 upvotes · 7 days ago

          Yeah, after seeing their response I’m quite satisfied. They’re one of the good guys and I hope it stays that way.