Many providers promise absolute security
This struck me as wrong, because that would be a technically impossible and liability-inviting thing to promise.
And after checking the homepages of the 3 services they tested, yep, none of them promise “absolute security.”
Would having a synced Keepass database with a composite key protect against this?
When I made my database I created a composite key file that never goes online. I locally copy it to any device that needs to access the database. The idea was even if the password got compromised you can't access the database without the key file
What if you have a house fire and lose all devices with the key
What if there's a nuclear war end the house gets vaporized?
To protect against this scenario I have this small portable computer that I keep in my pocket. They're quite popular these days.
i really wasnt expecting a password manager related tech fearmongering on lemmy today
Don't store your stuff in the cloud unless you don't mind someone else accessing it.
If you store things in the cloud that you don't want other people to access, you better be encrypting it yourself and only opening it locally.
This has been a cardinal rule since day 1.
I don't want people to access my files but I wouldn't really care if they did. I don't understand people who keep things like compromising photos of themselves online, who's benefit is that for, and why do you need quick access to your nudies?
I use local for important stuff (financial) and online ones for things that are not to important.
“We want our work to help bring about change in this industry,” says Paterson. “The providers of password managers should not make false promises to their customers about security but instead communicate more clearly and precisely what security guarantees their solutions actually offer.”
Great.
Now which password vault was the most cooperative and clear in their security communication and which one wasnt?
The author said that they have given the providers time to fix the issues. Now highlight the ones that did it the best.... >_>
They did gove some advice. They said to go with a vendor that is transparent about problems and reveals the results of their third party security audits. I’m sure if you read between the lines it means they likely reviewed several vendors and chose to spend their time attacking ones that are opaque about their security stance and used outdated encryption or bad implementations of E2E encryption. So all three are likely suspect. Like if 1Password were developed similarly to LastPass wouldn’t they have spent time attacking it?
Edit: https://support.1password.com/security-assessments/
1Password are posting the results of their external pen testing now.
About 1password publishing their pentesting results. Why put it behind a 'give me your email address' wall?
That alone is enough for me to instantly disregard them as an option.
Bitwarden did so too.
But IMO your assumption is a bit of interpreting bad/malicious faith into it.
I see it more like they are the more publicly known brands/services that do this and underwent the audit.
I have read the TLDR by the authors (linked a few times in the comments) and the answer by bitwarden.
Bitwarden said the, fixed the issue, are in the progress of doing it or are accepting it as "this is intended/a trade-off".
What is a bit sad is that they had more vulnerabilities than other vendors. But I trust them more as they are mostly OSS.
With pretty much every major company being hacked at some point, credit card companies being hacked, everyone selling our details and data, doge and palantir. Feels like post it notes under the keyboard isn’t that bad of an idea.
If someone breaks into my house to read them I have big problems already.
You have no idea how many times I’ve made that exact statement.
Let's start a club
Post its have their problems but at least they can’t be read half a globe away
That's why mine is a physical book.
Really depends on your threat model whether this is a good idea. If cops raiding your home is part of it, a physical book might not be your best bet.
That's very true.
If you're at the point where that's a possibility that you need to defend against then you probably already have better security than using a password manager.
Use a offline password manager. Problem solved.
Solves the security issue. Destroys the accessibility part
Just use Syncthing with your trusted host
I just sync it using my Nextcloud instance. No issues.
I use an offline password manager, and sync an encrypted database with nextcloud. It's convenient enough, and secure enough for me. Easy to sync between my phone, desktop, and laptop. And I only need to remember two passwords, the nextcloud one, and the manager one. I don't think you can have it more secure and convenient all the same, at least not with current tech.
Bitwarden with a vaultwarden docker container on my home server. Access over a VPS.
Many will argue that they need the convenience of an online password manager not knowing that what you stated is the safest form
I use one of the password managers mentioned in the article, purely for the convenience of apps on all my devices, syncing and complex individual passwords. Should I be looking to move to self hosting something instead? Would my host (likely a synology Nas or raspberry pi) not then have the same risks?
I self host via vault warden. And I have it locked behind tailscale vpn. Aside from your server itself getting hacked, which is a risk, this is more secure than having passwords on the public internet.
I host a pi hole via diet pi already, vault warden is packaged for diet pi already, project for the weekend!
Love the raspis, just make sure the passwords are not stored on the sd card because those fail all the time hah.
Security through layers. The flaws found here are about compromised server, so hosting your own server is a good first step. Next step is making the server only accessible via your own VPN. And of course hardening the server.
I believe Proton Pass does not have the design flaws shown in the article. For instance, if you lose your password, you lose your data. Your data is encrypted and decrypted on your device.
This is what all the listed password manager claim.
What was done here was tricking the client through the server to do things. So the fixes went into the client application.
From the paper itself:
We had a video-conference and numerous email exchanges with Bitwarden. At the time of writing, they are well advanced in deploying mitigations for our attacks: BW01, BW03, BW11, BW12 were addressed, the minimum KDF iteration count for BW07 is now 5000, and their roadmap includes completely removing CBC-only encryption, enforcing per-item keys and changing the vault format for integrity. On 22.12.25 they shared with us a draft for a signed organisation membership scheme, which would resolve BW08 and BW09. At our request, to maintain anonymity, they have not yet credited us publicly for the disclosure, but plan to do so.
I didn't look at the response to other Password managers, but the gist here is that the article is overblowing the paper by quite a bit and the majority of the "issues" discovered are either already fixed, or active design decisions.
I pitty the fool that stores anything important on ~~the cloud~~ somebody elses computer.
OMFG can people please fucking go away with this stupid "password managers are worthless" bullshit today. They are exactly as secure as promised, unless you went to the obviously shady ones that use web interfaces. People have been saying this for years, if you want security, keep your password manager offline.
tl;dr:
and an observation or two:
How would I know if my own server isn't compromised? Any of the online password managers have a hell of better chance spotting intrusion than I do.
This is a most excellent place for technology news and articles.
