Password managers don't protect secrets if pwned
Briefly

"Academics say they found a series of flaws affecting three popular password managers, all of which claim to protect user credentials in the event that their servers are compromised. The team, comprised of researchers from ETH Zurich and Università della Svizzera italiana (USI), examined the "zero-knowledge encryption" promises made by Bitwarden, LastPass, and Dashlane, finding all three could expose passwords if attackers compromised servers."
"They used a malicious server model to test all of this - setting up servers that behaved like hacked versions of those used by the password managers. Seven of Bitwarden's 12 successful attacks led to password disclosure, whereas only three of LastPass's attacks led to the same end, and one for Dashlane. All three vendors claim their products come with zero-knowledge encryption."
Three popular password managers, Bitwarden, LastPass, and Dashlane, contain flaws that can expose user passwords, and in some cases let vault entries be altered, when the vendor's servers are compromised. Zero-knowledge encryption promises that credentials are encrypted on the user's device and that the servers only ever hold ciphertext; tested under a malicious-server model, none of the three products fully delivered on that promise. Bitwarden had the most issues, with twelve successful attacks, seven of which led to password disclosure. LastPass had seven distinct attacks, three of them leading to disclosure, and Dashlane six, with one leading to disclosure. None of the vendors publishes a complete threat model covering server compromise.
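The page does not describe the individual attacks, so the toy below is an added illustration of what a "malicious-server model" means, not code from the paper or from any of the three vendors. It builds a minimal zero-knowledge vault (master password never leaves the client, the server only stores an authenticated blob) and then runs the same client against three servers: an honest one, one that tampers with the stored ciphertext, and one that serves a stale but perfectly valid earlier version of the vault. The tampering is caught by the MAC; the rollback is caught only if the client pins a version counter inside the encrypted payload, which is the kind of decision a written threat model for server compromise would have to make explicit. The HMAC-counter-mode cipher, the salt, the iteration count and the `example.com` entries are all constructed for the example.

```python
"""Toy zero-knowledge vault with pluggable honest/malicious servers (illustration only)."""
import hashlib
import hmac
import json
import secrets

# Illustrative KDF work factor; real products choose and document their own.
ITERATIONS = 200_000


def derive_keys(master_password: str, salt: bytes, iterations: int = ITERATIONS):
    """Client-side only: master password -> (encryption key, MAC key)."""
    km = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=64)
    return km[:32], km[32:]


def _keystream(key: bytes, nonce: bytes, n: bytes_len := None) if False else None  # placeholder removed below
```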
Read at Theregister
Unable to calculate read time
[
|
]