
A new study has found that multiple cloud-based password managers, including Bitwarden, Dashlane, and LastPass, are susceptible to password recovery attacks under certain conditions. "The attacks range in severity from integrity violations to the complete compromise of all vaults in an organization," researchers Matteo Scarlata, Giovanni Torrisi, Matilda Backendal, and Kenneth G. Paterson said. "The majority of the attacks allow the recovery of passwords."
ZKE is a cryptographic technique that allows one party to prove knowledge of a secret to another party without actually revealing the secret itself. ZKE is also a little different from end-to-end encryption (E2EE). While E2EE refers to a method of securing data in transit, ZKE is mainly about storing data in an encrypted format such that only the person with the key can access that information.
Multiple cloud-based password managers, including Bitwarden, Dashlane, and LastPass, are susceptible to password recovery attacks under certain conditions. The attacks range in severity from integrity violations of individual vaults to the complete compromise of all vaults in an organization. The threat model assumes a malicious server, which is the setting in which the products' zero-knowledge encryption (ZKE) promises are put to the test. ZKE allows one party to prove knowledge of a secret to another without revealing the secret, and it differs from end-to-end encryption. Twelve distinct attacks affect Bitwarden, seven affect LastPass, and six affect Dashlane. These solutions serve over 60 million users and nearly 125,000 businesses. The researchers attribute the vulnerabilities to several common design anti-patterns and cryptographic misconceptions.
Read at The Hacker News