- cross-posted to:
- [email protected]
- cross-posted to:
- [email protected]
- Millions of people use password managers. They make accessing online services and bank accounts easy and simplify credit card payments.
- Many providers promise absolute security – the data is said to be so encrypted that even the providers themselves cannot access it.
- However, researchers from ETH Zurich have shown that it is possible for hackers to view and even change passwords.
OMFG can people please fucking go away with this stupid “password managers are worthless” bullshit today. They are exactly as secure as promised, unless you went to the obviously shady ones that use web interfaces. People have been saying this for years, if you want security, keep your password manager offline.
So by that logic BitWarden is unsafe?
Yes, if you arent self hosting the web interface or using the desktop client.
But these issues were patched before even publishing the findings, right?
There is no way to patch the inherent flaw that comes with delivering client software through a web browser. If the entire client is delivered as a web page from a server you dont control, then that server can modify the software however it pleases. Same applies to e2ee encrypted chat clients that run as a web page like element-web (browser based matrix client).
This comment shows that you know less about computers, than you may think. You can definetly make end to end encryption work using a Website. JavaScript runs client side. So as long as you trust the encryption algorithm (which in elements case you definetly can, because it is OSS), the encryption is safe and your unencrypted data never leaves the device.
The point is you are trusting the JavaScript that the server delivered to you. If the server is compromised, it hands you compromised JavaScript and you’re screwed. It’s the exact same thing as going to evil.com and entering your master password. I think that you inherently understand that evil.com is untrusted. However, if passwordmanager.com is compromised by the same people who own evil.com. there’s really no difference.
I understand, but wouldn’t the same problem occur, if the server for the website you download your software from or the server for your package manager would be compromised? Even if you would buy your software physically on a CD, there would be a chance someone has messed with the content on a CD.
So I don’t really see this as a flaw unique to browsers. Am I wrong?
Yes of course you CAN make it safe in theory, but unless you run the web interface locally or on your own server, you cant be certain that the javascript delivered to you from the hoster hasnt been modified. Its like having autoupdates on but you have zero control over when or how the updates take place, because every time you open the page it could be different code from the last time.
How do you know that the code on elements github repo is actually the same code that you get delivered from your homeserver that is hosting the web client? Your homeserver can just modify the web clients code however it wants and deliver a backdoored or faulty version to you. Which means you dont just have to trust the open source code, but also the admin who is managing the homeserver and also the hosting provider.
Is this really so hard to understand? Literally the entire client is delivered on demand from a remote server, obviously that is insecure if you dont control that server.
This feels a bit extreme though. Can you even trust anything online at that point? Do you also never leave your home carrying your wallet in case someone might rob you?
Bro i have my bank details, all my private 2FA, work 2FA, health insurance access, my families master passwords, steam access, and more in there. Its literally the most important piece of software that can exist in this day and age. No im not taking chances with that. The only thing you can do with my physical wallet if you rob me is buy something up to 20€ beyond which you need the cards pin. Everything else i can just deactivate by calling the relevant parties.
But on another note, websites have never really been resistant to MITM attacks. So you dont just have to trust the hoster but also everything in between you and them.
I assume you follow proper backup protocol it you are using offline password management.
How do you sync though? You keep one copy on your phone or something, I imagine? What apps and managers are you using?
KeepassXC is the goat :)
The database file is encrypted so its fine to sync it however you like. I use syncthing for it which is p2p. Obviously set a very good password on it if you sync it through unsecure channels.
according to recent findings, it is.
But the findings were patched before it was even published from my understanding?
not all of them, and some changes only apply to new passwords saved: https://lemmy.ml/comment/24008121