Password managers less secure than promised
ethz.ch
Researchers from ETH Zurich have discovered serious security vulnerabilities in three popular, cloud-based password managers. During testing, they were able to view and even make changes to stored passwords.
  • Millions of people use password managers. They make accessing online services and bank accounts easy and simplify credit card payments.
  • Many providers promise absolute security – the data is said to be so encrypted that even the providers themselves cannot access it.
  • However, researchers from ETH Zurich have shown that it is possible for hackers to view and even change passwords.
  • ftbd@feddit.orgEnglish
    30·
    1 day ago

    They advertise that passwords are only stored on the server in encrypted form, meaning they couldn’t read them even if they wanted to (or were forced to by a government agency) and you don’t have to trust them not to. This paper shows that several vulnerabilities exist in the protocol which could be exploited by malicious code running on the server (injected by hackers or a government agency), which would then allow an attacker to obtain cleartext-passwords. So you do, in fact, have to trust the servers integrity.

    • 1984@lemmy.todayEnglish
      13·
      1 day ago

      Thank you for taking the time to understand and comment, very valuable.