All eight of the top password managers have adopted the term “zero knowledge” to describe the complex encryption system they use to protect the data vaults that users store on their servers.
New research shows that these claims aren’t true in all cases, particularly when account recovery is in place or password managers are set to share vaults or organize users into groups. The researchers reverse-engineered or closely analyzed Bitwarden, Dashlane, and LastPass and identified ways that someone with control over the server—either administrative or the result of a compromise—can, in fact, steal data and, in some cases, entire vaults. The researchers also devised other attacks that can weaken the encryption to the point that ciphertext can be converted to plaintext.
They used several techniques. Bitwarden is affected. It’s important to note most attacks assume an attacker has full control over the password manager servers.
We don’t know yet which other password managers are impacted, as they didn’t test those as deeply and couldn’t disclose them.
I’m surprised that this didn’t cause a bigger stir – no matter how theoretical the scenarios are, the findings still undermine the whole premise of these encrypted password managers. I’m considering switching from Bitwarden to KeepassXC. What do you guys think of syncing a Keepass vault with Syncthing – is it secure?
How is this any better? I’m not too concerned about Bitwarden/Vaultwarden yet. I think their PR said they have never been breached before, so I’ll trust them until the privacy community can come up with a better solution. I’m definitely not going back to LastPass. Eff those guys!
Yeah well, there’s a first time for everything, right? The point of the research was to critically assess the zero-knowledge claims these firms make, and since they don’t quite hold up to scrutiny, I’d like to think a local Keepass database would be more secure from this standpoint. Would be nice to sync it to my phone somehow, but that always brings some risks with it.