Password managers’ promise that they can’t see your vaults isn’t always true

I've been using PasswordSafe since I first found it on Bruce Schneier's site over 25 years ago. It's now open source and I feel it's well maintained. I've never felt the need to look further because of the history and Schneier's status within the security community.

Making sure that all of my devices always have a current copy of the database is a bit of a pain, but I feel far more secure not having it under the control of a site that I have no direct view into. I really hope I'm not fooling myself, but I feel pretty safe.
 
Upvote
13 (14 / -1)

dangoodin

Ars Tribunus Militum
1,646
Ars Staff
While I appreciate anyone bringing security issues to light and making security products better, I have to say that sometimes researchers do oversell their findings. This comes close to the old maxim that once someone has physical access to hardware you're toast.

There really is no such thing as total security. Now if I was someone a lot more important than I am, I'd worry about state-level actors managing a total server compromise of Bitwarden, and targeting my vault for extraction. As it is... this is not a threat-scenario I lie awake worrying over.

Edit: Also I do support the recommendation of KeePass if you really do need that extra security. Just be very sure you have thought through all the potential issues with syncing it yourself. It can be the most secure option - but if you don't know what you're doing it's probably not.
You read the part discussing the assurances virtually all password managers provide -- you know, where they say even in the event a server is compromised, the "zero knowledge" design prevents vaults from being decrypted -- right? How is it overselling for researchers to thoroughly and with incontrovertible evidence debunk all that misleading marketing gimmickry?
 
Upvote
25 (28 / -3)
It's important to note that all of the Bitwarden attacks appear to be predicated on enterprise/group-level memberships. For individual users, there does not appear to be a corresponding vector.

That being said, no matter what a service says: if their server is compromised, I'm going to change my master password immediately, and assume that every password and login I have has been compromised.

I was a bit confused by the "account recovery" phrasing since in my head, I was thinking about the Bitwarden "recovery codes" but I guess they're different. Supposedly changing encryption key method to Argon2id is also recommended?
 
Upvote
3 (3 / 0)
And that is great, I'm not going to talk bad about that. You've got a solution that works for you and that you trust, and I absolutely applaud that.

For me though, this is added risk: how about when I'm not in range of the other devices to update the vault? Am I updating over the open internet via Syncthing, or am I using a VPN on every device? Do I run that VPN? If I do, what if my maintenance isn't perfect and the VPN connection goes down?

I do run several home servers and considered a self hosted solution. I ended up deciding that I didn't want to rely on -me- as the primary fault location for all of my passwords. Again, I'm not discounting anyone that does choose that, because it's a different decision tree for everyone's own situation, but it is food for thought.
Syncthing uses encryption with pre-accepted device keys for syncing across the Internet, so there's no need for a VPN and I expect the app would alert you if a remote device started presenting a different key just like if the certificate didn't match for an HTTPS website.

(I know I'm oversimplifying, but the point is that I trust Syncthing with or without a VPN.)
 
Upvote
13 (13 / 0)

siliconaddict

Ars Legatus Legionis
13,047
Subscriptor++
New research shows that these claims aren’t true in all cases, particularly when account recovery is in place or password managers are set to share vaults or organize users into groups. The researchers reverse-engineered or closely analyzed Bitwarden, Dashlane, and LastPass and identified ways that someone with control over the server—either administrative or the result of a compromise—can, in fact, steal data and, in some cases, entire vaults. The researchers also devised other attacks that can weaken the encryption to the point that ciphertext can be converted to plaintext.

Yada yada yada. Look, I get where the researchers are coming from and this is a valid thing to acknowledge and think about how to address it.
But this is the same equivalent of an article saying TOTP has been thwarted! When you read the article it's a MitM attack, so in the strictest sense it is true; in the real world it isn't. I mean FFS. This here:

The attack, however, requires the user to log in to LastPass with the browser extension, not the standalone client app.

As one of the above issues is my situation. I have never and will never use browser extensions. Again, I'm not saying what the researchers are saying is wrong, but it is crying wolf on something that isn't a black and white situation. And frankly, if someone has compromised a server, it isn't game over but it sure as hell is far closer to game over than not. It's all about layered security and “zero knowledge” is just another layer.
 
Upvote
6 (9 / -3)
I've always felt bad relying on these services, first LastPass, now Bitwarden. This was just the article I needed to finally make the switch to something local. KeePassXC looked nice since it has browser integration. Setup and importing from Bit took less than 5 minutes. One less thing in the back of my mind to worry about.
 
Upvote
0 (4 / -4)

ca14129

Seniorius Lurkius
36
Maybe it's leaking secrets... but anymore, my Crucial Passwords* are kept in a portable-based app stash via keyfile-based enc then wrapped inside an encrypted-volume setup that then lands on a cloud drive. I never trusted Bitwarden/onepass/etc for that kinda stuff and seem to be increasingly validated. Not bragging at all; this is just the effort I go through to keep things safe.

* and yes some of those bits end up on Other Devices but they are copied local-connection; no cloud-based stuff. Even with all this, one can't help but think all the zero-days can retrieve it but us Lower Folk can skate on the fact we're not important enough to hammer bits with hacking.
 
Upvote
0 (0 / 0)

DJ Farkus

Ars Scholae Palatinae
863
I've been using PasswordSafe since I first found it on Bruce Schneier's site over 25 years ago. It's now open source and I feel it's well maintained. ...
I use the same tool, and have always loved the fact that it does not attempt to keep your passwords "in the cloud".

It's local-only, and I only use it to remind myself of passwords I've forgotten. Not for everyone, but works great for me.
 
Upvote
2 (3 / -1)
I'd quite like to see Apple's Passwords app subjected to the same sort of analysis, since it also has a 'share passwords with family' feature.
My offhand guess would be that it would be similarly vulnerable to spoofed keypairs, if you can spoof the keys in the first place.

Apple relies heavily on device and ecosystem security because they have full control over those factors. Even a jailbroken device can't access the private keys in the secure enclave. You would need to have a rogue member enrolled in your iCloud family group for that to work, and Apple does integrity checks on iCloud keys.

There is another sharing mode that relies on Airdrop for wifi networks and other passwords, and the recipient doesn't have to be in your iCloud family but they do need to be in your contacts. That also relies on pre-exchanged iCloud public keys and proximity.
 
Upvote
8 (8 / 0)

K3ul

Smack-Fu Master, in training
11
Literally came here to post the same question.

@dangoodin great article, but I think this paragraph could use a little touch up.
I was also confused by this paragraph. If you check the source paper, there is actually a whole annex about 1Password.
What I understood of it is two things:

  • they are more secure regarding the master password because they ALSO use a crypto key (the so-called secret key).
  • they are susceptible to similar attacks (two are described: sharing key override, and vault substitution) when using the sharing features, because of how they encrypt the vault key. But this is acknowledged as an architecture limitation in their own white paper, so they didn't even ask for an embargo. The researchers offer mitigation for the vault substitution attack.

Source
https://eprint.iacr.org/2026/058.pdf
The last section
 
Upvote
39 (40 / -1)
One or two people have mentioned Apple's Passwords app. IMO it's way too new a product to mess with, even on the level of simple things like accurate import/export to other trusted apps.
Apple's Passwords app is new, but it's just a frontend to the Apple Keychain that's been around since Mac OS 8.6. I'm not sure when Keychain was extended into iCloud, but even that's been a thing for a long time. So whilst I can see where your concern is coming from, it's misplaced.
 
Upvote
28 (30 / -2)

zogus

Ars Tribunus Angusticlavius
7,237
Subscriptor
To me the main downside of 1Password and the like is no control over software updating. If their server gets compromised, they can send you a bad version of the software that records and uploads the password needed to access your vault.
What do you mean by this? In order for an attacker to put a compromised 1Password binary on my Mac or iPhone, you can’t just break into the download server and place a tainted binary there, because it would break the app signature. Instead, they’d have to compromise 1Password’s development environment (which is not the same as the “server”) and sneak some bad code onto their internal repository, hoping the developers don’t notice it before they unwittingly sign and ship the next version. A successful attack in this way is possible via e.g., supply chain attacks onto whatever IDE is being used by 1Password, but it would be rather difficult and dependent on luck.
 
Upvote
25 (27 / -2)

Marlor_AU

Ars Tribunus Angusticlavius
7,706
Subscriptor
This is exactly the sort of development I feared when 1Password announced they were doing away with local vaults. I really wish they could find a way to make that an option for users who want it, even if it were to still default to a cloud setup. I'd prefer to know the bounds of my attack surface.
The announcement that local vaults would be discontinued was the impetus for me moving away from 1Password (which I'd been using since it was initially promoted in 2007 as part of MacHeist II).

I migrated to a self-hosted VaultWarden instance, which works pretty much identically. It was one of the least-painful software transitions I've made.
 
Upvote
4 (4 / 0)

Marlor_AU

Ars Tribunus Angusticlavius
7,706
Subscriptor
Apple's Passwords app is new, but it's just a frontend to the Apple Keychain that's been around since Mac OS 8.6. I'm not sure when Keychain was extended into iCloud, but even that's been a thing for a long time. So whilst I can see where your concern is coming from, it's misplaced.
iCloud Keychain was one of the big new features of iOS 7 (and was announced at WWDC 2013).

The new Passwords frontend is basically just un-burying the functionality from the Settings app.
 
Upvote
27 (27 / 0)

ChronoReverse

Ars Tribunus Militum
2,715
Subscriptor
The announcement that local vaults would be discontinued was the impetus for me moving away from 1Password (which I'd been using since it was initially promoted in 2007 as part of MacHeist II).

I migrated to a self-hosted VaultWarden instance, which works pretty much identically. It was one of the least-painful software transitions I've made.
I've been on self-hosted VaultWarden as well and it wasn't hard to set up. DNS was the hardest part actually.

I use KeePass too but Bitwarden's interface is far more convenient and better.
 
Upvote
1 (1 / 0)

ReadandShare

Wise, Aged Ars Veteran
703
I am extremely mega neurotic. I log into non-critical things on my main workstation but I keep a ThinkPad X230 corebooted with Qubes OS and Keepass set via key file + yubikey + password and I have separate VMs there for banking, email and anonymous browsing. I also only log into my gmail (which I use little since I started hosting my own) and apple email there in separate VMs too.

The laptop itself is backed up encrypted to my local NAS, encrypted, and from there, to Amazon Glacier, encrypted before sent. A yubikey-less copy of the password database is stored at a friend's 100km from here.

And I also use random emails, all tracked within KeePass and hosted on my own server, to create single-use logins for different services.

I've witnessed too many cases of identity theft affecting my elderly relatives and I just can't otherwise.
Most hacks (esp. those aimed at consumers) are social hacks. Basically, keep OS and apps updated, don't download anything from unfamiliar sites, and don't routinely sign in as "admin". After that, don't click links and don't call numbers listed on anything that comes in unsolicited. Finally, never answer calls from unrecognized numbers - let them leave voice messages. That's 95% safe right there?
 
Upvote
29 (29 / 0)

Solidstate89

Ars Tribunus Angusticlavius
7,089
Curious what changes with being able to reduce hashing iterations with Bitwarden if you're using the newer Argon algorithm instead of PBKDF2. The newer Argon needs far fewer iterations to be secure. I think it defaults to like 3 or 4? I have it set to 6 but reducing that to 2 doesn't sound as cripplingly destructive as reducing PBKDF2 to just 2 rounds, when it's routinely set to the tens if not hundreds of thousands of hashing iterations.
 
Upvote
0 (0 / 0)
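
Added example, not from the thread or from any vendor's code: one way a client can refuse server-supplied KDF settings that fall below a local floor or below what the account used last time, which is the iteration-downgrade case the comment above asks about. The class, function names and floor values are assumptions chosen for illustration.

```python
"""Client-side check of server-supplied KDF settings (illustrative sketch)."""
import hashlib
from dataclasses import dataclass

# Assumed policy floors for this sketch; tune to your own policy.
PBKDF2_MIN_ITERATIONS = 600_000
ARGON2_MIN_ITERATIONS = 2
ARGON2_MIN_MEMORY_MIB = 64


@dataclass(frozen=True)
class KdfParams:
    algorithm: str        # "pbkdf2-sha256" or "argon2id"
    iterations: int
    memory_mib: int = 0   # only meaningful for argon2id


def check_kdf_params(offered, last_seen=None):
    """Return reasons to refuse `offered`; an empty list means accept.

    `last_seen` is the setting the client stored locally after the previous
    successful login, so a silent change by the server becomes visible.
    """
    problems = []
    if offered.algorithm == "pbkdf2-sha256":
        if offered.iterations < PBKDF2_MIN_ITERATIONS:
            problems.append(f"pbkdf2 iterations {offered.iterations} below floor")
    elif offered.algorithm == "argon2id":
        if offered.iterations < ARGON2_MIN_ITERATIONS:
            problems.append(f"argon2id iterations {offered.iterations} below floor")
        if offered.memory_mib < ARGON2_MIN_MEMORY_MIB:
            problems.append(f"argon2id memory {offered.memory_mib} MiB below floor")
    else:
        problems.append(f"unknown algorithm {offered.algorithm!r}")

    if last_seen is not None:
        if offered.algorithm != last_seen.algorithm:
            # Any algorithm switch should need explicit user confirmation.
            problems.append(
                f"algorithm changed from {last_seen.algorithm} to {offered.algorithm}")
        elif (offered.iterations < last_seen.iterations
              or offered.memory_mib < last_seen.memory_mib):
            problems.append("downgrade from last-seen settings")
    return problems


def derive_pbkdf2_key(password, salt, offered, last_seen=None):
    """Derive a 32-byte key only after the offered settings pass the checks."""
    problems = check_kdf_params(offered, last_seen)
    if offered.algorithm != "pbkdf2-sha256":
        problems.append("this sketch only derives PBKDF2 keys")
    if problems:
        # Refuse before the master password is stretched with weak settings.
        raise ValueError("; ".join(problems))
    return hashlib.pbkdf2_hmac("sha256", password, salt, offered.iterations, dklen=32)


if __name__ == "__main__":
    # Constructed sample inputs, not captured from a real service.
    pinned = KdfParams("argon2id", iterations=6, memory_mib=64)
    for offer in (KdfParams("pbkdf2-sha256", 2),
                  KdfParams("argon2id", 2, 64),
                  KdfParams("argon2id", 6, 64)):
        print(offer, "->", check_kdf_params(offer, pinned) or "accept")
```

An Argon2id setting of 2 iterations passes the absolute floor assumed here, yet is still refused when the account previously used 6, because the comparison with the locally stored value is what catches a quiet change.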

SnoopCatt

Ars Praetorian
2,471
Subscriptor
There is another sharing mode that relies on Airdrop for wifi networks and other passwords, and the recipient doesn't have to be in your iCloud family but they do need to be in your contacts. That also relies on pre-exchanged iCloud public keys and proximity.
Good point - I had forgotten about the feature where you can share a wifi network password with someone nearby. I've actually used that a couple of times when on holiday with friends. It would make sense if that was just a one-off 'share a copy of this password now' rather than granting semi-permanent access to a password saved in a vault. But it would be nice to know whether that is actually what Apple has implemented.
 
Upvote
0 (0 / 0)

SnoopCatt

Ars Praetorian
2,471
Subscriptor
iCloud Keychain was one of the big new features of iOS 7 (and was announced at WWDC 2013).

The new Passwords frontend is basically just un-burying the functionality from the Settings app.
I suspect there might be a bit more to the app than that: for example, the Passwords app has icons, which were not in iCloud Keychain. And one of the attacks described in the article uses a weakness in the icon feature to get in.

However, I get your point. Do you know when the 'Share Passwords with Family' functionality was added?

<edit to include references to icons>
 
Upvote
0 (0 / 0)
I get that it can be annoying. It’s just, for some reason articles like this one call “Cloud Password Managers” “Password Managers.” So, KeePass users probably feel the need to point out that this isn’t a problem with Password Managers, it is a problem with Cloud. Complain to the author, not the commenters with the valid and obvious correction.

This doesn’t seem fair. Most people can’t memorize enough high quality passwords to make this a practical option.

The wrench attack might work. But it has the downside of being easily detectable.
Of course the wrench attack is easily detectable. At the point it is being used against you, that matters not a bit. Your password or your life. Choose quickly, either way it is likely game over.
 
Upvote
8 (8 / 0)

GFKBill

Ars Tribunus Militum
2,907
Subscriptor
I've been using Keepass for years. I back up the one data file to my external drive and to my cloud drive (where it syncs to my phone). It's exactly how I back up my other data files (spreadsheets, documents, photos). Theoretically an easy and straightforward process.

Where I can get tripped up is when I add/update one password on Keepass using, say, my laptop - and then on the same day add/update another password on Keepass with my phone. Oops, now the nightly synching isn't straightforward anymore. As a single user sharing with no one, I just need to be careful. But I can certainly see a potential mess for a family/group trying to keep in sync!
I'm in the same boat, using OneDrive for my KeePass files. Good luck brute forcing my 15 digit basically-random master password.

Not sure I've ever had sync issues, KeePass is very good at spotting the db file has changed when it goes to save and asking if you want to sync them. It timestamps all password updates, so it can update to most recent on a per-password-entry basis. The situation you describe shouldn't be a problem barring some OneDrive weirdness.
 
Upvote
5 (6 / -1)
I just want to note that using Syncthing to sync a KeePass database can be done "serverless". Even if I do personally run Syncthing on my home server, you could simply run it on three or four devices and have a decent amount of data safety. If I took my home server out of the mix my password databases would still be on four devices.
I use KeePassXC (desktop) / KeePassDX (mobile), storing the encrypted db on my personal Nextcloud server. It works seamlessly, with no conflicts. The only cloud I ever trust is my own cloud.

There are plenty of providers for hosted Nextcloud servers, that are super easy to set up, if you don't want to do this from bare metal. Nextcloud lists a ton of them on their website.
 
Upvote
3 (3 / 0)

schimmel23

Seniorius Lurkius
7
Subscriptor
3. You can't protect against everything. It's okay to say that you are not accounting for the entire Bitwarden server infrastructure being rooted and malicious binaries rolled out to them.
This sounds not so unlikely to me. If I were a malicious actor, I'd certainly target the server infrastructure of the most popular password managers. If this is also the case with chat apps like Signal, I'd be worried too. In many countries, the government is a very likely threat actor. You don't have to be a professional spy.

I'm an immigrant in the US. And I've just moved emails off of Google after the latest subpoenas. I know a lawful subpoena is not the same as hacking Bitwarden. Still changed my mind a bit about threat models.
 
Upvote
8 (9 / -1)

Hydrargyrum

Ars Praefectus
4,065
Subscriptor
The whole point of Keepass is you don't need to care about how you do the synching. You can email it to yourself, stick it on a thumbdrive, or whatever and it is secure. I just use Keepass with Microsoft Onedrive because it just works and I don't have to think about it.

To me the main downside of 1Password and the like is no control over software updating. If their server gets compromised, they can send you a bad version of the software that records and uploads the password needed to access your vault. That said I usually recommend most people to do the cloud password manager over Keepass because as someone else posted, the server compromise risk is a lot lower than all the other password related security risks for normal people.
This is the system I use. To add a little bit of extra security, I keep the password vault file (which changes every time I add a new password or change an existing password) on OneDrive, but I encrypt that file with both a master password and a static keyfile, which doesn't change. The static keyfile I install on all my devices locally - that keyfile is never ever stored in the cloud storage service. Because the keyfile is static, a one-time installation when I set up a new device is not significantly inconvenient.

So, to open my password vault file, the attacker would need to either:
1. break the fundamental encryption algorithms, or
2. compromise one of my endpoint devices to steal both the vault file and a copy of the keyfile (and probably sniff the master key password component as well).

Even if the password vault file leaks from the cloud storage service, it's completely infeasible to obtain the keyfile portion of the decryption key by brute force.
 
Upvote
3 (3 / 0)

Hydrargyrum

Ars Praefectus
4,065
Subscriptor
I've been using Keepass for years. I back up the one data file to my external drive and to my cloud drive (where it syncs to my phone). It's exactly how I back up my other data files (spreadsheets, documents, photos). Theoretically an easy and straightforward process.

Where I can get tripped up is when I add/update one password on Keepass using, say, my laptop - and then on the same day add/update another password on Keepass with my phone. Oops, now the nightly synching isn't straightforward anymore. As a single user sharing with no one, I just need to be careful. But I can certainly see a potential mess for a family/group trying to keep in sync!
For this reason I prefer a more immediate sync process for KeePass files (sync immediately on save). Can Syncthing be configured with file system watchers to do that?

KeePass 2.x for Windows and KeePassXC for Linux/Mac include functions for merging the edits of two versions of the same password file, which is useful if sync conflicts arise.
 
Upvote
0 (0 / 0)
Of course the wrench attack is easily detectable. At the point it is being used against you, that matters not a bit. Your password or your life. Choose quickly, either way it is likely game over.
It matters after, though. Assuming it isn’t “game over” (since, in that case, nothing matters), knowing your accounts have been stolen gives you a chance of recovery at least.
 
Upvote
8 (8 / 0)

Ubersoldat19

Ars Scholae Palatinae
606
End of the day, KeePass and any cloud management vault both have their weaknesses. The cloud structure definitely suffers from an eggs-in-one-basket weakness, but it also has the advantage of having huge OpSec resources (unless it's LastPass, LOL).

Make no mistake, KeePass' greatest strength is anonymity. It's kind of a survivor's bias to assume that it's going to be structurally more secure than a professional data center. Bare minimum requirements should be:
1. Routinely updating the firmware/software on your NAS, router, and all network connected devices.
2. Limiting network traffic on your NAS via VLAN and firewall.
3. Containerizing/isolating other software from your NAS.
4. Pre-authorizing devices that can connect. And making sure those devices are secure.
5. Analyzing connections/connection attempts.

I'm fine with using <redacted> as my cloud password manager. Personally, I don't have the desire to play OpSec for my home network to that extreme of a degree.

Either way, there's just 2 rules to live by:

1. Use MFA/2FA everywhere you can and don't save these in the same vault as your passwords.
2. Don't put your email account passwords in any vault. If your vault gets cracked, you might have a recovery chance if you can still get to your email, since that is going to be used to reset most other passwords. If those get compromised along with everything else, you might as well jump off a bridge.
 
Upvote
7 (8 / -1)
I’m confused by this sentence about 1Password. What is it trying to say? That they didn’t analyze it but it would be subject to the same attacks? I feel like a sentence is missing.

Maybe I’m just not getting something obvious.
They analyzed a lot of password managers that had the same vulnerabilities as the top ones but for some reason they’re only allowed to mention 1Password.
 
Upvote
11 (11 / 0)

mfirst

Ars Centurion
321
Subscriptor
As a non-IT end user (who is or used to be kinda techie - heck, I hang out here), I will take this as an opportunity to vent at how insane all of this password stuff has become. I use the Apple ecosystem for most of my stuff and that tracks all my passwords because I don't even know any of them anymore. Regarding work, between 6 different authentication apps, several different 'tap-badges' and all of the different rules regarding 2FA/MFA, password lengths, character combinations, special characters, length requirements, rules for changing, updating, etc not to mention all the stuff that doesn't work (single sign on that doesn't), typing my login and password countless times a day, phone calls to IT at all hours when I get locked out because developers aren't the ones who actually have to use the stuff they create...... and then there are all the stupid sites that require logins for .... why? to harvest my data?

This is all out of control - and getting worse and there is more than enough blame to go around....

This is the world we live in and it ain't getting better......
 
Upvote
13 (13 / 0)

vicntc

Seniorius Lurkius
9
Why does nobody recommend Keeper Password Security? I've been using it for 10 years personally and 5 at work (Govt organization).

It has been substantially scrutinized and always receives top marks.

It's available for all devices (Windows, Apple, Android) and has a browser add-in too.

It's far better than 1Password, Bitwarden and so forth.
 
Upvote
-18 (0 / -18)