🚨 New research from ETH Zurich has found that popular password manager's zero-knowledge encryption claims don't fully hold up if their servers are compromised.
-
Dashlane & Bitwarden promptly issued fixes.
LastPass did not issue a fix and stated: "our own assessment of these risks may not fully align with the severity ratings assigned by the ETH Zürich team."
In 2022, LastPass experienced a breach that impacted 1.6 million users due to inadequately strong technical and security measures within their infrastructure.The best time to switch from LastPass was yesterday; the second best is today.
️Here's what we recommend
️@privacyguides
Do you have another source for Bitwarden havin fixed the issues? If i am not mistaking, i can't see where they say something explicit about Bitwarden fixing these issues in the linked article. -
@privacyguides This sounds like the kind of thing that cannot just be "fixed". As far as I can tell, *all three were lying* about their servers being dumb storage without access to your secrets. This is a problem of vendor integrity not a technical problem.
@dalias @privacyguides Self-host, some things are better of self hosted. And a password manager is one of them. And better without any internet access, your devices can sync when they are on your local network.
-
@dalias @privacyguides Self-host, some things are better of self hosted. And a password manager is one of them. And better without any internet access, your devices can sync when they are on your local network.
@h0m3 @privacyguides It doesn't even need self-hosting. It just needs the storage backend to be a pure content-agnostic storage backend for opaque encrypted data, not having some control channel interaction that puts the vendor in a privileged position and locks you in to using their cloud infrastructure.
-
@h0m3 @privacyguides It doesn't even need self-hosting. It just needs the storage backend to be a pure content-agnostic storage backend for opaque encrypted data, not having some control channel interaction that puts the vendor in a privileged position and locks you in to using their cloud infrastructure.
@dalias @h0m3 @privacyguides KeePass is the best option if you don't need cloud sync
-
@dalias @h0m3 @privacyguides KeePass is the best option if you don't need cloud sync
@helloclippy @h0m3 @privacyguides Cloud sync is good, but only if it's *your choice* of storage and the storage provider doesn't have backdoor access to the password manager.
-
@helloclippy @h0m3 @privacyguides Cloud sync is good, but only if it's *your choice* of storage and the storage provider doesn't have backdoor access to the password manager.
@dalias @helloclippy @privacyguides Yes. Bitwarden allows you to cloud sync to your instance, even using an alternative server application like vaultwarden. Thats the most important feature for me and i would abandon them if they choose to remove it in the future.
"Its open source but you can only connect to our proprietary servers" is a no-go to me
-
New research from ETH Zurich has found that popular password manager's zero-knowledge encryption claims don't fully hold up if their servers are compromised. 
️
LastPass, Dashlane & Bitwarden were identified as being affected, this is significant because cloud password managers commonly claim that their user's data would be unaffected if they were compromised. 
@privacyguides same old story and yet ppl still not convinced to local only password managers like keepassxc...
-
@privacyguides
Do you have another source for Bitwarden havin fixed the issues? If i am not mistaking, i can't see where they say something explicit about Bitwarden fixing these issues in the linked article. -
@timisch @privacyguides Thank you!
-
Dashlane & Bitwarden promptly issued fixes. LastPass did not issue a fix and stated: "our own assessment of these risks may not fully align with the severity ratings assigned by the ETH Zürich team."In 2022, LastPass experienced a breach that impacted 1.6 million users due to inadequately strong technical and security measures within their infrastructure.
The best time to switch from LastPass was yesterday; the second best is today.
️Here's what we recommend
️@privacyguides
Lastpass is an absolutely AWFUL company.After LogMeIn got their hands on them the prices skyrocketed from $12 to $24 to $36 to $48 a year for their premium plan.
I switched to Bitwarden, who have kept their premium plan at just $10 a year, for many years now.
With ownership of Lastpass now in the hands of not one, but two investment companies, one really has to question where Lastpass's priorities lie.
-
Secure local password managers
️ For more info visit our site: https://www.privacyguides.org/en/passwords/#local-storage @privacyguides keep assium
-
Secure local password managers️ For more info visit our site: https://www.privacyguides.org/en/passwords/#local-storage
@privacyguides what do you recommend for self-hosting a password manager?
-
@dalias @helloclippy @privacyguides Yes. Bitwarden allows you to cloud sync to your instance, even using an alternative server application like vaultwarden. Thats the most important feature for me and i would abandon them if they choose to remove it in the future.
"Its open source but you can only connect to our proprietary servers" is a no-go to me
@h0m3 @dalias @helloclippy @privacyguides
Bitwarden has EU based servers which I would recommend.
The cost for a year of service is very good value IMHO
-
@h0m3 @dalias @helloclippy @privacyguides
Bitwarden has EU based servers which I would recommend.
The cost for a year of service is very good value IMHO
@simonzerafa @h0m3 @helloclippy @privacyguides Where the servers are located doesn't matter if the encryption is done right.
-
@simonzerafa @h0m3 @helloclippy @privacyguides Where the servers are located doesn't matter if the encryption is done right.
@dalias @h0m3 @helloclippy @privacyguides
Regulations might say otherwise. Also Data Sovereignity
-
@dalias @h0m3 @helloclippy @privacyguides
Regulations might say otherwise. Also Data Sovereignity
@simonzerafa @h0m3 @helloclippy @privacyguides If encryption is being used right they aren't storing any personal data, just meaningless random bits. There is a risk of loss of availability but no risk of exposure or misuse.
-
@privacyguides what do you recommend for self-hosting a password manager?
KeePassXC would be our recommendation for an offline password manager. You can see all our recommendations here: https://www.privacyguides.org/en/passwords/#local-storage
