I’ve long been someone concerned about data security and privacy. I grew up in a time when your passwords were kept securely in your own organic memory if not jotted down on a page somewhere, so the rise of password managers felt like a godsend.
A place to securely store all passwords (and more) for all accounts? Accessible across your devices? Too convenient to pass up. And yet, I still didn’t trust my password manager with the “big” credentials; those, I kept tucked away in my head.
These attacks work even when proper authenticated encryption is used. They are possible because of insufficient key separation in vaults with complex structures and/or a lack of cryptographic binding between data and metadata.
Matteo Scarlata, Giovanni Torrisi, Matilda Backendal, Kenneth G. Paterson
The most popular password managers, like Bitwarden, LastPass, and Dashlane, which together have more than 60 million customers, have all seemingly adopted a stance known as “Zero Knowledge Encryption.”
Largely based on nothing technical, it’s a term designed to create peace-of-mind for users by conveying the idea that what is stored on password manager servers can’t be read by the companies. If the company hosting your encrypted passwords can’t read it, surely no one else who breaks in can, either.
Wrong.
The security researchers discovered several vulnerabilities after hitting these services with “a cornucopia of practical attacks,” noting that these attacks allowed them to “downgrade security guarantees, violate security expectations, and even fully compromise users’ accounts.”
In one example, researchers were able to compromise entire accounts using a vulnerability in account sharing and key escrow utilities. In another example, a lack of ciphertext integrity resulted in keys being swapped out in order to attack vaults.
What’s worse is that the endgame of the majority of these attacks allowed researchers to recover passwords, something that password managers explicitly say they defend against.
Researchers have shared their findings with vulnerable password management companies, and it’s stated that “remediation is underway.”
Windows Central’s advice
I’m always happy for an opportunity to remind people that password security is only getting more important. And despite these research findings suggesting that password managers are, in some ways, vulnerable, they’re still the best way for most people to manage different credentials for each account.
What you should do, however, is consider a switch to a local-only option that doesn’t store data in the cloud. You might also consider switching to hardware-based two-factor authentication. We’ve covered YubiKey in the past as a solid option.
If you are sticking with a standard cloud-based manager, be sure to segment your passwords into several vaults, ensuring your entire digital life isn’t compromised if one should go down.
👉 Microsoft finally makes passkeys viable thanks to Edge on Windows 11 — you can finally sync them across devices
Share your thoughts about password managers
Will you continue using a password manager as usual despite these findings? What is your alternative? Let me know in the comments section!
Join us on Reddit at r/WindowsCentral to share your insights and discuss our latest news, reviews, and more.
