Three of the biggest password managers are vulnerable to 'a cornucopia of practical attacks' say security researchers
Despite banging on about data privacy, my password practices are perhaps not actually that secure. No, I'm not leaving them lying around on post-it notes like my office is just the latest level of an immersive sim, but a recent study suggests that cloud-based password managers ain't it either.
A number of these services tout their 'Zero Knowledge Encryption,' insisting that no one besides you, not even the service itself, can sneak a peek at the contents of your password vault—in theory, anyway. According to a fresh study by a team of security researchers out of ETH Zurich and Universita della Svizzera Italiana, zero knowledge encryption is far from airtight in practice (via Ars Technica).
By closely analysing or reverse-engineering a number of different vendors—including LastPass, Bitwarden, and Dashlane—the team of researchers found "a cornucopia of practical attacks." The paper notes, "Worryingly, the majority of the [team's devised security] attacks allow recovery of passwords—the very thing that the password managers are meant to protect."
Some of the researcher's devised attacks take advantage of vulnerabilities within various password managers' key escrow mechanisms.
For instance, when an admin of a shared password vault either invites a new member or attempts to reset a member's forgotten access code, a number of 'keys' are generated. These keys are sent to the software client of the member in question. The client bundles all of these keys together and encrypts them locally before sending them back to the password manager's server.
The researchers found the resulting ciphertext is not always integrity-checked, meaning a bad actor could swoop in, swap one of the keys sent to the client out for one of their own paired keys, and then use that to decode the resulting ciphertext. This could allow someone to extract a shared vault's key, which could then be used to perform an account recovery on a targeted member of the shared vault. Key pair manipulation can also be used to decrypt and directly modify shared items within a password vault.
To return to the case of inviting a new member, the most unnerving wrinkle to the key escrow attack is that a bad actor could run rampant through a member's vault as soon as the initial invitation to join was accepted.
The team delve into a number of other potential attacks throughout the paper, targeting both multiple password managers' backwards compatible support of older versions, and even a threat model where the server is "fully malicious, meaning that it can deviate arbitrarily from its expected behaviour."
The team found, "Despite [encrypted password vault] vendors’ attempts to achieve security in this setting, we [uncovered] several common design anti-patterns and cryptographic misconceptions that resulted in vulnerabilities."
Long story short, either an employee working for your password manager of choice, or a malicious actor that has managed to infiltrate its servers, could potentially get more than an eyeful of your passwords. That said, I still doubt Motorola's proposed 'password pill' was ever the future, to say nothing of trying to keep all of your passwords memorised in your very own fallible noggin'.
But even with the paper's findings in mind, password managers are still the best way to store piles of unique passwords—though there are ways to keep your data safe without going to too much hassle. It's a good idea to have your recovery account connected to these services using a separate password that is not included within the password manager's vault, and you should also set 2FA authentication with a separate service to deal with your codes.