If you rely on a cloud-based password manager, it might not matter if your data is stored in an encrypted state to which only you have the key. If an attacker is able to trick you into thinking you are interacting with the server but you are actually interacting with an attacker's script, it may be possible for an attacker to man-in-the-middle you and get your password info. (At least this is how I understand this attack.)
The team conducted a study to scrutinise the security architecture of three popular password manager providers: Bitwarden, LastPass and Dashlane. Between them, they serve around 60 million users and have a 23 per cent market share. The researchers demonstrated 12 attacks on Bitwarden, 7 on LastPass and 6 on Dashlane.
To do this, they set up their own servers that behave like a hacked password manager server. They proceeded on the assumption that, following an attack, the servers behave maliciously (malicious server threat model), and when interacting with clients, such as a web browser, they deviate arbitrarily from the expected behaviour.
Their attacks ranged from integrity violations affecting specific, targeted user vaults to the complete compromise of all vaults within an organisation using the service. In most cases, the researchers were able to gain access to the passwords – and even make changes to them.
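An added illustration of the malicious-server threat model described above (not code from the study or from any of the named products): a toy server that can replay or edit stored vault blobs, beside a naive client that trusts whatever it receives and a hardened client that authenticates each blob with a key the server never holds and keeps its own version counter. It goes slightly beyond the text in also showing a rollback, which an integrity tag alone does not catch; vault encryption is left out to keep the example to the integrity point, and every key, salt and vault entry is constructed.

```python
import hashlib
import hmac
import json

VAULT_V1 = {"example.com": "hunter2-old"}  # constructed sample data, not real credentials
VAULT_V2 = {"example.com": "hunter2-new"}

def derive_key(master_password: str, salt: bytes) -> bytes:
    # Derived on the client from the master password; the server never holds this key.
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, 200_000)

def seal(key: bytes, version: int, vault: dict) -> dict:
    # Client binds a version counter to the vault and tags both with its own key.
    body = json.dumps({"version": version, "vault": vault}, sort_keys=True)
    return {"body": body, "tag": hmac.new(key, body.encode(), hashlib.sha256).hexdigest()}

def malicious_server(history: list, mode: str) -> dict:
    # Stores uploads like an honest server but may serve a stale or edited blob.
    if mode == "rollback":   # replay an old blob whose tag is still valid
        return history[0]
    if mode == "tamper":     # edit the stored body without knowing the client key
        edited = dict(history[-1])
        edited["body"] = edited["body"].replace("hunter2-new", "attacker-pw")
        return edited
    return history[-1]       # honest behaviour: newest upload

def naive_open(blob: dict) -> dict:
    # Vulnerable client: trusts whatever the server returns.
    return json.loads(blob["body"])["vault"]

def verified_open(key: bytes, blob: dict, last_seen_version: int) -> dict:
    # Hardened client: check the tag with the client-held key, then reject stale versions.
    expected = hmac.new(key, blob["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, blob["tag"]):
        raise ValueError("integrity check failed")
    data = json.loads(blob["body"])
    if data["version"] < last_seen_version:
        raise ValueError("rollback detected")
    return data["vault"]

def demo(mode: str) -> tuple:
    # Both clients fetch the same blob; last_seen_version is the client's own local record.
    key = derive_key("correct horse battery staple", b"constructed-salt")
    history = [seal(key, 1, VAULT_V1), seal(key, 2, VAULT_V2)]
    blob = malicious_server(history, mode)
    try:
        verified = verified_open(key, blob, last_seen_version=2)
    except ValueError as err:
        verified = str(err)
    return naive_open(blob), verified
```

The naive client happily returns the attacker's edited entry or the stale vault, while the hardened client refuses both; the version counter is what turns a valid-but-old blob into a detectable rollback.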
Password managers, like Bitcoin-specific hardware companies, are definitely honeypots. Not necessarily bad, but something to consider in how you use them.
"Due to the large amount of sensitive data they contain, password managers are likely targets for experienced hackers who are capable of penetrating the servers and launching attacks from there," says Paterson, Professor of Computer Science at ETH Zurich.
Definitely a concern, but what better solutions are there? Self-hosting is probably out of the question for most people. These days people have to maintain 100s to 1,000s of passwords. Impossible to remember them all. The alternative is to use a single password for everything (bad idea), or go with biometrics (do we want to go there?).
KeepassXC + Syncthing + Keepass2Android
Self-hosted, synchronized across all devices with an easy-to-use interface, compatible with at least Android and Yubico hardware.
Sorry, this is the link for Keepass2Android.
My naive mind says it would be cool if routers came with password manager hosting software preinstalled and easy to set up, but then again... do people ever update their routers? So they'd probably be even more vulnerable.
Routers have probably the worst security 🤣
Did you read the in-depth post linked from the Krebs article you posted about Kimwolf?
I use Proton Pass.
Could be that they have similar problems.
And I thought they were perfect. Damn, my bubble has burst.
At least it's open-source.
You could take KeePass, for example. This has other tradeoffs and risks, but is a good alternative.
More information can also be found here: https://zkae.io/
The one thing I've done is take a really good older local password manager and read the source once. Follow its security advisories and do everything else myself. Build procedures for backup. Never put it online... I don't recommend anyone do this unless you're comfortable implementing cryptography, reading C++ code, and so on.
The solution I recommend to somewhat tech-literate normies nowadays is KeePass, but that's a concession, even if someone is literate enough to use it with a YubiKey.
Looks like we're going back to good ol' pen and paper.
Go for Nitrokey.
Please do not name-drop; expound, or at least link.
Googlebombing is cheaper than spinning up new liquidity providers, for some of the SN readers.
What is Stacker News?
It is a social media platform intentionally created to enable a P2P V4V BTC denominated community.
Originally Stacker News (SN) custodied sats on behalf of participants, but the threat of government regulatory prosecution on the pretext of being a money transmitter forced a move away from custody of sats by the platform to the platform enabling participants to send sats via their own wallets.
To achieve this participants need to attach wallets to both send and receive sats.
Where participants do not or cannot attach LN wallets, transactions will often default to Cowboy Credits.
This change was a compromise forced by the threat of government prosecution.
The difficulty of attaching both sending and receiving wallets is moderate: it takes some effort, and newbie or non-tech people may struggle with it, but most competent Bitcoiners can succeed in attaching wallets and thus enabling sats-denominated P2P transactions.
But a number of Stackers have chosen not to attach wallets, in particular sending wallets, which enable you to send sats into the SN community.
Very few have attached just a sending wallet; many have attached just a receiving wallet.
Those who only attach a receiving wallet can receive sats from others but cannot send sats into the community. They may feel that as content providers they have no need or obligation to send sats into and within the SN community. I disagree.
Where these receive-but-not-send (horse but no gun) Stackers proclaim to be Bitcoiners but refuse to enable a sending wallet, they are demonstrably hypocrites. They claim they want to build and grow the BTC LN MoE network, but they cannot be bothered contributing toward that growth by attaching a sending wallet and demonstrating they are not just talking, but are also walking and supporting a sats-denominated platform.
If we do not use the LN wherever and whenever we can, it will not grow and develop.
Some claim it is too hard to attach wallets, that it's too hard on their self-custody nodes or wallets. This just highlights how much work the LN still needs before it is capable of anything approaching 100% reliable MoE capability.
But the best way to grow and strengthen the LN is to use it, despite its remaining flaws and glitches.
When wallets are supported by people using them, they receive transaction fees and can develop liquidity and systems further.
When LN wallets are not used, the LN decays; it does not have the usage and fee income to grow.
So when self-proclaimed advocates for BTC and LN refuse to attach wallets (especially sending wallets), I see a hypocrite.
I will continue to see a hypocrite until and unless someone can explain why I should not.
Calling me a Nazi, trolling, and making fun of me crudely in order to avoid the issues I raise will not stop me from asking why you are claiming to be a Bitcoiner but refusing to attach wallets and use the LN here, where we can help it grow.
Now some are deliberately concealing their wallet status, as if this is about a right to privacy.
Concealing your wallet status means nobody else can verify whether or not you are serious about using BTC LN, or whether you are just an all-talk, no-walk hypocrite.
Do not trust; verify.
What about this fundamental principle do they not understand?
And then they talk about 'content' being more important than whether or not you have attached wallets. In this context the intentional lack of attached wallets undermines your credibility, as your actions do not match your words.
Your submitted content may be great, but you, as someone claiming to be a serious Bitcoiner, are undermining your credibility and the credibility of your content by being a hypocrite.
Your content is tainted by your verifiable hypocrisy.
SN needs both good content providers and those who pay for that content if it is to succeed.
I am more in the latter group than the former, but both are required overall or the model does not work.
So, as a net contributor of sats and thus a net consumer of content, I object where content providers refuse to engage in the P2P V4V ethos by refusing to attach both sending and receiving wallets, and I will both withhold my contribution of sats and sometimes downvote in response.
V4V needs to work reciprocally or it will not work at all.
The content providers need net sats contributors/content consumers who send sats into the platform, or the entire platform fails.