A Bug in Keeper Password Manager Leads To Sparring Over 'Zero-Knowledge' Claim (zdnet.com)
Keeper, a password manager maker that recently and controversially sued a reporter, has fixed a bug that a security researcher claimed could have allowed access to a user's private data. From a report: The bug, which the company confirmed and has since fixed, was reported anonymously to a public security disclosure list. The report detailed how anyone controlling Keeper's API server could obtain the decryption key to a user's vault of passwords and other sensitive information. The researcher found the issue in the company's Python-based command-line tool, Keeper Commander, which lets users rotate passwords, eliminating the need for hard-coded passwords in software and systems.
According to the write-up, the researcher said it's possible that someone in control of Keeper's API -- such as employees at the company -- could unlock an account, because the API server stores the information used to produce an intermediary decryption key. "What seems to appear in the code of Keeper Commander from November 2015 to today is blind trust of the API server," said the researcher.
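The summary above describes the flaw only in outline: the client derives an intermediary key from the master password using parameters the API server hands it, and it trusts those parameters blindly. The following is an added illustration of that class of problem, written in Python because Keeper Commander is a Python tool; it is not Keeper's code and does not reproduce Keeper's actual protocol or the researcher's exact finding. The scheme it models (PBKDF2-HMAC-SHA256 over the master password with a server-supplied salt and iteration count, and a hashed "auth verifier" sent at login), the policy floor MIN_ITERATIONS, and the sample password and wordlist are all assumptions constructed for the example.

```python
"""Why a 'zero-knowledge' client must not blindly trust KDF parameters from its server.

Added example, not Keeper's or Keeper Commander's code. A client that derives its
vault key with whatever salt and iteration count the server sends can be handed a
trivially weak derivation; the verifier it then returns falls to a cheap offline
search by whoever controls the server. The hardened client pins the parameters it
enrolled with and refuses anything below a policy floor.
"""
import hashlib
import hmac
from typing import Optional

# Policy floor for this example (an assumption, not a Keeper value).
MIN_ITERATIONS = 100_000


def derive_key(password: str, salt: bytes, iterations: int) -> bytes:
    """Vault key = PBKDF2-HMAC-SHA256(master password, salt, iterations), 32 bytes."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)


def auth_verifier(key: bytes) -> bytes:
    """What the client sends to log in: a hash of the derived key, so the server
    never sees the key itself. Constructed for this example."""
    return hashlib.sha256(b"verifier|" + key).digest()


def naive_login(password: str, server_params: dict) -> bytes:
    """The flawed pattern: derive with whatever the server says and hand back the verifier."""
    key = derive_key(password, server_params["salt"], server_params["iterations"])
    return auth_verifier(key)


class HardenedClient:
    """Pins the KDF parameters at enrollment and refuses to derive with different or weaker ones."""

    def __init__(self, salt: bytes, iterations: int):
        if iterations < MIN_ITERATIONS:
            raise ValueError("refusing to enroll with a weak iteration count")
        self.salt = salt
        self.iterations = iterations

    def login(self, password: str, server_params: dict) -> bytes:
        if server_params["iterations"] < MIN_ITERATIONS:
            raise ValueError("server offered an iteration count below policy")
        if server_params["salt"] != self.salt or server_params["iterations"] != self.iterations:
            raise ValueError("server changed KDF parameters; possible downgrade attack")
        return auth_verifier(derive_key(password, self.salt, self.iterations))


def offline_guess(verifier: bytes, salt: bytes, iterations: int, wordlist) -> Optional[str]:
    """Attacker's loop: each guess costs one KDF run with the *server-chosen* parameters."""
    for guess in wordlist:
        candidate = auth_verifier(derive_key(guess, salt, iterations))
        if hmac.compare_digest(candidate, verifier):
            return guess
    return None


# Constructed scenario ------------------------------------------------------
MASTER_PASSWORD = "correct horse battery staple"
ENROLL_SALT = b"\x01" * 16             # fixed so the example is deterministic
ENROLL_ITERATIONS = 100_000
WORDLIST = [f"password{i}" for i in range(200)] + [MASTER_PASSWORD]   # small, constructed

HONEST_PARAMS = {"salt": ENROLL_SALT, "iterations": ENROLL_ITERATIONS}
MALICIOUS_PARAMS = {"salt": b"\x00" * 16, "iterations": 1}           # downgrade from a hostile server


def demo_naive() -> Optional[str]:
    """A hostile server downgrades the KDF; the naive client complies, and the
    verifier it returns is recovered by a cheap offline search."""
    weak_verifier = naive_login(MASTER_PASSWORD, MALICIOUS_PARAMS)
    return offline_guess(weak_verifier, MALICIOUS_PARAMS["salt"], MALICIOUS_PARAMS["iterations"], WORDLIST)


def demo_hardened() -> str:
    """The pinned client rejects the downgrade before deriving anything."""
    client = HardenedClient(ENROLL_SALT, ENROLL_ITERATIONS)
    try:
        client.login(MASTER_PASSWORD, MALICIOUS_PARAMS)
    except ValueError as exc:
        return str(exc)
    return "accepted"


if __name__ == "__main__":
    print("naive client, downgraded KDF -> attacker recovers:", demo_naive())
    print("hardened client ->", demo_hardened())
    honest = HardenedClient(ENROLL_SALT, ENROLL_ITERATIONS).login(MASTER_PASSWORD, HONEST_PARAMS)
    print("hardened client with honest params ->", honest.hex())
```

The point is not the iteration count itself: even at 100,000 iterations, whoever holds the verifier can search offline at a cost per guess they did not choose. Once the server chooses the cost, the "zero-knowledge" property reduces to trusting the server, which is exactly the researcher's objection. Pinning the salt does have an operational consequence: a legitimate master-password change has to re-enroll the client explicitly rather than silently accept new parameters.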
Never understood the appeal of password managers. (Score:4, Insightful)
Re: (Score:1)
Trust issues aside, you make the password for that service longer and more difficult to discover, as well as not using it anywhere else.
Re:Never understood the appeal of password manager (Score:5, Informative)
Well, the spirit is that it is moderately easy to remember one really complex password. That is the one you will use for the password database.
Then all other sites will use randomly generated passwords stored in that database, so a leak at another service will not give them access to anything other than that particular service.
Of course, if your password database gets compromised you are completely pwned. But it is easier to check the security of one place than to trust the security of many places.
What is the alternative? You could remember 200 complex passwords, but I can't and most people can't. So they end up using very simple passwords which are different on each service, or they use a few complex passwords that they reuse everywhere. And that is a lot worse.
Re: (Score:2)
What is the alternative? You could remember 200 complex passwords, but I can't and most people can't. So they end up using very simple passwords which are different on each service, or they use a few complex passwords that they reuse everywhere. And that is a lot worse.
You forgot a third option: they (like me) end up using complex passwords, which are different on each service and they write them down in a little notebook. Same idea as using a password manager - except it is not exposed to the internet. And same as with a password manager, if you lose it, or it gets stolen, you are completely owned. You can mitigate it somewhat by 'encrypting' the passwords via some algorithm like 'add a garbage character to each password at position 2 and 5'.
You might as well use KeePass. Sure it's digital, but it's local (some folks opt to host the encrypted database). I have it set up to require 2FA (a keyfile on my keychain USB) in addition to a password. I'd say it's a more secure system than your notebook (both of us are subject to rubber-hose cryptography).
Re: (Score:3, Insightful)
Agreed. It's a known risk.
But when you're maintaining 20, 30, 50+ passwords for systems you access once a year or so - maintaining a single secure password to a vault of passwords is a trade off. Ideally you want said system to be controlled (I'm not sure I'd want it in the cloud).
Given Keeper's vulnerability record and response - I'd never use them.
Re: (Score:2)
I don't know much about Keeper, but there are many better programs out there, so I have not bothered with it.
For a provider that provides its own cloud storage, LastPass has been good. They state their compliance measures, and have been shown to be resilient, even when attacked. They offer 2FA, which is a must.
For a password utility that can sync to a cloud provider, I have used EnPass, Codebook, 1Password, and SafeInCloud. EnPass and Codebook are great. 1Password may require an account and a yearly fee for
Re: (Score:2)
I too use KeePass for Linux, Windows and Android. The URL sync is already built in, so I use an OwnCloud server that I run at home and sync with that, using a key file that I keep locally and a password. I use OwnCloud's application password to keep it separate from my own account. Yes, I already have SSL enabled on the OwnCloud server. Syncing is pretty fast, or I use the URL directly to open the file.
I don't trust password managers entirely in the cloud.
Re:... the appeal of password managers. (Score:1)
A password manager is good for the low-to-medium security places you want to visit. The myriad of forums, email accounts, blogs, shopping sites, social media, and places like here. Places that are low to medium importance, places which, if you had to remember the passwords, you would either have to use weak ones or common ones. Password managers shine in that they allow you to have a cryptographically secure and unique password for each of those sites, so that an intrusion into one doesn't reveal your pa
Re: (Score:2)
The best password manager solution is something that uses an existing cloud provider, like Box, Dropbox, GDrive, or maybe even the "big boys", like Amazon S3, Backblaze B2, Wasabi, Azure, Google Cloud Services, or other providers which have a laundry list of compliancy certifications. That way, it takes two companies to compromise before someone can get the passwords; the password manager and the cloud provider.
From what I've seen, LastPass has earned its bones, both in doing compliance regs, as well as mi
Shouldn't, but should be designed to (Score:2)
Ideally you wouldn't have encrypted password data on any system outside your own control.
Also, ideally you shouldn't care. Ideally, you encrypt the data sufficiently that you don't care who gets the encrypted file. But encryption algorithms routinely get broken, so it's good to have layers of security - nobody can get the encrypted file, AND even if they did, they can't decrypt it.
The password manager companies are pretty much all very small companies. They often buy shared hosting from Hostgator or whoev
Re: (Score:2)
Same reason why facilities people put the building keys in a storage locker. For websites, it is a lot more secure to use something like Dashlane or LastPass secured with 2FA and a good password than to use the same password or variants of it.
For local passwords, KeePass can be significantly more secure. One can store their KeePass DB on a physically secure USB flash drive, and have it use a password and a keyfile, where an attacker, even if they managed to glean a password, would still have to obtain tho
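Two comments in this thread (the KeePass "keyfile on my keychain USB" setup above, and this one on a password plus keyfile on a physically secured flash drive) rest on the same mechanism: the database key is built from both factors, so a leaked password alone does not decrypt it. The following is an added illustration of how such a composite key is built, modelled on the KeePass 2.x format as I understand it (password and key file are each reduced to 32 bytes, concatenated in fixed order, and hashed with SHA-256). It is not KeePass's own code; the key-transformation stage is a PBKDF2 stand-in rather than KeePass's AES-KDF or Argon2, the XML handling covers only the version 1.00 base64 <Data> layout, and TRANSFORM_ROUNDS, the sample password, key file bytes and master seed are constructed for the example. Check the details against the KeePass source before relying on them.

```python
"""Composite key from password + key file, modelled on KeePass 2.x (simplified).

Added example, not KeePass code. Each factor is reduced to 32 bytes, the pieces are
concatenated in a fixed order (password first, then key file) and hashed; the
result feeds the key transformation. Drop or swap either factor and the vault key
is unrelated, which is what makes the key file a real second factor.
"""
import base64
import hashlib
import re
from typing import Optional

# Rounds for the transformation stand-in below (assumption for this example).
TRANSFORM_ROUNDS = 60_000


def password_component(password: str) -> bytes:
    """KeePass 2.x hashes the UTF-8 master password with SHA-256 before combining."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def keyfile_component(data: bytes) -> bytes:
    """Key material from a key file, following the KeePass 2.x rules as I understand them:
    a 32-byte file is used raw, a 64-hex-character file is decoded, an XML key file
    (version 1.00) contributes its base64 <Data> element, and anything else is SHA-256'd."""
    if len(data) == 32:
        return data
    if len(data) == 64 and re.fullmatch(rb"[0-9A-Fa-f]{64}", data):
        return bytes.fromhex(data.decode("ascii"))
    m = re.search(rb"<Data>\s*([A-Za-z0-9+/=]+)\s*</Data>", data)
    if m:
        return base64.b64decode(m.group(1))
    return hashlib.sha256(data).digest()


def composite_key(password: Optional[str], keyfile: Optional[bytes]) -> bytes:
    """SHA-256 over the concatenated components, password first, then key file.
    Either factor may be absent, but at least one must be present."""
    if password is None and keyfile is None:
        raise ValueError("at least one key source is required")
    parts = b""
    if password is not None:
        parts += password_component(password)
    if keyfile is not None:
        parts += keyfile_component(keyfile)
    return hashlib.sha256(parts).digest()


def vault_key(composite: bytes, master_seed: bytes) -> bytes:
    """Stand-in for KeePass's key transformation (AES-KDF or Argon2) followed by
    SHA-256(master_seed || transformed_key). PBKDF2 is used only because it is in
    the standard library; it is not what KeePass does."""
    transformed = hashlib.pbkdf2_hmac("sha256", composite, b"transform-stand-in", TRANSFORM_ROUNDS, dklen=32)
    return hashlib.sha256(master_seed + transformed).digest()


# Constructed inputs ---------------------------------------------------------
PASSWORD = "tr0ub4dor&3"
KEYFILE_RAW = bytes(range(32))                       # a 32-byte raw key file
KEYFILE_XML = (b'<?xml version="1.0" encoding="utf-8"?>\n'
               b"<KeyFile><Meta><Version>1.00</Version></Meta>"
               b"<Key><Data>" + base64.b64encode(KEYFILE_RAW) + b"</Data></Key></KeyFile>")
MASTER_SEED = b"\x42" * 32                           # normally read from the database header


def demo() -> dict:
    """Vault keys under several factor combinations, so the reader can see that
    the same key file in raw or XML form gives the same key, while a missing or
    wrong key file gives an unrelated one even with the correct password."""
    return {
        "both": vault_key(composite_key(PASSWORD, KEYFILE_RAW), MASTER_SEED),
        "xml_keyfile": vault_key(composite_key(PASSWORD, KEYFILE_XML), MASTER_SEED),
        "password_only": vault_key(composite_key(PASSWORD, None), MASTER_SEED),
        "wrong_keyfile": vault_key(composite_key(PASSWORD, b"\x00" * 32), MASTER_SEED),
    }


if __name__ == "__main__":
    for label, key in demo().items():
        print(f"{label:14s} {key.hex()}")
```

The caveat the comments only hint at: the key file is a second factor only while it lives somewhere the database does not. A key file sitting next to the .kdbx on the same disk adds nothing against anyone who images that disk, which is why both commenters keep it on a separate USB stick or off the synced share.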
Re: (Score:2)
Aren't you just putting all your passwords under a single password? Seems like that would make you much more vulnerable.
For most of us, our email account is the key to the site access kingdom in any case. Or a lot of the kingdom. "Forgot password" ...
Re: (Score:2)
Very true. However, with 2FA, the password for my E-mail account won't give an attacker a free ticket in.
Re: (Score:2)
A password manager is a single point of failure that is hardened against attack and difficult to access unless an adversary has specific knowledge about you and your situation. Moreover, the payoff is low, since any given individual is not a valuable target, generally speaking.
A set of credentials used across multiple sites and services is a multitude of points of failure, the failure of any one of which will result in ALL being compromised. Many of them will not be properly hardened against attack, all of
Re: (Score:2)
2. Some password managers are decentralized and offline. You can keep your password book off the internet if you wanted.
Re: (Score:2)
How do _you_ remember 200+ (unique) passwords?