
A Bug in Keeper Password Manager Leads To Sparring Over 'Zero-Knowledge' Claim

Keeper, a password manager maker that recently and controversially sued a reporter, has fixed a bug that a security researcher claimed could have allowed access to a user's private data. From a report: The bug -- which the company confirmed and has since fixed -- filed anonymously to a public security disclosure list, detailed how anyone controlling Keeper's API server could gain access to the decryption key to a user's vault of passwords and other sensitive information. The researcher found the issue in the company's Python-powered script called Keeper Commander, which allows users to rotate passwords, eliminating the need for hardcoded passwords in software and systems.

According to the write-up, the researcher said it's possible that someone in control of Keeper's API -- such as employees at the company -- could unlock an account, because the API server stores the information used to produce an intermediary decryption key. "What seems to appear in the code of Keeper Commander from November 2015 to today is blind trust of the API server," said the researcher.
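The failure mode the researcher describes, a client that derives its vault key from whatever the API server hands it, can be modelled in a few lines. The code below is an added illustration, not Keeper Commander's code or Keeper's actual protocol: the PBKDF2 parameters, the pinned salt, the iteration floor and the sample values are all assumptions. It contrasts a client that trusts the server's KDF parameters with one that treats them as untrusted input.

```python
"""Hypothetical model of a vault client whose key derivation depends on
server-supplied parameters. Illustrative only, not Keeper's real design."""
import hashlib
import hmac

MIN_ITERATIONS = 100_000   # assumed floor; choose per your threat model
SALT_LEN = 16              # assumed salt length


def derive_key(password: str, salt: bytes, iterations: int) -> bytes:
    # PBKDF2-HMAC-SHA256 as the "intermediary key" that unlocks the vault
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def trusting_client(password: str, server_params: dict) -> bytes:
    """Blind trust: uses whatever the API server says. A rogue server can
    return iterations=1 and a salt it chose, making the key cheap to guess."""
    return derive_key(password, server_params["salt"], server_params["iterations"])


def hardened_client(password: str, server_params: dict, pinned: dict) -> bytes:
    """Treats server-supplied KDF parameters as untrusted input:
    - iterations may never drop below the floor or the value pinned at enrolment
    - the salt must match the value pinned at enrolment
    Raises ValueError instead of deriving a key from weakened parameters."""
    salt, iters = server_params["salt"], server_params["iterations"]
    if not isinstance(iters, int) or iters < max(MIN_ITERATIONS, pinned["iterations"]):
        raise ValueError(f"refusing weakened KDF: iterations={iters}")
    if len(salt) != SALT_LEN or not hmac.compare_digest(salt, pinned["salt"]):
        raise ValueError("refusing KDF: salt does not match pinned value")
    return derive_key(password, salt, iters)


# Constructed sample data: what the client pinned, an honest reply, a rogue reply
PINNED = {"salt": b"\x01" * SALT_LEN, "iterations": 100_000}
HONEST = dict(PINNED)
ROGUE = {"salt": b"\x00" * SALT_LEN, "iterations": 1}


def demo(password: str = "correct horse battery staple") -> tuple:
    """Returns (rogue_params_blocked, rogue_key_differs_from_honest_key)."""
    honest_key = hardened_client(password, HONEST, PINNED)
    weak_key = trusting_client(password, ROGUE)   # trusting client just complies
    try:
        hardened_client(password, ROGUE, PINNED)
        blocked = False
    except ValueError:
        blocked = True
    return blocked, weak_key != honest_key
```

The point is not the specific parameters but that anything the server can vary about key derivation must be validated or pinned client-side, or the "zero-knowledge" property depends on the server's honesty.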


  • by Kenja ( 541830 ) on Friday May 18, 2018 @11:24AM (#56633216)
    Aren't you just putting all your passwords under a single password? Seems like that would make you much more vulnerable.
    • by Anonymous Coward

      Trust issues aside, you make the password for that service longer and more difficult to discover, and you don't use it anywhere else.

    • by godrik ( 1287354 ) on Friday May 18, 2018 @11:35AM (#56633282)

      Well, the spirit is that it is moderately easy to remember one really complex password. That is the one you will use in the password database.
      Then all other sites will use randomly generated passwords stored in that database. So any leak in other services will not give them access to anything other than that particular service.
      Of course, if your password database gets compromised you are completely pwned. But it is easier to check the security of one place, rather than trusting the security of many places.

      What is the alternative? You could remember 200 complex passwords; but I can't and most people can't. So they end up using very simple passwords which are different on each service, or they use a few complex passwords that they reuse everywhere. And that is a lot worse.

    • Re: (Score:3, Insightful)

      by Anonymous Coward

      Aren't you just putting all your passwords under a single password? Seems like that would make you much more vulnerable.

      Agreed. It's a known risk.

      But when you're maintaining 20, 30, 50+ passwords for systems you access once a year or so, maintaining a single secure password to a vault of passwords is a trade-off. Ideally you want said system to be controlled (I'm not sure I'd want it in the cloud).

      Given Keeper's vulnerability record and response - I'd never use them.

      • I don't know much about Keeper, but there are many better programs out there, so I have not bothered with it.

        For a provider that provides its own cloud storage, LastPass has been good. They state their compliance measures, and have shown to be resilient, even when attacked. They offer 2FA, which is a must.

        For a password utility that can sync to a cloud provider, I have used EnPass, Codebook, 1Password, and SafeInCloud. EnPass and Codebook are great. 1Password may require an account and a yearly fee for

      • by Ksevio ( 865461 )
        Additionally, you can use multi-factor authentication for the password manager
    • by jon3k ( 691256 )
      The alternative would be trying to remember hundreds of passwords, and most people would end up re-using passwords or using much lower quality passwords. I also can protect that single, complex password using 2FA, which means now all my passwords are insanely complex (I let my password manager generate them, 20+ characters, every character I'm allowed, etc.) and getting that one password is very difficult.
    • A password manager is good for the low-to-medium security places you want to visit. The myriad of forums, email accounts, blogs, shopping sites, social media, and places like here. Places that are low to medium importance, places which, if you had to remember the passwords, you would either have to use weak ones or common ones. Password managers shine in that they allow you to have a cryptographically secure and unique password for each of those sites, so that an intrusion into one doesn't reveal your pa

      • The best password manager solution is something that uses an existing cloud provider, like Box, Dropbox, GDrive, or maybe even the "big boys", like Amazon S3, Backblaze B2, Wasabi, Azure, Google Cloud Services, or other providers which have a laundry list of compliancy certifications. That way, it takes two companies to compromise before someone can get the passwords; the password manager and the cloud provider.

        From what I've seen, LastPass has earned its bones, both in doing compliance regs, as well as mi

    • Same reason why facilities people put the building keys in a storage locker. For websites, it is a lot more secure to use something like Dashlane or LastPass secured with 2FA and a good password than to use the same password or variants of it.

      For local passwords, KeePass can be significantly more secure. One can store their KeePass DB on a physically secure USB flash drive, and have it use a password and a keyfile, where an attacker, even if they managed to glean a password, would still have to obtain tho

    • Aren't you just putting all your passwords under a single password? Seems like that would make you much more vulnerable.

      For most of us, our email account is the key to the site access kingdom in any case. Or a lot of the kingdom. "Forgot password" ...

      • Very true. However, with 2FA, the password for my E-mail account won't give an attacker a free ticket in.

      A password manager is a single point of failure that is hardened against attack and difficult to access unless an adversary has specific knowledge about you and your situation. Moreover, the payoff is low, since any given individual is not a valuable target, generally speaking.

      A set of credentials used across multiple sites and services is a multitude of points of failure, the failure of any one of which will result in ALL being compromised. Many of them will not be properly hardened against attack, all of

    • 1. It's much easier to remember one, secure password than it is to try to remember multiple secure passwords
      2. Some password managers are decentralized and offline. You can keep your password book off the internet if you wanted.
    • How do _you_ remember 200+ (unique) passwords?
