Slashdot Mirror


A Bug in Keeper Password Manager Leads To Sparring Over 'Zero-Knowledge' Claim (zdnet.com)

Keeper, a password manager maker that recently and controversially sued a reporter, has fixed a bug that a security researcher claimed could have allowed access to a user's private data. From a report: The bug report, filed anonymously to a public security disclosure list, detailed how anyone controlling Keeper's API server could gain access to the decryption key to a user's vault of passwords and other sensitive information; the company confirmed the bug and has since fixed it. The researcher found the issue in the company's Python-powered script called Keeper Commander, which allows users to rotate passwords, eliminating the need for hardcoded passwords in software and systems.

According to the write-up, the researcher said it's possible that someone in control of Keeper's API -- such as employees at the company -- could unlock an account, because the API server stores the information used to produce an intermediary decryption key. "What seems to appear in the code of Keeper Commander from November 2015 to today is blind trust of the API server," said the researcher.
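The failure mode the researcher describes, a client that takes key-derivation inputs from the server it is authenticating to, is easier to see in code. The following is an added illustration and is not Keeper Commander's code; the protocol, the field names, the PBKDF2 construction, the iteration floor and the pinning scheme are all assumptions chosen to show the general class of problem, not the specific mechanism in Keeper's product. The naive client derives its vault key from whatever salt and iteration count the API server returns, so a hostile server can hand back trivially weak parameters and then test master-password guesses cheaply against anything derived from the resulting key. The pinned client fixes the parameters at enrolment, stores them locally, and treats the server's copy as something to verify rather than obey.

```python
"""Toy model of 'blind trust of the API server' in a vault client.

Added example, not code from Keeper Commander. Everything below (the KDF,
the parameter names, the policy floor, the pinning approach) is an
assumption for illustration.
"""
import hashlib
import hmac
from dataclasses import dataclass

MIN_ITERATIONS = 100_000  # assumed policy floor for this illustration


def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 over the master password, 32-byte output."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32
    )


def naive_client_key(master_password: str, server_params: dict) -> bytes:
    """Blind trust: use whatever salt and iteration count the server sends.
    Whoever controls the server now controls how strong the vault key is."""
    salt = bytes.fromhex(server_params["salt"])
    return derive_key(master_password, salt, int(server_params["iterations"]))


@dataclass(frozen=True)
class PinnedParams:
    salt: bytes
    iterations: int


class PinnedClient:
    """Hardened variant: KDF parameters are fixed at enrolment, kept locally,
    and the server's copy is only ever compared against them."""

    def __init__(self, pinned: PinnedParams):
        if pinned.iterations < MIN_ITERATIONS:
            raise ValueError("iteration count below policy floor")
        self.pinned = pinned

    def key(self, master_password: str, server_params: dict) -> bytes:
        salt = bytes.fromhex(server_params["salt"])
        iterations = int(server_params["iterations"])
        if not hmac.compare_digest(salt, self.pinned.salt) or iterations != self.pinned.iterations:
            raise ValueError("server-supplied KDF parameters differ from pinned values")
        return derive_key(master_password, self.pinned.salt, self.pinned.iterations)


def offline_guess(target_key: bytes, salt: bytes, iterations: int, candidates):
    """What a party holding the salt, the iteration count and something derived
    from the key (here the key itself, standing in for an auth verifier or a
    known-plaintext record) can do: test candidate master passwords offline.
    With iterations=1 each guess costs one HMAC."""
    for cand in candidates:
        if hmac.compare_digest(derive_key(cand, salt, iterations), target_key):
            return cand
    return None


# Constructed scenario: the parameters the client should remember from enrolment ...
ENROLLED = PinnedParams(
    salt=bytes.fromhex("00112233445566778899aabbccddeeff"), iterations=MIN_ITERATIONS
)
HONEST_SERVER = {"salt": ENROLLED.salt.hex(), "iterations": ENROLLED.iterations}
# ... and what a hostile API server could return instead (constructed).
HOSTILE_SERVER = {"salt": "ffffffffffffffffffffffffffffffff", "iterations": 1}
CANDIDATES = ["password", "letmein", "correct horse battery staple", "hunter2"]


def demo(master_password: str = "correct horse battery staple") -> dict:
    """Run both clients against the hostile server and report the outcome."""
    weak_key = naive_client_key(master_password, HOSTILE_SERVER)
    recovered = offline_guess(
        weak_key, bytes.fromhex(HOSTILE_SERVER["salt"]), HOSTILE_SERVER["iterations"], CANDIDATES
    )
    pinned = PinnedClient(ENROLLED)
    honest_ok = pinned.key(master_password, HONEST_SERVER) == derive_key(
        master_password, ENROLLED.salt, ENROLLED.iterations
    )
    try:
        pinned.key(master_password, HOSTILE_SERVER)
        hostile_rejected = False
    except ValueError:
        hostile_rejected = True
    return {
        "naive_recovered_password": recovered,
        "pinned_accepts_honest": honest_ok,
        "pinned_rejects_hostile": hostile_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The point is not the particular downgrade (iteration count, salt) but that any parameter the server can choose is a parameter the server can choose badly; a "zero-knowledge" client has to be able to derive, or at least verify, every input to its key derivation without the server's help.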

47 comments

  1. Never understood the appeal of password managers. by Kenja · · Score: 3, Insightful

    Aren't you just putting all your passwords under a single password? Seems like that would make you much more vulnerable.

    --

    "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
  2. Re:Never understood the appeal of password manager by Anonymous Coward · · Score: 1

    Trust issues aside. You make the password for that service longer and more difficult to discover. As well as not use it anywhere else.

  3. Re:Never understood the appeal of password manager by godrik · · Score: 5, Informative

    Well, the spirit is that it is moderately easy to remember one really complex password. That is the one you will use in the password database.
    Then all other sites will use randomly generated passwords stored in that database. So any leak in other services will not give them access to anything other than that particular service.
    Of course, if your password database gets compromised you are completely pwned. But it is easier to check the security of one place, rather than trusting the security of many places.

    What is the alternative? You could remember 200 complex passwords; but I can't and most people can't. So they end up using very simple passwords which are different on each service, or they use a few complex passwords that they reuse everywhere. And that is a lot worse.

  4. Re:Never understood the appeal of password manager by Anonymous Coward · · Score: 0

    Is it actually possible to live without one?

  5. Re: Republicans by Anonymous Coward · · Score: 0

    Pukians want us to die. They pillaged my city because we support net neutrality and don't want to pay thousands of dollars a month for cable internet with data caps. They hate us and want us to die.

  6. Re:Never understood the appeal of password manager by Anonymous Coward · · Score: 3, Insightful

    Aren't you just putting all your passwords under a single password? Seems like that would make you much more vulnerable.

    Agreed. It's a known risk.

    But when you're maintaining 20, 30, 50+ passwords for systems you access once a year or so - maintaining a single secure password to a vault of passwords is a trade off. Ideally you want said system to be controlled (I'm not sure I'd want it in the cloud).

    Given Keeper's vulnerability record and response - I'd never use them.

  7. Re: Republicans by Anonymous Coward · · Score: 0

    It is their way. They want anyone who disagrees with them to die. Republicans want us all dead. It is truly their way, and that is sad. They won't rest until Vladimir Putin is dictator of the United States and everyone who opposes him is dead.

  8. Re: Republicans by Anonymous Coward · · Score: 0

    The Republicans can't help themselves. It is their way. It is how their kind thinks. They want us all to die. To die.

  9. Re: Republicans by Anonymous Coward · · Score: 0

    The Republicans block any attempt to bring Internet faster than dialup to Seattle. They hate us because we don't vote for them. It is their nature and they are bought off by the wealthy and big business.

  10. Re: Republicans by Anonymous Coward · · Score: 0

    Republicans don't want us to have password managers. They don't want us to have security. It is a luxury only for wealthy Republicans, to stop leaks that expose their true nature. They hate us and want us all to die.

  11. Re:Never understood the appeal of password manager by Anonymous Coward · · Score: 0

    For the long tail of semi-unimportant accounts, many of us were already using a single password. In that sense, for most people, a password manager is an improvement. Most people have hideous op sec. I am above average, and it ain't pretty still. I don't put passwords in a manager for anything with lots of personal data like email or financial sites. For those, I create unique passwords and memorize them (but hardly ever change them). But, for everything else, a password manager is better than a shared password.

  12. Re: Republicans by Anonymous Coward · · Score: 0

    Exactly. Republicans want to make sure they have fast internet and security like password managers, while leaving scraps for the rest of us. It is their way. It is how their kind is.

  13. Re:Never understood the appeal of password manager by jon3k · · Score: 1

    The alternative would be trying to remember hundreds of passwords and most people would end up re-using passwords or using much lower quality passwords. I also can protect that single, complex password using 2FA which means now all my passwords are insanely complex (I let my password manager generate them, 20+ characters, every character I'm allowed, etc) and getting that one password is very difficult.

  14. Re:password managers are single point of failure by Anonymous Coward · · Score: 0

    a password manager is just for copy-and-paste convenience.....

    so one doesn't have to flip over the keyboard. it's kinda hard to type a password in while looking at the passwords stuck there.

  15. Re:... the appeal of password managers. by Excelcia · · Score: 1

    A password manager is good for the low-to-medium security places you want to visit. The myriad of forums, email accounts, blogs, shopping sites, social media, and places like here. Places that are low to medium importance, places which, if you had to remember the passwords, you would either have to use weak ones or common ones. Password managers shine in that they allow you to have a cryptographically secure and unique password for each of those sites, so that an intrusion into one doesn't reveal your password everywhere else. It allows you to store those passwords in a central repository that is, itself, secured under a high security password. It is easier to remember one or two high security passwords than a few dozen different low and medium security ones.

    A "solution" like Keeper is terrible, though. I don't care how much anyone claims they are keeping my passwords secure, I do not trust someone else to own my passwords. External ownership of password data is a horrible solution. A far better solution is KeePass + Syncthing. With KeePass and family you can secure the database with a password plus key file. The key file can be distributed by sneaker net to all end points that need your database. You can then sync the database across all your devices with Syncthing. Syncthing is versatile, it has end-to-end encryption, can be used peer-to-peer and discover the way to end points or, if you don't want to use any third party resources, it can work client-server too. Both KeePass and Syncthing have versions for all platforms. This is the model I went with and I love it.

    You still might want to have unique high security passwords for certain things. Banking is one you might consider. Pre-boot whole-disk-encryption passwords (ie: VeraCrypt) are ones you definitely don't want to trust to a password manager. My WDE password is my highest security password and never ever gets exposed to the internet. But for the million other passwords you need, a password manager is your friend.

  16. Re:Never understood the appeal of password manager by ctilsie242 · · Score: 1

    Same reason why facilities people put the building keys in a storage locker. For websites, it is a lot more secure to use something like Dashlane or LastPass secured with 2FA and a good password than to use the same password or variants of it.

    For local passwords, KeePass can be significantly more secure. One can store their KeePass DB on a physically secure USB flash drive, and have it use a password and a keyfile, where an attacker, even if they managed to glean a password, would still have to obtain those. KeePass even allows for identity info from Windows to be used, ensuring that if the DB is copied off, it is not usable.

  17. You gonna get sued! by Anonymous Coward · · Score: 0

    How long until Keeper sues Slashdot for posting this?

  18. Please Ignore This Post by Anonymous Coward · · Score: 0


    6bed 82ee 17a8 7235
    1e7f 8dfa d4f6 3995
    1e0a 2bae 3e76 e01e
    57dc d49c 8190 4e19
    de7a 737f 318a b855
    7398 6976 6e35 7c3e
    9872 8775 92e3 97e2
    db21 814f 45de ce39

  19. Re:... the appeal of password managers. by ctilsie242 · · Score: 1

    The best password manager solution is something that uses an existing cloud provider, like Box, Dropbox, GDrive, or maybe even the "big boys", like Amazon S3, Backblaze B2, Wasabi, Azure, Google Cloud Services, or other providers which have a laundry list of compliance certifications. That way, it takes two companies to compromise before someone can get the passwords; the password manager and the cloud provider.

    From what I've seen, LastPass has earned its bones, both in doing compliance regs, as well as mitigating attacks.

    No security tool is a magic bullet. For most sites (everything but banking and other critical stuff), LastPass is good enough. For more critical things, KeePass or KeePassXC on local storage [1] is better.

    [1]: There are decent hardware USB flash drives by iStorage and Aegis. They don't depend on the keyboard for PIN entry, so are immune to keyloggers. After a number of times (10, usually), they will erase the contents on the drive.

  20. Re:Never understood the appeal of password manager by ctilsie242 · · Score: 1

    I don't know much about Keeper, but there are many better programs out there, so I have not bothered with it.

    For a provider that provides its own cloud storage, LastPass has been good. They state their compliance measures, and have shown to be resilient, even when attacked. They offer 2FA, which is a must.

    For a password utility that can sync to a cloud provider, I have used EnPass, Codebook, 1Password, and SafeInCloud. EnPass and Codebook are great. 1Password may require an account and a yearly fee for access to your own passwords. SafeInCloud is solid, but new. I used to recommend mSecure, but they seem to have gone the route of requiring an account and subscription fees as well to access your own data.

    For a password utility that doesn't sync, KeePass on Windows, and KeePassXC on macOS or Linux.

    Of course, you can always use a CSV file and store that on a TrueCrypt/VeraCrypt volume.

  21. Re:Never understood the appeal of password manager by cascadingstylesheet · · Score: 1

    Aren't you just putting all your passwords under a single password? Seems like that would make you much more vulnerable.

    For most of us, our email account is the key to the site access kingdom in any case. Or a lot of the kingdom. "Forgot password" ...

  22. Re:Never understood the appeal of password manager by Anonymous Coward · · Score: 0

    It seems that way, but it's not. My password manager's database lives on a VeraCrypt volume. The database itself requires a keyfile and a passphrase that is 9 words long, some spelled incorrectly. The likelihood that someone compromises my VeraCrypt volume, my keyfiles, and my passphrase all at once is minuscule compared to the likelihood of one of my online accounts being compromised. The password manager allows me to have truly random 40-character passwords for every site (pwgen -s 40).

  23. Re: Never understood the appeal of password manage by Anonymous Coward · · Score: 0

    Nah, CSV file passed via OpenSSL encrypt/decrypt in 2 layers: a symmetric algo that I know the passphrase of, and RSA where the key is stored in a smart card.

  24. Re:Never understood the appeal of password manager by Anonymous Coward · · Score: 0

    For a password utility that doesn't sync, KeePass on Windows

    There are plugins for KeePass that sync to various cloud providers. I keep my KeePass executable and database on a small VeraCrypt volume on Dropbox. Easy access from anywhere without having to download and install KeePass.

  25. Re:Never understood the appeal of password manager by ctilsie242 · · Score: 1

    Very true. However, with 2FA, the password for my E-mail account won't give an attacker a free ticket in.

  26. Re:... the appeal of password managers. by Anonymous Coward · · Score: 0

    The best password manager solution is something that uses an existing cloud provider, like Box, Dropbox, GDrive, or maybe even the "big boys", like Amazon S3, Backblaze B2, Wasabi, Azure, Google Cloud Services, or other providers which have a laundry list of compliance certifications.

    Can't tell if this is a joke. If it is, it's a good one. If it's not, dear God I hope you're not in charge of anybody's security.

  27. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  28. Shouldn't, but should be designed to by raymorris · · Score: 1

    Ideally you wouldn't have encrypted password data on any system outside your own control.

    Also, ideally you shouldn't care. Ideally, you encrypt the data sufficiently that you don't care who gets the encrypted file. But encryption algorithms routinely get broken, so it's good to have layers of security - nobody can get the encrypted file, AND even if they did, they can't decrypt it.

    The password manager companies are pretty much all very small companies. They often buy shared hosting from Hostgator or whoever. *IF* you're going to have your encrypted password file on someone else's server, it's best to choose a company who has a qualified network security team, qualified application security team, a qualified system security team, routine security audits, etc. IF you're going to use someone else's server, most of the big companies in cloud storage have far, far better security than the little companies. A company who is certified to provide cloud storage to DoD is going to have significantly more mature security than that guy who made an app he calls SecretPassVault or whatever.

  29. Re:Never understood the appeal of password manager by Anonymous Coward · · Score: 0

    What is the alternative? You could remember 200 complex passwords; but I can't and most people can't. So they end up using very simple password which are different on each service, or they use a few complex password that they reuse everywhere. And that is a lot worse.

    You forgot a third option: they (like me) end up using complex passwords, which are different on each service and they write them down in a little notebook. Same idea as using a password manager - except it is not exposed to the internet. And same as with a password manager, if you lose it, or it gets stolen, you are completely owned. You can mitigate it somewhat by 'encrypting' the passwords via some algorithm like 'add a garbage character to each password at position 2 and 5'.

  30. Re:Never understood the appeal of password manager by Anubis+IV · · Score: 1

    A password manager is a single point of failure that is hardened against attack and difficult to access unless an adversary has specific knowledge about you and your situation. Moreover, the payoff is low, since any given individual is not a valuable target, generally speaking.

    A set of credentials used across multiple sites and services is a multitude of points of failure, the failure of any one of which will result in ALL being compromised. Many of them will not be properly hardened against attack, all of them have locations that are known to attackers, and the payoff for compromising any one is high, since an attacker can acquire credentials for millions or billions of users.

    So no, you're not more vulnerable. You're far less vulnerable.

  31. Re:Never understood the appeal of password manager by Darkk · · Score: 1

    I too use Keepass for Linux, Windows and Android. The URL sync is already built-in so I use OwnCloud server that I run at home and sync with that with a key file that I keep locally and a password. I use OwnCloud's application password to keep it separate from my own account. Yes I already have SSL enabled on OwnCloud server. Syncing is pretty fast or use URL direct to open the file.

    I don't trust password managers entirely in the cloud.

  32. Re:... the appeal of password managers. by Anonymous Coward · · Score: 0

    Any third party password manager can't be trusted, mainly because you'll never really be sure you're actually installing the legitimate one rather than a compromised copycat, short of downloading the source, auditing it yourself and compiling it using a secure toolchain. At which point it'd be easier to write your own from scratch, as it requires at least as much knowledge and skill to find someone else's bugs and obfuscated attack vectors as to omit the same from your own work.

    For people who don't write their own password manager the only good answers are: a manager that came with your OS (because if your OS is compromised you're screwed anyway), or a pad of paper to which you apply physical security (because if the attacker has physical access to your hardware you're screwed anyway).

  33. Re:Never understood the appeal of password manager by Anonymous Coward · · Score: 0

    Unless your password manager is compromised. For example, by a look-alike site offering compromised binaries and the legitimate source code from a popular open source manager, using SEO or shelling out to be a sponsored result to appear at the top of a naive search.

    Then you aren't the specific target; anyone attempting to use the popular manager but lacking the skills to defeat the fraud is the target, and your additional steps to encrypt are irrelevant as the manager itself is compromised.

    Password managers are a good tool, but they need to be built into your OS, otherwise they're just a big tempting target.

  34. Re:Never understood the appeal of password manager by Ksevio · · Score: 1

    Additionally, you can use multi-factor authentication for the password manager

  35. Re:Never understood the appeal of password manager by rsborg · · Score: 1

    What is the alternative? You could remember 200 complex passwords; but I can't and most people can't. So they end up using very simple password which are different on each service, or they use a few complex password that they reuse everywhere. And that is a lot worse.

    You forgot a third option: they (like me) end up using complex passwords, which are different on each service and they write them down in a little notebook. Same idea as using a password manager - except it is not exposed to the internet. And same as with a password manager, if you lose it, or it gets stolen, you are completely owned. You can mitigate it somewhat by 'encrypting' the passwords via some algorithm like 'add a garbage character to each password at position 2 and 5'.

    You might as well use KeePass. Sure it's digital but it's local (some folks opt to host the encrypted database). I have it setup to require 2FA (a keyfile on my keychain USB) in addition to a password. I'd say it's a more secure system than your notebook (both of us are subject to rubber-hose cryptography).

    --
    Make sure everyone's vote counts: Verified Voting
  36. Re:Never understood the appeal of password manager by wardrich86 · · Score: 1

    1. It's much easier to remember one, secure password than it is to try to remember multiple secure passwords
    2. Some password managers are decentralized and offline. You can keep your password book off the internet if you wanted.

  37. Re:Never understood the appeal of password manager by Anonymous Coward · · Score: 0

    "but they need to be built into your OS" - I think you either underestimate the target profile of entire OSes versus applications, or you're overestimating the amount of time a given OS pays to securing passwords/user data by default.

  38. Re:Never understood the appeal of password manager by UnknownSoldier · · Score: 1

    How do _you_ remember 200+ (unique) passwords?

  39. Re:Never understood the appeal of password manager by Anonymous Coward · · Score: 0

    I've often thought that it might be relatively easy for a keylogger to pay attention to what file handles are opened by a password manager to gain access to keyfiles. All they have to do is copy the keyfile at the same time they record the keystrokes.

  40. Re:Never understood the appeal of password manager by Anonymous Coward · · Score: 0

    I came up with an algorithm to generate my passwords based on either the user name, website, or some other factors. Remember a couple twists of the algorithm for sites with crazy passwords requirements and I can recall a near infinite amount of passwords. This protects you from automated attacks. It doesn't protect you from targeted attacks, but targeted attacks will beat you anyway so it's good enough and way better than what most people do. There's always more than two sides/choices to everything.

  41. Re:Never understood the appeal of password manager by Anonymous Coward · · Score: 0

    Since about 90% of online services can have a password reset sent to your email, this is probably true anyway.

  42. You all forgot a fourth option. Fewer accounts. by Anonymous Coward · · Score: 0

    Nobody needs 200 plus online password-protected accounts.

    You need, to operate in society, maybe five or ten at the most. Probably most people could get by with less.

    You can also layer passwords - ie if you really "need" dozens of online news sites or games or whatever the fuck - use a simple password for those essentially throwaway accounts.

    Only critical services need a real password and there you can use a master password or three + secret algorithm that lets you differentiate based on the service. None of this needs to be written down, except perhaps in a safe or safety deposit box that your family, heirs or partners have access to if you are incapacitated or die.

    1. Re:You all forgot a fourth option. Fewer accounts. by Agent0013 · · Score: 1

      Need is one thing. But every site you buy one item from, one time, makes you create an account. You can abandon them and ask for a password reset if you ever do use that site again. But good luck remembering which email account you used, and resetting the password will take extra time. If you store them in an OFFLINE password manager, you can always look them up if you ever need that site again.

      --

      -- ssoorrrryy,, dduupplleexx sswwiittcchh oonn.. -Quote found on actual fortune cookie.