Slashdot Mirror


A Bug in Keeper Password Manager Leads To Sparring Over 'Zero-Knowledge' Claim (zdnet.com)

Keeper, a password manager maker that recently and controversially sued a reporter, has fixed a bug that a security researcher claimed could have allowed access to a user's private data. From a report: The bug -- which the company confirmed and has since fixed -- was filed anonymously to a public security disclosure list and detailed how anyone controlling Keeper's API server could gain access to the decryption key to a user's vault of passwords and other sensitive information. The researcher found the issue in the company's Python-powered script called Keeper Commander, which allows users to rotate passwords, eliminating the need for hardcoded passwords in software and systems.

According to the write-up, the researcher said it's possible that someone in control of Keeper's API -- such as employees at the company -- could unlock an account, because the API server stores the information used to produce an intermediary decryption key. "What seems to appear in the code of Keeper Commander from November 2015 to today is blind trust of the API server," said the researcher.
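The "blind trust of the API server" the researcher describes is, in general terms, a client that derives its vault key from whatever inputs the server hands it. The following Python is an added illustration of the opposite design, not Keeper Commander's code and not a description of Keeper's actual protocol: the client enforces a floor on server-offered key-derivation parameters, pins them after first use, and keeps the encryption key off the server. The floors, HMAC labels and function names are assumptions for this example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional
# Assumed floors for this example; weaker server-offered parameters are refused.
MIN_ITERATIONS = 100_000
MIN_SALT_LEN = 16

@dataclass(frozen=True)
class KdfParams:
    salt: bytes
    iterations: int

def check_kdf_params(offered: KdfParams, pinned: Optional[KdfParams]) -> KdfParams:
    """Validate server-offered KDF parameters instead of accepting them blindly.
    Once the caller has pinned a set, the server may neither change the salt
    nor lower the iteration count. Raises ValueError on any violation."""
    if len(offered.salt) < MIN_SALT_LEN:
        raise ValueError("salt shorter than %d bytes" % MIN_SALT_LEN)
    if offered.iterations < MIN_ITERATIONS:
        raise ValueError("iteration count below floor")
    if pinned is not None and offered.salt != pinned.salt:
        raise ValueError("salt changed since it was pinned")
    if pinned is not None and offered.iterations < pinned.iterations:
        raise ValueError("iteration count lowered since it was pinned")
    return offered

def accepts(offered: KdfParams, pinned: Optional[KdfParams] = None) -> bool:
    """True if the client would proceed with these parameters."""
    try:
        check_kdf_params(offered, pinned)
        return True
    except ValueError:
        return False

def derive_keys(password: str, params: KdfParams) -> tuple:
    """Derive two independent keys from the master password: enc_key never
    leaves the client, auth_key is the only derived value the server sees."""
    master = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 params.salt, params.iterations)
    enc_key = hmac.new(master, b"vault-encryption", "sha256").digest()
    auth_key = hmac.new(master, b"server-authentication", "sha256").digest()
    return enc_key, auth_key

def server_record(params: KdfParams, auth_key: bytes) -> dict:
    """All the server stores for a user: salt, iterations and auth_key; the
    password and enc_key are never among them, which is the zero-knowledge claim."""
    return {"salt": params.salt.hex(), "iterations": params.iterations,
            "auth_key": auth_key.hex()}
```

With this split, a party holding everything in the server record still lacks the master password and therefore enc_key; a server that tries to hand the client a shorter salt or a lower iteration count is refused rather than obeyed.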

20 of 47 comments

  1. Never understood the appeal of password managers. by Kenja · · Score: 3, Insightful

    Aren't you just putting all your passwords under a single password? Seems like that would make you much more vulnerable.

    --

    "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
  2. Re:Never understood the appeal of password manager by Anonymous Coward · · Score: 1

    Trust issues aside. You make the password for that service longer and more difficult to discover. As well as not use it anywhere else.

  3. Re:Never understood the appeal of password manager by godrik · · Score: 5, Informative

    Well, the spirit is that it is moderately easy to remember one really complex password. That is the one you will use for the password database.
    Then all other sites will use randomly generated passwords stored in that database. So any leak in other services will not give them access to anything other than that particular service.
    Of course, if your password database gets compromised you are completely pwned. But it is easier to check the security of one place, rather than trusting the security of many places.

    What is the alternative? You could remember 200 complex passwords; but I can't and most people can't. So they end up using very simple passwords which are different on each service, or they use a few complex passwords that they reuse everywhere. And that is a lot worse.

  4. Re:Never understood the appeal of password manager by Anonymous Coward · · Score: 3, Insightful

    Aren't you just putting all your passwords under a single password? Seems like that would make you much more vulnerable.

    Agreed. It's a known risk.

    But when you're maintaining 20, 30, 50+ passwords for systems you access once a year or so - maintaining a single secure password to a vault of passwords is a trade off. Ideally you want said system to be controlled (I'm not sure I'd want it in the cloud).

    Given Keeper's vulnerability record and response - I'd never use them.

  5. Re:Never understood the appeal of password manager by jon3k · · Score: 1

    The alternative would be trying to remember hundreds of passwords and most people would end up re-using passwords or using much lower quality passwords. I also can protect that single, complex password using 2FA which means now all my passwords are insanely complex (I let my password manager generate them, 20+ characters, every character I'm allowed, etc) and getting that one password is very difficult.

  6. Re:... the appeal of password managers. by Excelcia · · Score: 1

    A password manager is good for the low-to-medium security places you want to visit. The myriad of forums, email accounts, blogs, shopping sites, social media, and places like here. Places that are low to medium importance, places which, if you had to remember the passwords, you would either have to use weak ones or common ones. Password managers shine in that they allow you to have a cryptographically secure and unique password for each of those sites, so that an intrusion into one doesn't reveal your password everywhere else. It allows you to store those passwords in a central repository that is, itself, secured under a high security password. It is easier to remember one or two high security passwords than a few dozen different low and medium security ones.

    A "solution" like Keeper is terrible, though. I don't care how much anyone claims they are keeping my passwords secure, I do not trust someone else to own my passwords. External ownership of password data is a horrible solution. A far better solution is KeePass + Syncthing. With KeePass and family you can secure the database with a password plus key file. The key file can be distributed by sneaker net to all end points that need your database. You can then sync the database across all your devices with Syncthing. Syncthing is versatile, it has end-to-end encryption, can be used peer-to-peer and discover the way to end points or, if you don't want to use any third party resources, it can work client-server too. Both KeePass and Syncthing have versions for all platforms. This is the model I went with and I love it.

    You still might want to have unique high security passwords for certain things. Banking is one you might consider. Pre-boot whole-disk-encryption passwords (ie: VeraCrypt) are ones you definitely don't want to trust to a password manager. My WDE password is my highest security password and never ever gets exposed to the internet. But for the million other passwords you need, a password manager is your friend.

  7. Re:Never understood the appeal of password manager by ctilsie242 · · Score: 1

    Same reason why facilities people put the building keys in a storage locker. For websites, it is a lot more secure to use something like Dashlane or LastPass secured with 2FA and a good password than to use the same password or variants of it.

    For local passwords, KeePass can be significantly more secure. One can store their KeePass DB on a physically secure USB flash drive, and have it use a password and a keyfile, where an attacker, even if they managed to glean a password, would still have to obtain those. KeePass even allows for identity info from Windows to be used, ensuring that if the DB is copied off, it is not usable.

  8. Re:... the appeal of password managers. by ctilsie242 · · Score: 1

    The best password manager solution is something that uses an existing cloud provider, like Box, Dropbox, GDrive, or maybe even the "big boys", like Amazon S3, Backblaze B2, Wasabi, Azure, Google Cloud Services, or other providers which have a laundry list of compliance certifications. That way, it takes two companies to compromise before someone can get the passwords; the password manager and the cloud provider.

    From what I've seen, LastPass has earned its bones, both in doing compliance regs, as well as mitigating attacks.

    No security tool is a magic bullet. For most sites (everything but banking and other critical stuff), LastPass is good enough. For more critical things, KeePass or KeePassXC on local storage [1] is better.

    [1]: There are decent hardware USB flash drives by iStorage and Aegis. They don't depend on the keyboard for PIN entry, so are immune to keyloggers. After a number of times (10, usually), they will erase the contents on the drive.

  9. Re:Never understood the appeal of password manager by ctilsie242 · · Score: 1

    I don't know much about Keeper, but there are many better programs out there, so I have not bothered with it.

    For a provider that provides its own cloud storage, LastPass has been good. They state their compliance measures, and have shown to be resilient, even when attacked. They offer 2FA, which is a must.

    For a password utility that can sync to a cloud provider, I have used EnPass, Codebook, 1Password, and SafeInCloud. EnPass and Codebook are great. 1Password may require an account and a yearly fee for access to your own passwords. SafeInCloud is solid, but new. I used to recommend mSecure, but they seemed to have gone the route of requiring an account and subscription fees as well to access your own data.

    For a password utility that doesn't sync, KeePass on Windows, and KeePassXC on macOS or Linux.

    Of course, you can always use a CSV file and store that on a TrueCrypt/VeraCrypt volume.

  10. Re:Never understood the appeal of password manager by cascadingstylesheet · · Score: 1

    Aren't you just putting all your passwords under a single password? Seems like that would make you much more vulnerable.

    For most of us, our email account is the key to the site access kingdom in any case. Or a lot of the kingdom. "Forgot password" ...

  11. Re:Never understood the appeal of password manager by ctilsie242 · · Score: 1

    Very true. However, with 2FA, the password for my E-mail account won't give an attacker a free ticket in.

  13. Shouldn't, but should be designed to by raymorris · · Score: 1

    Ideally you wouldn't have encrypted password data on any system outside your own control.

    Also, ideally you shouldn't care. Ideally, you encrypt the data sufficiently that you don't care who gets the encrypted file. But encryption algorithms routinely get broken, so it's good to have layers of security - nobody can get the encrypted file, AND even if they did, they can't decrypt it.

    The password manager companies are pretty much all very small companies. They often buy shared hosting from Hostgator or whoever. *IF* you're going to have your encrypted password file on someone else's server, it's best to choose a company who has a qualified network security team, qualified application security team, a qualified system security team, routine security audits, etc. IF you're going to use someone else's server, most of the big companies in cloud storage have far, far better security than the little companies. A company who is certified to provide cloud storage to DoD is going to have significantly more mature security than that guy who made an app he calls SecretPassVault or whatever.

  14. Re:Never understood the appeal of password manager by Anubis+IV · · Score: 1

    A password manager is a single point of failure that is hardened against attack and difficult to access unless an adversary has specific knowledge about you and your situation. Moreover, the payoff is low, since any given individual is not a valuable target, generally speaking.

    A set of credentials used across multiple sites and services is a multitude of points of failure, the failure of any one of which will result in ALL being compromised. Many of them will not be properly hardened against attack, all of them have locations that are known to attackers, and the payoff for compromising any one is high, since an attacker can acquire credentials for millions or billions of users.

    So no, you're not more vulnerable. You're far less vulnerable.

  15. Re:Never understood the appeal of password manager by Darkk · · Score: 1

    I too use Keepass for Linux, Windows and Android. The URL sync is already built-in so I use OwnCloud server that I run at home and sync with that with a key file that I keep locally and a password. I use OwnCloud's application password to keep it separate from my own account. Yes I already have SSL enabled on OwnCloud server. Syncing is pretty fast or use URL direct to open the file.

    I don't trust password managers entirely in the cloud.

  16. Re:Never understood the appeal of password manager by Ksevio · · Score: 1

    Additionally, you can use multi-factor authentication for the password manager.

  17. Re:Never understood the appeal of password manager by rsborg · · Score: 1

    What is the alternative? You could remember 200 complex passwords; but I can't and most people can't. So they end up using very simple password which are different on each service, or they use a few complex password that they reuse everywhere. And that is a lot worse.

    You forgot a third option: they (like me) end up using complex passwords, which are different on each service and they write them down in a little notebook. Same idea as using a password manager - except it is not exposed to the internet. And same as with a password manager, if you lose it, or it gets stolen, you are completely owned. You can mitigate it somewhat by 'encrypting' the passwords via some algorithm like 'add a garbage character to each password at position 2 and 5'.

    You might as well use KeePass. Sure it's digital but it's local (some folks opt to host the encrypted database). I have it set up to require 2FA (a keyfile on my keychain USB) in addition to a password. I'd say it's a more secure system than your notebook (both of us are subject to rubber-hose cryptography).

    --
    Make sure everyone's vote counts: Verified Voting
  18. Re:Never understood the appeal of password manager by wardrich86 · · Score: 1

    1. It's much easier to remember one, secure password than it is to try to remember multiple secure passwords
    2. Some password managers are decentralized and offline. You can keep your password book off the internet if you wanted.

  19. Re:Never understood the appeal of password manager by UnknownSoldier · · Score: 1

    How do _you_ remember 200+ (unique) passwords?

  20. Re:You all forgot a fourth option. Fewer accounts. by Agent0013 · · Score: 1

    Need is one thing. But every site you buy one item from, one time, makes you create an account. You can abandon them and ask for a password reset if you ever do use that site again. But good luck remembering which email account you used, and resetting the password will take extra time. If you store them in an OFFLINE password manager, you can always look them up if you ever need that site again.

    --

    -- ssoorrrryy,, dduupplleexx sswwiittcchh oonn.. -Quote found on actual fortune cookie.