A Bug in Keeper Password Manager Leads To Sparring Over 'Zero-Knowledge' Claim

Keeper, a password manager maker that recently and controversially sued a reporter, has fixed a bug that a security researcher claimed could have allowed access to a user's private data. From a report: The bug -- which the company confirmed and has since fixed -- filed anonymously to a public security disclosure list, detailed how anyone controlling Keeper's API server could gain access to the decryption key to a user's vault of passwords and other sensitive information. The researcher found the issue in the company's Python-powered script called Keeper Commander, which allows users to rotate passwords, eliminating the need for hardcoded passwords in software and systems.

According to the write-up, the researcher said it's possible that someone in control of Keeper's API -- such as employees at the company -- could unlock an account, because the API server stores the information used to produce an intermediary decryption key. "What seems to appear in the code of Keeper Commander from November 2015 to today is blind trust of the API server," said the researcher.

Never understood the appeal of password managers.

[Kenja]

Aren't you just putting all your passwords under a single password? Seems like that would make you much more vulnerable.

Re:Never understood the appeal of password manager

[godrik]

well, the spirit is that it is moderately easy to remember one really complex password. That is the one you will use in the password database.
Then all other sites will use randomly generated password stored in that database. So any leak in other services will not give them accesses to anything else than that particular service.
Of course, if your password database gets compromised you are completely pawned. But it is easier to check the security of one place, rather than trusting the security of many places.

What is the alternative? You could remember 200 complex passwords; but I can't and most people can't. So they end up using very simple password which are different on each service, or they use a few complex password that they reuse everywhere. And that is a lot worse.

Re:Never understood the appeal of password manager

Aren't you just putting all your passwords under a single password? Seems like that would make you much more vulnerable.

Agreed. It's a known risk.

But when you're maintaining 20, 30, 50+ passwords for systems you access once a year or so - maintaining a single secure password to a vault of passwords is a trade off. Ideally you want said system to be controlled (I'm not sure I'd want it in the cloud).

Given Keeper's vulnerability record and response - I'd never use them.