Comment on Password managers are less secure than promised

Kushan@lemmy.world 6 hours ago

From the paper itself:

We had a video-conference and numerous email exchanges with Bitwarden. At the time of writing, they are well advanced in deploying mitigations for our attacks: BW01, BW03, BW11, BW12 were addressed, the minimum KDF iteration count for BW07 is now 5000, and their roadmap includes completely removing CBC-only encryption, enforcing per-item keys and changing the vault format for integrity. On 22.12.25 they shared with us a draft for a signed organisation membership scheme, which would resolve BW08 and BW09. At our request, to maintain anonymity, they have not yet credited us publicly for the disclosure, but plan to do so.

I didn’t look at the response to other password managers, but the gist here is that the article is overblowing the paper by quite a bit and the majority of the “issues” discovered are either already fixed, or active design decisions.
