The article argues that password managers are still a smart way to handle passwords, but "zero-knowledge" cloud-based managers can be weaker than their marketing implies if the provider's server is malicious or fully compromised. Researchers tested several services and showed how features like shared vaults, group and admin key handling, and account recovery policies can be abused when settings are fetched from the server without strong authenticity or integrity checks. They also describe how an attacker controlling the server could lower key-stretching settings such as the PBKDF2 iteration count to make master passwords easier to crack, or force older, weaker encryption modes through backwards compatibility. The authors stress that these are high-end, targeted scenarios and that many of the issues have been patched, but they recommend extra caution with recovery and enterprise features, keeping clients updated, and using multi-factor authentication.
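The downgrade described above works because the client trusts whatever KDF and cipher parameters the server hands back. The mitigation is client-side policy: enforce a floor on the iteration count, pin the last value the client actually used so a later response cannot lower it, and allow only a fixed set of cipher modes. The block below is an added example of that check, not code from the article or from any of the services it tested; the product names, the 600,000-iteration floor, the parameter field names and the three server responses are all constructed for illustration.

```python
import hashlib

# Client-side policy (assumed values for this example, not figures from the article).
MIN_PBKDF2_ITERATIONS = 600_000          # floor the client will accept, regardless of server
ALLOWED_KDFS = {"pbkdf2-sha256"}
ALLOWED_CIPHERS = {"aes-256-gcm"}        # legacy modes are deliberately not listed


class KdfDowngradeError(ValueError):
    """Raised when server-supplied crypto parameters fail local policy."""


def validate_kdf_params(params, pinned_iterations=None):
    """Validate server-supplied KDF/cipher settings against local policy.

    pinned_iterations is the iteration count the client last used successfully
    (stored locally); a response below it is treated as a downgrade even if it
    still clears the global floor. Returns (iterations, cipher) on success.
    """
    try:
        kdf = str(params["kdf"]).lower()
        iterations = int(params["iterations"])
        cipher = str(params["cipher"]).lower()
    except (KeyError, TypeError, ValueError) as exc:
        raise KdfDowngradeError(f"malformed parameters: {exc}") from exc

    if kdf not in ALLOWED_KDFS:
        raise KdfDowngradeError(f"unsupported kdf {kdf!r}")
    if iterations < MIN_PBKDF2_ITERATIONS:
        raise KdfDowngradeError(
            f"iterations {iterations} below floor {MIN_PBKDF2_ITERATIONS}")
    if pinned_iterations is not None and iterations < pinned_iterations:
        raise KdfDowngradeError(
            f"iterations {iterations} below pinned {pinned_iterations}")
    if cipher not in ALLOWED_CIPHERS:
        raise KdfDowngradeError(f"cipher {cipher!r} not allowed (legacy mode?)")
    return iterations, cipher


def derive_vault_key(master_password, salt, params, pinned_iterations=None):
    """Derive the 32-byte vault key only after the parameters pass policy."""
    iterations, _cipher = validate_kdf_params(params, pinned_iterations)
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def classify_response(params, pinned_iterations=None):
    """Return 'accepted' or 'rejected: <reason>' for a server response (for logging)."""
    try:
        validate_kdf_params(params, pinned_iterations)
        return "accepted"
    except KdfDowngradeError as exc:
        return f"rejected: {exc}"


# Constructed server responses: one honest, two that a malicious server might send.
HONEST = {"kdf": "pbkdf2-sha256", "iterations": 650_000, "cipher": "aes-256-gcm"}
LOW_ITERATIONS = {"kdf": "pbkdf2-sha256", "iterations": 1_000, "cipher": "aes-256-gcm"}
LEGACY_CIPHER = {"kdf": "pbkdf2-sha256", "iterations": 650_000, "cipher": "aes-256-cbc"}


def demo():
    """Run the three constructed responses through the policy and return the outcomes."""
    pinned = 650_000  # value the client stored after its last successful login
    return {
        "honest": classify_response(HONEST, pinned),
        "low_iterations": classify_response(LOW_ITERATIONS, pinned),
        "legacy_cipher": classify_response(LEGACY_CIPHER, pinned),
        # 640,000 clears the global floor but is still a downgrade from the pinned value
        "below_pin": classify_response({**HONEST, "iterations": 640_000}, pinned),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:15s} {outcome}")
```

The pin matters as much as the floor: a floor alone lets a malicious server walk every user down to the minimum, while a per-client pin means the only direction parameters can move is up. In practice the pinned value should live in the same local store as cached vault data, and a rejection should surface to the user rather than silently falling back.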