You are now subscribed
Your newsletter sign-up was successful
Want to add more newsletters?
Every Friday
GamesRadar+
Your weekly update on everything you could ever want to know about the games you already love, games we know you're going to love in the near future, and tales from the communities that surround them.
Every Thursday
GTA 6 O'clock
Our special GTA 6 newsletter, with breaking news, insider info, and rumor analysis from the award-winning GTA 6 O'clock experts.
Every Friday
Knowledge
From the creators of Edge: A weekly videogame industry newsletter with analysis from expert writers, guidance from professionals, and insight into what's on the horizon.
Every Thursday
The Setup
Hardware nerds unite, sign up to our free tech newsletter for a weekly digest of the hottest new tech, the latest gadgets on the test bench, and much more.
Every Wednesday
Switch 2 Spotlight
Sign up to our new Switch 2 newsletter, where we bring you the latest talking points on Nintendo's new console each week, bring you up to date on the news, and recommend what games to play.
Every Saturday
The Watchlist
Subscribe for a weekly digest of the movie and TV news that matters, direct to your inbox. From first-look trailers, interviews, reviews and explainers, we've got you covered.
Once a month
SFX
Get sneak previews, exclusive competitions and details of special events each month!
Despite banging on about data privacy, my password practices are perhaps not actually that secure. No, I'm not leaving them lying around on post-it notes like my office is just the latest level of an immersive sim, but a recent study suggests that cloud-based password managers ain't it either.
A number of these services tout their 'Zero Knowledge Encryption,' insisting that no one besides you, not even the service itself, can sneak a peek at the contents of your password vault—in theory, anyway. According to a fresh study by a team of security researchers out of ETH Zurich and Universita della Svizzera Italiana, zero knowledge encryption is far from airtight in practice (via Ars Technica).
By closely analysing or reverse-engineering a number of different vendors—including LastPass, Bitwarden, and Dashlane—the team of researchers found "a cornucopia of practical attacks." The paper notes, "Worryingly, the majority of the [team's devised security] attacks allow recovery of passwords—the very thing that the password managers are meant to protect."
For instance, when an admin of a shared password vault either invites a new member or attempts to reset a member's forgotten access code, a number of 'keys' are generated. These keys are sent to the software client of the member in question. The client bundles all of these keys together and encrypts them locally before sending them back to the password manager's server.
The researchers found the resulting ciphertext is not always integrity-checked, meaning a bad actor could swoop in, swap one of the keys sent to the client out for one of their own paired keys, and then use that to decode the resulting ciphertext. This could allow someone to extract a shared vault's key, which could then be used to perform an account recovery on a targeted member of the shared vault. Key pair manipulation can also be used to decrypt and directly modify shared items within a password vault.
To return to the case of inviting a new member, the most unnerving wrinkle to the key escrow attack is that a bad actor could run rampant through a member's vault as soon as the initial invitation to join was accepted.
The team delve into a number of other potential attacks throughout the paper, targeting both multiple password managers' backwards compatible support of older versions, and even a threat model where the server is "fully malicious, meaning that it can deviate arbitrarily from its expected behaviour."
The team found, "Despite [encrypted password vault] vendors’ attempts to achieve security in this setting, we [uncovered] several common design anti-patterns and cryptographic misconceptions that resulted in vulnerabilities."
Long story short, either an employee working for your password manager of choice, or a malicious actor that has managed to infiltrate its servers, could potentially get more than an eyeful of your passwords. That said, I still doubt Motorola's proposed 'password pill' was ever the future, to say nothing of trying to keep all of your passwords memorised in your very own fallible noggin'.
But even with the paper's findings in mind, password managers are still the best way to store piles of unique passwords—though there are ways to keep your data safe without going to too much hassle. It's a good idea to have your recovery account connected to these services using a separate password that is not included within the password manager's vault, and you should also set 2FA authentication with a separate service to deal with your codes.
1. Best gaming laptop: Razer Blade 16
2. Best gaming PC: HP Omen 35L
3. Best handheld gaming PC: Lenovo Legion Go S SteamOS ed.
4. Best mini PC: Minisforum AtomMan G7 PT
5. Best VR headset: Meta Quest 3
You must confirm your public display name before commenting
Please logout and then login again, you will then be prompted to enter your display name.
