Any thoughts on this independent security study? Apparently all the major PW managers are insecure

https://www.securityevaluators.com/casestudies/password-manager-hacking/

Anyone else want to move to a cabin surrounded by landmines on top of a mountain?

Perhaps the recent Cure security audit of Bitwarden deals with these aspects?
@kspearrin is probably the best person to comment on this.

More questions:

  • Did the Cure security audit perform the checks listed in the ISE paper?
  • Does Bitwarden provide the guarantees listed in the "Password Manager Security Guarantees" section?
1 Like

Came here to post this as well. Curious how well bw fares.

Kyle replied on Reddit: https://www.reddit.com/r/Bitwarden/comments/asgdsy/password_managers_under_the_hood_of_secrets/egu6i1r

1 Like

It is concerning for sure!

Bitwarden clears any sensitive vault data, as well as encryption keys from memory whenever the application enters a locked state. We also use other techniques, such as reloading the process after 10 seconds of inactivity on the lock screen, to make sure any managed memory addresses which have not yet been garbage collected are also purged.

5 Likes
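The "lock must actually wipe the key" point from the post above, shown in native code as an added example (not Bitwarden's code; the vault struct and the key derivation are constructed stand-ins). In a managed runtime the reload-the-process trick is needed because a plain assignment leaves old copies for the garbage collector; in C the trap is that a final memset() is a dead store the optimizer may drop, so the wipe goes through a volatile pointer.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define KEY_LEN 32

/* Minimal stand-in for an unlocked vault: the derived key plus a state flag. */
typedef struct {
    uint8_t key[KEY_LEN];
    int unlocked;
} vault_t;

/* Zero a buffer in a way the optimizer must not elide. A memset() whose
 * target is never read again may be removed as a dead store; writing
 * through a volatile pointer forces every byte to actually be stored. */
static void secure_zero(void *p, size_t n) {
    volatile uint8_t *vp = (volatile uint8_t *)p;
    while (n--) *vp++ = 0;
}

/* Constructed stand-in for key derivation (a real manager runs PBKDF2 or
 * Argon2 over the master password); it only fills the key deterministically. */
static void vault_unlock(vault_t *v, const char *master_password) {
    size_t len = strlen(master_password);
    for (size_t i = 0; i < KEY_LEN; i++)
        v->key[i] = (uint8_t)(master_password[i % len] ^ (uint8_t)i);
    v->unlocked = 1;
}

/* Lock wipes the key material instead of only flipping the flag. */
static void vault_lock(vault_t *v) {
    secure_zero(v->key, sizeof v->key);
    v->unlocked = 0;
}

/* Returns 1 when every key byte is zero, i.e. what a post-lock memory
 * inspection of the process should find. */
static int vault_key_is_zeroed(const vault_t *v) {
    uint8_t acc = 0;
    for (size_t i = 0; i < KEY_LEN; i++) acc |= v->key[i];
    return acc == 0;
}

int main(void) {
    vault_t v;
    vault_unlock(&v, "correct horse battery staple"); /* constructed sample */
    printf("unlocked: key zeroed? %d\n", vault_key_is_zeroed(&v));
    vault_lock(&v);
    printf("locked:   key zeroed? %d\n", vault_key_is_zeroed(&v));
    return 0;
}
```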

Interesting response on the original article… the second half of the last paragraph sounds to me like the Bitwarden implementation of the “lock” function. Would you agree @kspearrin?

“The easiest fix is to change the functionality of the lock button to simply terminate the process, letting the Windows kernel zero out any unreferenced pages before re-issuing them to other applications that allocate memory.”

Yes, this is what I just mentioned…

We already do this.

4 Likes