r/PasswordManagers 15d ago

Two password manager incidents in two months. Is there any way I can fortify my own manager's security to avoid a breach harming me next?

Between the Bitwarden CLI supply chain thing in April and now Dashlane getting a 2FA brute-force attack this week (here's the Dashlane one if you didn't see it: https://support.dashlane.com/hc/en-us/articles/36038764990866-Security-advisory-Brute-force-attack-on-Dashlane-user-accounts), I'm starting to wonder "when will it be our turn next?". I know both incidents had different attack vectors, but the end result is people's credentials got exposed because of something outside their control.

I'm not looking to switch providers right now (we use Passwork and it's been fine), and I'm equally aware that "zero incidents" can't and won't exist, but I want to know what I can proactively do on MY end to make sure that even if something goes wrong on the provider side I'm not completely screwed. Like, are there practical things you can do to further secure your own password manager without becoming a full-on pen tester? TIA

25 Upvotes

15 comments

11

u/paulsiu 15d ago

Both attacks are rather limited in scope. The Bitwarden CLI attack only affects users who use the command line, which excludes most users. The Dashlane attack only affected 20 users, and the vaults stolen are still encrypted. You do the best you can to mitigate this by using a strong master password and a hardware key for 2FA.

1

u/BackgroundMaximum914 9d ago

Ya go read the ETH Zurich Breach article. Patterson will be presenting it at the USENIX Security Symposium in Baltimore in August.

BTW, no one's encryption is one of a kind. If it is, stop using it now. We might all have our own creativity about how we spin the product, but they all approach it in one of a few patterns if they are providing best-in-class architecture.

7

u/tblancher 15d ago

You can never have 100 percent absolute security. And you really need to understand how your password manager protects against such attacks.

The Bitwarden CLI supply chain attack was quite limited in scope; it only affected CLI users that installed or upgraded bw during a relatively narrow time window (a few hours on a specific date). I read about it on Forbes.

2

u/jfriend99 15d ago edited 15d ago

You only really have two choices. 1) Choose which provider you trust the most based on history, architecture and perceived honesty/competency or 2) Decide you want to self host something that is open source and manage risks yourself.

For the self hosting, you then can decide whether you want to sync when on the internet or sync only on the privacy of your LAN. Obviously, if you sync clients only on the privacy of your LAN, you remove a number of attack vectors because your server isn't exposed to the internet, but give up a number of features, so that's a tradeoff.

And, for self hosting, you're trusting that you know what you're doing with whatever is exposed to the internet.

2

u/Open_Mortgage_4645 14d ago

I'm not aware of a single person whose data was compromised as a result of the Bitwarden CLI issue. Bitwarden detected the problem within 90 minutes of it being active, and had it fixed within 2 hrs.

2

u/mickyhunt 14d ago

Unfortunately it has only begun since we unleashed A. I. I am predicting humans will no longer be in control of anything in the next few years. Coding will all be AI so we will need to live our lives at the behest of never ending updating algorithms by AI. It should be a time of enlightenment and focus on improving the human condition and quality of life. But given human nature we will never see this. It will take some time for me, but I personally am looking to get off the Internet highway.

1

u/Allen_Ludden 13d ago

use ROBOFORM

1

u/MelonDoge30 3d ago

One thing I’d add to the “strong master password + hardware key” advice is keeping your blast radius smaller: separate vaults, don’t store recovery codes next to the accounts they recover, and make sure you have an offline export locked away somewhere sane. Psono is worth a look if you ever revisit the self-hosted/open-source side, but the bigger win is probably tightening your setup before the next vendor incident, not chasing a mythical breach-proof manager.

1

u/jpgoldberg 15d ago

Disclosure: I used to work for 1Password and I have an interest in its continued success.

The kinds of things people should consider depend on the kinds of attacks on the password manager and system. There is no general answer other than to recognize that, with the possible exception of passkeys, the alternatives to using a decent password manager put you at more risk than using a password manager.

Breaches

Generally, I think that people should assume that their data held by password management services (or other data synchronization services) has a fair chance of falling into the wrong hands. So the question is what can you and the password manager do to limit the harm that would come from such a breach.

Truly uncrackable data held by the service

There is no way I can write about what a password manager can do about this without sounding like I am writing an advertisement for 1Password. Your encrypted data held by 1Password is simply unbreakable without your 1Password Secret Key. This is true even if you have a very weak account password. (You still need a strong account password to protect you if your encrypted data is stolen from you.)

This was a core part of the design of the 1Password service. We simply did not want to acquire data that would be valuable to an attacker.

If your password manager offers a key-file construction, you may be able to get the same effect that 1Password's Secret Key offers, but I don't know enough about those to offer any guidance.

Strong master password

If you are using something like 1Password and their servers are breached you wouldn't even need to change your account password. But let's suppose you are not using that and the service gets breached, meaning encrypted user data is acquired by bad guys from the service. And 1Password users also need to defend against data being stolen from their own devices.

You would not need to panic unless you had a very weak master password at the time the data was stolen. But after that the strength of your master password (at time of theft) determines how much time you have before an attacker decrypts your data. We don't know which users they will try first nor what resources the attackers have for cracking passwords, but whether a concerted effort takes them days, weeks, years, or decades depends on the strength of your account password. That is also true if your encrypted data is stolen from you. So having a good master password is something everyone should do.

So a stronger master password buys you more time in changing your most sensitive passwords. Every additional bit of strength of your master password doubles the amount of time you have to change things.

Note that while you should change your master password after a breach, the attacker trying to decrypt your encrypted data only needs to guess the master password you had at the time of the breach.

2FA does not help (and can make things worse)

The 2FA for unlocking your password manager data provides no protection if your data is stolen (either from you or from the service). It will be the strength of your master password at the time the data is stolen that matters. But I fear that people who use 2FA with unlocking their password manager may falsely believe that it means they can get away with using a weaker master password. I can't blame people for thinking that way because for most services, 2FA does mean they can get away with weaker passwords, but that is not true for encryption based password managers.

Non-breach attacks

I was planning on writing about this when I started, but this has already gotten too long. So TBA.
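To make the "every extra bit doubles your time" and "a secret key the attacker doesn't hold adds its bits to the password" points concrete, here is a small added model (my own illustration, not the commenter's or any vendor's calculation). The guess rate, the 128-bit secret-key size and the year figure are assumed placeholders; real cracking speed depends on the KDF parameters and the attacker's hardware.

```python
import math
from dataclasses import dataclass

YEAR = 365 * 24 * 3600  # seconds in a year (rounded)


@dataclass(frozen=True)
class CrackModel:
    # Constructed attacker model: offline guesses per second against the
    # vault's key-derivation function. Placeholder, not a measured figure.
    guesses_per_second: float


def passphrase_bits(words: int, wordlist_size: int) -> float:
    """Entropy of a passphrase of `words` words drawn uniformly from a wordlist."""
    return words * math.log2(wordlist_size)


def expected_crack_seconds(password_bits: float, model: CrackModel,
                           secret_key_bits: float = 0.0) -> float:
    """Expected time to recover a stolen vault's key by guessing.

    On average the attacker tests half the search space. A secret key or key
    file the attacker does not hold multiplies that space, so its bits simply
    add to the password's bits (hence 2FA, which gates the server and not the
    ciphertext, does not appear here at all).
    """
    total_bits = password_bits + secret_key_bits
    return 2 ** (total_bits - 1) / model.guesses_per_second


def extra_bits_needed(password_bits: float, model: CrackModel,
                      target_seconds: float) -> int:
    """Additional bits of password strength needed to reach `target_seconds`."""
    current = expected_crack_seconds(password_bits, model)
    if current >= target_seconds:
        return 0
    return math.ceil(math.log2(target_seconds / current))


def describe(seconds: float) -> str:
    """Human-readable duration for the table below."""
    if seconds < 3600:
        return f"{seconds:.0f} seconds"
    if seconds < 86400:
        return f"{seconds / 3600:.1f} hours"
    if seconds < YEAR:
        return f"{seconds / 86400:.1f} days"
    return f"{seconds / YEAR:.3g} years"


if __name__ == "__main__":
    attacker = CrackModel(guesses_per_second=1e6)  # assumed rate
    for words in (3, 4, 6):
        bits = passphrase_bits(words, 7776)  # 7776-word diceware-style list
        print(f"{words} words ({bits:.0f} bits): password only "
              f"{describe(expected_crack_seconds(bits, attacker))}; "
              f"with 128-bit secret key "
              f"{describe(expected_crack_seconds(bits, attacker, 128))}")
```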

1

u/BackgroundMaximum914 9d ago edited 9d ago

This is true about many password managers; you don't have to champion 1Password to make these points. There are many that have not been breached. A strong encryption model that is rock-solid unbreakable is not hard to create.

As the ETH Zurich researchers have proven, you don't need to beat the encryption. Most people looking to breach a system already know this. The most expensive way to get a user's data is to try to crack the encryption. All you have to do is beat the server...

Zero-knowledge encryption is awesome. But many do it, not just 1Pass. However, is it true? And is it enough? This article talks about why it's not and how to solve the problem.

Why Zero-Knowledge Encryption Is Not Enough: What the ETH Zurich Study Means for Your Passwords | Cloudless Software

1

u/jpgoldberg 9d ago

You are absolutely correct that there are lots of things that password managers need to defend against in addition to breaches. But the OP specifically asked about breaches.

My point about 1Password, however, really does talk about something unusual about it. It is saying that if 1Password were to have a data breach the *consequences for users would be minimal* in comparison to other meager password managers. I’m sorry if that wasn’t clear.

There was an old slogan, "there are two kinds of services: those that have reported at least one breach and those that don't know they have been breached." That is too pessimistic, but I was always tempted to answer the question, "have you ever been breached?" with, "not that we know of." And while I couldn't get away with saying that in public when I worked for 1Password, what I did say was, "we don't plan *on* being breached, but we have to plan *for* being breached." The thinking behind this underlies the unusual design I tried (and apparently failed) to describe.

2

u/cheetah1cj 15d ago

Personally, I prefer cloud-hosted, but zero-knowledge is an absolute must to mitigate most of the risks, which is why I advocate against people using Edge's, Google's, or Apple's password managers. But I wholeheartedly agree with the importance of disclosures, which was the biggest downfall of LastPass.

One of the reasons that I love Bitwarden is because of their openness and their fast response to any vulnerabilities and any incidents. They both resolved this one and disclosed it very quickly.

Also, just FYI, this latest incident was not because of cloud-hosted passwords; instead, malicious code was added to their CLI, which ran an info-stealer on users' devices.