Some may have seen the recent paper from ETH Zurich, or summaries of the research with headlines such as “Your password manager’s ‘zero knowledge’ promise is broken”.
I thought a message about this might reassure users of Kee Vault since some headlines might lead people to conclude that storing encrypted password data on computers you don’t control can never be secure.
The main point of the research is this: many password managers that store your passwords on a server (whether in the cloud or on your own dedicated server) do not fully live up to their promise of protecting your passwords against that server’s own mistakes or malice.
These three facts highlight some of the ways in which Kee Vault’s promise of “zero knowledge” is fundamentally different from that of the majority of password managers that offer you secure access to your passwords from anywhere:
- We encrypt your entire Vault on your device, not just parts of it
- The “cloud” portion of the Kee Vault service is just a “dumb” file store rather than the more complex server software being tested by the researchers
- We have always used modern encryption technologies, so we are not vulnerable to attacks against legacy technology retained for backwards-compatibility reasons
We have built Kee Vault from a premise of complete security and have tried to enhance usability in as many ways as possible without sacrificing that core security. Other password management services may have taken a slightly different approach. While this can enable useful features such as multi-user sharing, faster saving of changes, or resetting your main password without data loss, it also makes the security of their server software and infrastructure a critical part of overall password security (despite their marketing claims to the contrary).
I can confirm that in Kee Vault the recommended mitigations are all either not relevant or already designed into the software from the start.
I’m pleased to see this research team shedding light on some specific flaws in the approach of many password managers, and obviously relieved that the fundamental design of Kee Vault means that I have not had to lose any sleep addressing these issues in Kee Vault this week!