The key feature of Clipperz is that no information is leaked to third parties. None. Presence or absence of any particular user name cannot be made public - this breaks the basic tenet of secrecy.
"Wault password manager is an online service that knows nothing about its users"
This is false. Wault leaks usernames, since they are unique. Anyone wanting to confirm the existence of a user name just needs to create a new account with the same username, and the attempt will fail. The existence of the account with that username is now leaked!
This is why password managers must identify a user account by the (username, password) pair. Only someone knowing both will be able to know that a given account exists. If someone only knows the username, they won't be able to confirm or deny the existence of a given user account. This is very important as it gives plausible deniability - there's no way to prove you have your passwords stored on e.g. Clipperz without knowing your password. Just knowing a likely username is not enough: anyone can use that username with their own password.
Password collisions are not a problem, since users are expected to use unique passwords. If any two users have the same password, they have massively messed up already, and their security is an illusion at that point - the uniqueness of usernames only maintains this.
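The contrast described in this issue, as an added sketch that is not code from Clipperz or Wault: one store indexed by unique username, one indexed only by an identifier derived from the (username, password) pair. All class and function names, the salt and the iteration count are assumptions made for the example.

```python
import hashlib

APP_SALT = b"example-app-salt"   # assumed public, application-wide salt
ITERATIONS = 50_000              # assumed work factor for this sketch


def account_id(username: str, password: str) -> str:
    """Derive the only identifier the server stores from (username, password)."""
    name = username.encode("utf-8")
    # Length-prefix the username so ("ab", "c") and ("a", "bc") differ.
    material = len(name).to_bytes(4, "big") + name + password.encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", material, APP_SALT, ITERATIONS).hex()


class UsernameKeyedStore:
    """Unique usernames: a failed registration confirms the account exists."""

    def __init__(self):
        self._accounts = {}

    def register(self, username: str, password: str, vault: bytes) -> bool:
        if username in self._accounts:
            return False  # visible to anyone, no password needed
        self._accounts[username] = (account_id(username, password), vault)
        return True


class PairKeyedStore:
    """Server sees only derived ids; a username alone selects no record."""

    def __init__(self):
        self._accounts = {}

    def register(self, acct_id: str, vault: bytes) -> bool:
        if acct_id in self._accounts:
            return False  # reachable only with the same username AND password
        self._accounts[acct_id] = vault
        return True

    def fetch(self, acct_id: str):
        return self._accounts.get(acct_id)


def second_registration_results():
    """Register 'alice', then retry the same username with another password."""
    leaky, private = UsernameKeyedStore(), PairKeyedStore()
    leaky.register("alice", "owner-passphrase", b"vault")
    private.register(account_id("alice", "owner-passphrase"), b"vault")
    return (leaky.register("alice", "other-passphrase", b""),
            private.register(account_id("alice", "other-passphrase"), b""))
```

In the username-keyed store the second registration is refused, which discloses the account; in the pair-keyed store it succeeds and the response carries no information about the first account.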