by LeoPanthera 601 days ago
> add a back door?

What's your threat model here? Some kind of mass hacking attempt? It would be easier to attack the service providers, rather than steal legitimate logins.

A targeted attack on a specific person? It would be easier to, as the famous XKCD suggests, drug and/or hit them with a wrench until they voluntarily hand over whatever information you want.

It's difficult to conceive of a situation where hacking password managers is the path of least resistance.

2 comments

The idea is to sell the dump; this is the case for nearly every dataset you see reported on Have I Been Pwned. I'm not really sure how there is even any question about "oh, why would anyone do this?"

Isn't it the same threat model as the LastPass breach? Login credentials seem to be worth money, and crypto keys even more.

The comment was referring to KeePassium and Strongbox, which do not store credentials on their servers, so it's not exactly the same. While conceivably a compromised KeePass wrapper could decrypt and send the dump of each and every file it opens, I doubt it would pass unnoticed.