posted by jelizondo on Friday February 20, @03:49AM

[Source]: ETH Zurich (Eidgenössische Technische Hochschule Zürich)

Researchers from ETH Zurich have discovered serious security vulnerabilities in three popular, cloud-based password managers. During testing, they were able to view and even make changes to stored passwords.

People who regularly use online services have between 100 and 200 passwords. Very few can remember every single one. Password managers are therefore extremely helpful, allowing users to access all their passwords with just a single master password.

Most password managers are cloud based. A major advantage this offers users is the ability to access their passwords from different devices and also share them with friends and family members. Security is the most important feature of these password managers since, ultimately, users store sensitive data in these encrypted storage platforms, commonly called "vaults". This can also include login details for online banking or credit cards.

Most service providers therefore promote their products with the promise of "zero-knowledge encryption". This means they assure users that their stored passwords are encrypted and even the providers themselves have "zero knowledge" of them and no access to what has been stored. "The promise is that even if someone is able to access the server, this does not pose a security risk to customers because the data is encrypted and therefore unreadable. We have now shown that this is not the case", explains Matilda Backendal.

The team conducted a study to scrutinise the security architecture of three popular password manager providers: Bitwarden, LastPass and Dashlane. Between them, they serve around 60 million users and have a 23 per cent market share. The researchers demonstrated 12 attacks on Bitwarden, 7 on LastPass and 6 on Dashlane.

[Journal Reference]: https://eprint.iacr.org/2026/058 (Cryptology ePrint Archive)

  • (Score: 2) by ichthus on Friday February 20, @04:14AM (4 children)

    by ichthus (4621) on Friday February 20, @04:14AM (#1434293)

    keepass (xc) isn't mentioned in the paper. So... I'm guessing/hoping it's still a good choice.

    • (Score: 5, Insightful) by Snotnose on Friday February 20, @04:34AM (1 child)

      by Snotnose (1623) Subscriber Badge on Friday February 20, @04:34AM (#1434295)

      That's what I've been using for years. Why would you store your password repository in the cloud? While convenient, that seems pretty stupid to me.

      --
      Trump's Grave will be the world's most popular open air toilet.
      • (Score: 2) by ls671 on Friday February 20, @12:23PM

        by ls671 (891) Subscriber Badge on Friday February 20, @12:23PM (#1434324) Homepage

        Indeed, at least don't put it in the cloud! I host vaultwarden for a buddy of mine but I use no such thing myself. It is secured as much as possible only accepting connections from our country and running behind a modsecurity reverse proxy web firewall.

        It just seems to me like putting all your eggs in the same basket. Also, who says vaultwarden can't be "infiltrated" by some trojan library at some point? Maybe if you are competent enough to write a password manager yourself and use the bare minimum of external libraries, maybe.

        Anybody's got an opinion on vaultwarden?

        I never looked into it, I only manage the hosting environment and the modsecurity reverse proxy web firewall. My buddy is responsible for updating and managing vaultwarden and he chose and installed that software himself.

        Any opinion on vaultwarden is welcome.

        -Thanks!

        --

        Everything I write is lies, including this sentence.
    • (Score: 3, Interesting) by aafcac on Friday February 20, @05:16AM

      by aafcac (17646) on Friday February 20, @05:16AM (#1434299)

      That's what I personally use. And, I'm in the process of getting Nextcloud set up and remotely available so that I don't even need to trust the cloud to handle the encrypted files.

    • (Score: 2) by aafcac on Friday February 20, @07:08PM

      by aafcac (17646) on Friday February 20, @07:08PM (#1434366)

      This whole thing makes me think that it might not be the worst thing in the world to just create one using xdotool for autotyping and one of the various encryption programs out there to keep the thing secured.

  • (Score: 5, Informative) by jb on Friday February 20, @05:05AM (1 child)

    by jb (338) on Friday February 20, @05:05AM (#1434296)

    Oh, come on.

    Obviously if you store your passwords on somebody else's computer, they're not going to stay secret for long.

    How did anyone fall for that?

    • (Score: 4, Interesting) by aafcac on Friday February 20, @05:08AM

      by aafcac (17646) on Friday February 20, @05:08AM (#1434297)

      IIRC, lastpass is particularly egregious as they were lying for quite a while about what they could access. They were claiming they couldn't see any of it, but somehow they could manage to get the right icons for the various services.

  • (Score: 3, Touché) by pTamok on Friday February 20, @07:58AM

    by pTamok (3042) on Friday February 20, @07:58AM (#1434304)

    Colour me in three layers of shocked, surprised, and astonished.

  • (Score: 3, Informative) by KritonK on Friday February 20, @08:26AM (1 child)

    by KritonK (465) on Friday February 20, @08:26AM (#1434305)

    Looking at the paper, the study assumes that "the servers storing users’ vaults are assumed to be fully malicious, meaning that they can arbitrarily deviate from expected behaviour when interacting with clients".

    This may or may not hold for the three password managers studied in the paper, but it doesn't hurt to be paranoid. However, you can use your own server, instead of relying on other people's servers. In our case, we use Vaultwarden [github.com], an open source reimplementation of the Bitwarden Client API, which is more lightweight than the official Bitwarden server, not to mention that it is actually installable: the official Bitwarden server package wants to download half a gig of packages, and is still missing one dependency. Plus, you don't have to pay a subscription to use their server.

    Being open source, one can hope that this server is not "fully malicious".

    • (Score: 2) by VLM on Friday February 20, @01:14PM

      by VLM (445) on Friday February 20, @01:14PM (#1434332)

      one can hope that this server is not "fully malicious".

      What's "this server"? It seems like it would be very easy to MITM a scenario like that.
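The threat model KritonK quotes (a server that stores the vault but may "arbitrarily deviate from expected behaviour") and VLM's question of what "this server" actually is, illustrated with an added toy example that is not from the paper and is not any product's vault format: a client encrypts before upload, the server cannot read the bytes, but it can still rewrite them. The HMAC-in-counter-mode stream cipher, the master key, nonce and the `bank.example`/`hunter2` entry are all constructed for the illustration; the point is that without an integrity tag the modified vault decrypts to a different password with no error, while the authenticated variant rejects it.

```python
# Added toy example (not any product's vault format, not the paper's attacks):
# a client-side-encrypted vault held by a server that may rewrite the bytes.
import hashlib
import hmac
import json

def _subkey(master: bytes, label: bytes) -> bytes:
    return hmac.new(master, label, hashlib.sha256).digest()  # domain-separated subkeys

def _keystream(enc_key: bytes, nonce: bytes, n: int) -> bytes:
    # Constructed stream cipher: HMAC-SHA256 in counter mode, illustration only.
    blocks = (hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def encrypt_unauthenticated(master: bytes, nonce: bytes, data: bytes) -> bytes:
    ks = _keystream(_subkey(master, b"enc"), nonce, len(data))
    return bytes(a ^ b for a, b in zip(data, ks))
decrypt_unauthenticated = encrypt_unauthenticated  # XOR is its own inverse

def encrypt_authenticated(master: bytes, nonce: bytes, data: bytes) -> bytes:
    ct = encrypt_unauthenticated(master, nonce, data)
    return ct + hmac.new(_subkey(master, b"mac"), nonce + ct, hashlib.sha256).digest()

def decrypt_authenticated(master: bytes, nonce: bytes, blob: bytes) -> bytes:
    ct, tag = blob[:-32], blob[-32:]
    expected = hmac.new(_subkey(master, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("vault integrity check failed")  # stored bytes were changed
    return decrypt_unauthenticated(master, nonce, ct)

def malicious_server_flip(stored: bytes, index: int, mask: int) -> bytes:
    # A "fully malicious" server cannot read the vault, but it can rewrite what it stores.
    b = bytearray(stored)
    b[index] ^= mask
    return bytes(b)

def demo() -> dict:
    master = hashlib.sha256(b"constructed master password").digest()
    nonce = bytes(12)  # fixed so the run is reproducible; use a fresh random nonce per vault
    vault = json.dumps({"bank.example": "hunter2"}).encode()
    idx = vault.index(b"hunter2")  # flip one bit in the stored password's first byte
    tampered = malicious_server_flip(encrypt_unauthenticated(master, nonce, vault), idx, 0x01)
    changed = json.loads(decrypt_unauthenticated(master, nonce, tampered))["bank.example"]
    try:
        blob = malicious_server_flip(encrypt_authenticated(master, nonce, vault), idx, 0x01)
        decrypt_authenticated(master, nonce, blob)
        detected = False
    except ValueError:
        detected = True
    return {"after_silent_tamper": changed, "tamper_detected_with_mac": detected}
```

Real vault formats use a standard AEAD rather than a hand-rolled construction; the lesson carries over: confidentiality of the stored blob says nothing about what a hostile server can do to it unless the client also checks integrity.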

  • (Score: 3, Insightful) by spiraldancing on Friday February 20, @09:00AM (4 children)

    by spiraldancing (5894) on Friday February 20, @09:00AM (#1434307)

    The first headline I saw was something like ... actually, hang on, let me find it ... "Password managers’ promise that they can’t see your vaults isn’t always true" (https://arstechnica.com/security/2026/02/password-managers-promise-that-they-cant-see-your-vaults-isnt-always-true/ [arstechnica.com]). I didn't bother to read the article. I was just bewildered by that pronoun "they". Who TF is "they"? My password manager is sitting right here, and no one but me has access to my 'vault'.

    Quit outsourcing your security, people.

    --
    Let's go exploring.
    • (Score: 3, Interesting) by VLM on Friday February 20, @01:09PM (3 children)

      by VLM (445) on Friday February 20, @01:09PM (#1434331)

      no one but me has access to my 'vault'.

      You've audited every line of code on your machine and you know there's no unknown zero days on any of the code on your machine or any data that flows in or out? I doubt there's a machine out there safe enough to run a password manager on it. Maybe an 8-bit home computer from the 80s that's been well audited over the decades...

      Remember having a password manager installed is like holding up a giant sign with "the good stuff is right over here" written on it. It would probably be good, or better, security practice to install many or all of them and just not use them or have them store fake data to be exfiltrated.

      • (Score: 1) by Undefined on Friday February 20, @05:04PM (2 children)

        by Undefined (50365) on Friday February 20, @05:04PM (#1434351)

        Sorry, mouse or my finger glitched. Didn't mean to mod you troll, sigh. Can't change it, either.

        --
        I use a dedicated preprocessor to elaborate abbreviations.
        Hover to reveal elaborations.
        • (Score: 3, Interesting) by janrinok on Friday February 20, @05:18PM (1 child)

          by janrinok (52) Subscriber Badge on Friday February 20, @05:18PM (#1434357) Journal

          I have corrected it for you.

          --
          [nostyle RIP 06 May 2025]
          • (Score: 1) by Undefined on Saturday February 21, @01:01AM

            by Undefined (50365) on Saturday February 21, @01:01AM (#1434386)

            Thank you, good sir. :)

            --
            I use a dedicated preprocessor to elaborate abbreviations.
            Hover to reveal elaborations.
  • (Score: 3, Insightful) by VLM on Friday February 20, @12:56PM (1 child)

    by VLM (445) on Friday February 20, @12:56PM (#1434328)

    Next up will be the expose for passkeys. Trust me bro we're totally going to keep your ssh keys secure. Passkeys are basically passwordless SSH for https where the key handling is automated and obviously extremely untrustworthy.

    I'm shocked password managers are "allowed" as they seem to demonstrate multiple security holes. Software coding and architecture based upon "trust me bro", putting all the eggs in one basket, smaller unknown companies trying to improve larger systems, a single point of failure, ownership and control and legal domain of the "trust me bro" people is unclear and probably extremely bad for the end user.

    I think you'd be safer storing passwords plaintext in google docs than in a password manager as there's more person-hours of effort put into making my grocery store shopping list secure at google than are put into a typical password manager.

    • (Score: 2) by JoeMerchant on Friday February 20, @03:18PM

      by JoeMerchant (3937) on Friday February 20, @03:18PM (#1434343)

      >I think you'd be safer storing passwords plaintext in google docs

      With a little obfuscation this is probably true...

      If you have two docs, one with the website addresses with formatting like a "my links" file, and then another one with the passwords in plaintext - the gotcha is: most websites still use the, now disavowed by NIST as very bad human factors, password complexity requirements of min length, upper, lowercase digits and special characters - that's going to be hard to disguise as something like a grocery list.

      If you were able to use XKCD style correct horse battery staple passwords, those could be pretty easily disguised as something like "crossword ideas" or whatever, but automated searches for "password-like" text strings will work too well on the required complexity requirements, especially when they are combined with something extra boneheaded like a max of 15 characters (as some banking sites STILL are...)

      --
      🌻🌻🌻🌻 [google.com]
  • (Score: 2) by VLM on Friday February 20, @01:03PM (2 children)

    by VLM (445) on Friday February 20, @01:03PM (#1434329)

    this does not pose a security risk to customers because the data is encrypted and therefore unreadable.

    Use browser exploit #1347627 to run some code or otherwise run code on the victim(s) machine. If the machine has C:\shittyPasswordManager.exe on the drive, copy the "encrypted" file and keylogger ask them their password or poke around in memory for their locally stored password or just copy the key off their hard drive. Or just install a trojan'd password manager that uploads all your passwords to China or Israel or whatever the next time it's run, that's probably the simplest solution.

    Imagine if your entire security system relies on something analogous to "gpg --passphrase `cat secretlocalpassword.txt` passwords.gpg" and marketing analogous to "trust me bro no one would ever think to steal both secretlocalpassword.txt AND passwords.gpg at the same time I'm sure you're totally safe. LOL.

    • (Score: 3, Insightful) by VLM on Friday February 20, @01:05PM (1 child)

      by VLM (445) on Friday February 20, @01:05PM (#1434330)

      Oh even better Mr "Trust Me Bro" at the password manager company is in charge of key generation. Guess what your key is rotated occasionally, and your key is now 1234 just like a luggage lock.

      Or the key only uses the first 32 bits, first 40 bits, etc as has happened numerous times before.

      • (Score: 1) by DECbot on Friday February 20, @06:28PM

        by DECbot (832) on Friday February 20, @06:28PM (#1434361) Journal

        32 bits? Come on, 8 bits so we can have backwards compatibility with the 8088/8086. We need this to run the password cracking manager software in an emulator on a graphing calculator.

        --
        cats~$ sudo chown -R us /home/base
  • (Score: 2) by Deep Blue on Friday February 20, @10:46PM

    by Deep Blue (24802) on Friday February 20, @10:46PM (#1434382)

    Shocked, I tell you!

  • (Score: 4, Interesting) by stormwyrm on Saturday February 21, @12:18PM

    by stormwyrm (717) on Saturday February 21, @12:18PM (#1434414) Journal

    I have a self-hosted Vaultwarden that I built on one of my home servers that is accessible only on my home network (or via VPN tunnel). Vaultwarden is a Free reimplementation of the Bitwarden server and it's compatible with the Bitwarden client software, though getting it to accept my self-signed certificate was a lot harder than it had to be. I am not fool enough to use a cloud-based password manager otherwise. I suppose even if Vaultwarden also has similar vulnerabilities they would be a bit more complicated to exploit in my case.

    --
    Numquam ponenda est pluralitas sine necessitate.
  • (Score: 2) by owl on Saturday February 21, @04:46PM

    by owl (15206) on Saturday February 21, @04:46PM (#1434435)

    Title should have been:

    Cloud-based Password Managers Less Secure Than Promised

    Note that the first quoted paragraph begins as:

    serious security vulnerabilities in three popular, cloud-based password managers