this post was submitted on 17 Feb 2026
193 points (89.4% liked)

Technology

81451 readers
4543 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related news or articles.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 2 years ago
MODERATORS
L3s@lemmy.world
enu@lemmy.world
technopagan@lemmy.world
L4s@lemmy.world
L3s@hackingne.ws
193
Password managers are less secure than promised (ethz.ch)
submitted 1 day ago by Beep@lemmus.org to c/technology@lemmy.world
104 comments fedilink hide all child comments
 
  • Millions of people use password managers. They make accessing online services and bank accounts easy and simplify credit card payments.
  • Many providers promise absolute security – the data is said to be so encrypted that even the providers themselves cannot access it.
  • However, researchers from ETH Zurich have shown that it is possible for hackers to view and even change passwords.
you are viewing a single comment's thread
view the rest of the comments
[–] felbane@lemmy.world 87 points 1 day ago (5 children)

tl;dr:

  1. If the password manager server is hacked and compromised, then syncing your passwords with the compromised server will lead to compromised passwords (duh)
  2. None of the providers tested have (or have had in the past) compromised servers.

and an observation or two:

  • Vaultwarden is free, self-hostable, and doesn't rely on trust in a third party.
  • Keepass (and its client variants, like KeepassXC which is pretty great) is even more secure because there is no server, just an encrypted file you can store anywhere.
[–] HereIAm@lemmy.world 1 points 2 hours ago

How would I know if my own server isn't compromised? Any of the online password managers have a hell of better chance spotting intrusion than I do.

[–] iglou@programming.dev 3 points 9 hours ago (1 children)

If the password manager server is hacked and compromised, then syncing your passwords with the compromised server will lead to compromised passwords (duh)

No, not "duh". The right way to do this is client-side encryption/decryption. The server then does not at any moment know anything about your passwords.

[–] felbane@lemmy.world 1 points 57 minutes ago (1 children)

This is what Bitwarden claims to do, and yet we have a paper showing that with a compromised server there exists a vulnerability.

[–] iglou@programming.dev 1 points 33 minutes ago

What they claim to do and what they do is not necessarily the same. If done properly, the server does not need to be trusted.

[–] patatahooligan@lemmy.world 3 points 11 hours ago (1 children)

If the password manager server is hacked and compromised, then syncing your passwords with the compromised server will lead to compromised passwords (duh)

What do you mean "duh"? The password managers claim that the exact opposite is true.

Most service providers therefore promote their products with the promise of “zero-knowledge encryption”. This means they assure users that their stored passwords are encrypted and even the providers themselves have “zero knowledge” of them and no access to what has been stored. “The promise is that even if someone is able to access the server, this does not pose a security risk to customers because the data is encrypted and therefore unreadable. We have now shown that this is not the case”, explains Matilda Backendal.

This would be true for a properly implemented end-to-end encryption scheme.

[–] felbane@lemmy.world 1 points 56 minutes ago* (last edited 52 minutes ago)

"Properly implemented" is doing the heavy lifting in that sentence.

Four paragraphs down from your quote is this:

Their attacks ranged from integrity violations affecting specific, targeted user vaults to the complete compromise of all vaults within an organisation using the service. In most cases, the researchers were able to gain access to the passwords – and even make changes to them. 

If E2EE were properly implemented, the above would be impossible.

[–] orclev@lemmy.world 42 points 1 day ago* (last edited 1 day ago) (2 children)

Keepass (and its client variants, like KeepassXC which is pretty great) is even more secure because there is no server, just an encrypted file you can store anywhere.

And simultaneously less secure because it's up to you to handle keeping your vault synced between various devices and most people are significantly worse at keeping systems secure than the professionals at the password managers.

Self hosting a server of some kind or using something like Keepass on a single device (with offline backups) is the most secure option, but as usual with security doing so trades significant convenience for security. For most people who are uninterested in making sure their servers are kept up to date week to week letting professionals handle it is the better option.

[–] shortwavesurfer@lemmy.zip 4 points 23 hours ago (1 children)

I store my keypass database on several flash drives in different physical locations and update them several times per year to make sure that even if I do lose the copy I have, the versions on the flash drives, not at my physical location, are decently up to date, and so if I do lose any of the password data, it will be only for a couple of months worth if that.

If I add things that are extremely important, such as a new mortgage provider, or some sort of financial data into my keypass database, then I do an unscheduled immediate update to all of my flash drives in different physical locations to make sure that they all have that, but if it's just a social media account, and I was to lose access to it, and not have the password for it, then... I wouldn't be too upset about it.

In the absolute worst possible case, I stand to lose 3 months worth of data. It's not often that I have to tweak stuff in my password manager, so that would be very few changes.

[–] Appoxo@lemmy.dbzer0.com 3 points 5 hours ago (1 children)

Great.
I am now your spouse and you want to give me access to the flash drive. What now?

New requirement: I have several passwords I want to give you access to as well. What now?

As with everything: Your solution may work for yourself and a few others. The majority don't want to collect 5 flash drives in different locations every 3 months to update a file (and making sure it's the correct vault they have copied)

[–] shortwavesurfer@lemmy.zip 1 points 4 hours ago (1 children)

PThe master copy stays on my device. If I need to give somebody access to a specific password, I just give them that password locally and they put it in their password manager for that account.

Same thing occurs if they need to give me a password. They give me the password. I put it in my password manager and then I'm the one who updates the flash drives on the rotating basis like I mentioned above.

[–] Appoxo@lemmy.dbzer0.com 1 points 2 hours ago

Great.
Now your data is (potentially) exactly where you are trying to keep it out of.

So you made it more cumbersome to yourself by keeping your data as local as possible, yet still chosing to give up the tiny sliver of additional security for the comfort of others.

I don't want to be annoying. But I hope you see what I am trying to convey.

[–] felbane@lemmy.world 8 points 1 day ago (1 children)

Sure, but at the end of the day even if you don't update your vaultwarden server or you rely on an insecure storage sync system like dropbox, your actual vault is encrypted with a key that only you know. Even if your server is hacked or the kdbx is leaked, your passwords are safe until someone breaks AES.

Contrast that with hosted services, who could very easily attach their own keys to your encryption key (whether now or in the future at the behest of the state) and you'd be none the wiser. E2EE doesn't matter much when the other end is controlled by someone else.

I'm not disagreeing that most people just want something to work without thinking about, and for that reason I'm glad that services like bitwarden and lastpass and protonpass exist. My intent was not FUD, just shining a light on the fact that keeping your passwords secure does not require trusting a company.

[–] WhyJiffie@sh.itjust.works 1 points 1 day ago

Sure, but at the end of the day even if you don't update your vaultwarden server or you rely on an insecure storage sync system like dropbox, your actual vault is encrypted with a key that only you know. Even if your server is hacked or the kdbx is leaked, your passwords are safe until someone breaks AES.

not really the case: https://lemmy.ml/comment/24008121

Contrast that with hosted services, who could very easily attach their own keys to your encryption key

how would official Bitwarden be able to accomplish that? apart from this vulnerability, they can't use their servers to add their own keys.

[–] ChairmanMeow@programming.dev 3 points 23 hours ago

These attacks can happen through server impersonation as well. The actual cloud servers need not be compromised, just the user's browser has to be. This attack can then leak passwords and allow malicious parties to even gain access on the actual cloud servers apparently.