this post was submitted on 17 Feb 2026
183 points (88.9% liked)

Technology

81374 readers
4945 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related news or articles.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 2 years ago
MODERATORS
L3s@lemmy.world
enu@lemmy.world
technopagan@lemmy.world
L4s@lemmy.world
L3s@hackingne.ws
183
Password managers are less secure than promised (ethz.ch)
submitted 1 day ago by Beep@lemmus.org to c/technology@lemmy.world
100 comments fedilink hide all child comments
 
  • Millions of people use password managers. They make accessing online services and bank accounts easy and simplify credit card payments.
  • Many providers promise absolute security – the data is said to be so encrypted that even the providers themselves cannot access it.
  • However, researchers from ETH Zurich have shown that it is possible for hackers to view and even change passwords.
you are viewing a single comment's thread
view the rest of the comments
[–] Kushan@lemmy.world 120 points 1 day ago (6 children)

From the paper itself:

We had a video-conference and numerous email exchanges with Bitwarden. At the time of writing, they are well advanced in deploying mitigations for our attacks: BW01, BW03, BW11, BW12 were addressed, the minimum KDF iteration count for BW07 is now 5000, and their roadmap includes completely removing CBC-only encryption, enforcing per-item keys and changing the vault format for integrity. On 22.12.25 they shared with us a draft for a signed organisation membership scheme, which would resolve BW08 and BW09. At our request, to maintain anonymity, they have not yet credited us publicly for the disclosure, but plan to do so.

I didn't look at the response to other Password managers, but the gist here is that the article is overblowing the paper by quite a bit and the majority of the "issues" discovered are either already fixed, or active design decisions.

[–] WhyJiffie@sh.itjust.works 7 points 1 day ago* (last edited 1 day ago) (1 children)

but the gist here is that the article is overblowing the paper by quite a bit and the majority of the "issues" discovered are either already fixed, or active design decisions.

"fixed". only for new and updated passwords

https://lemmy.ml/comment/24008121

[–] Appoxo@lemmy.dbzer0.com 1 points 3 hours ago

Or you can change the encryption to argon2 in the settings with salted hashes.
Granted it's probably not per item but at least something.

load more comments (4 replies)