this post was submitted on 16 Feb 2026
204 points (92.1% liked)

Technology

81286 readers
4152 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related news or articles.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 2 years ago
MODERATORS
L3s@lemmy.world
enu@lemmy.world
technopagan@lemmy.world
L4s@lemmy.world
L3s@hackingne.ws
204
You probably can't trust your password manager if it's compromised (www.theregister.com)
submitted 18 hours ago by floofloof@lemmy.ca to c/technology@lemmy.world
95 comments fedilink hide all child comments
 

cross-posted from: https://infosec.pub/post/42164102

Researchers demo weaknesses affecting some of the most popular options Academics say they found a series of flaws affecting three popular password managers, all of which claim to protect user credentials in the event that their servers are compromised.…

you are viewing a single comment's thread
view the rest of the comments
[–] floofloof@lemmy.ca 20 points 16 hours ago* (last edited 16 hours ago) (1 children)

Yes, although it sounds like they haven't finished fixing some of them:

All issues have been addressed by Bitwarden. Seven of which have been resolved or are in active remediation by the Bitwarden team. The remaining three issues have been accepted as intentional design decisions necessary for product functionality.

Edit: There's more information about the specific threats and remediation steps in the PDF report linked at the end of the Bitwarden blog post:

https://bitwarden.com/assets/Kki4W785JIPOdFj6EeWB5/1e74e924febb4c6a5ad03eed23b92d23/pwmgr_paper__1_-combined%C3%82__1_.pdf

[–] AliasAKA@lemmy.world 20 points 14 hours ago (1 children)

Looking through, it seems like for the most part these are very niche and/or require the user to be using SSO or enterprise recovery options and/or try to change and rotate keys or resync often. I think few people using this for personal would be interacting with that attack surface or accepting organizational invites, but it is serious for organizations (probably why they’re trying quickly to address this).

Honestly I think a server being incognito controlled and undetected in bitwardens fleet while also performing these attacks is, unlikely? Certainly less likely than passwords being stolen from individual site hacks or probably even banks. Like at that point, it would just be easier to do these types of manipulations directly on bank accounts or crypto wallets or email accounts than here, but then again, if you crack a wallet like this you get theoretically all the goodies to those too I suppose, for a possibly short time (assuming the user wasn’t using 2FA that wasn’t email based as well).

Not to mitigate these issues. They need to fix them, just trying to ascertain how severe and if individual users should have much cause for concern.

[–] ArrowMax@feddit.org 4 points 5 hours ago

Regarding a malicious server acting under Bitwarden's fleet: As I see it, the most vulnerable target would be an organization's self-hosted Bitwarden server.