this post was submitted on 17 Feb 2026
243 points (89.6% liked)

Technology

81451 readers
4558 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related news or articles.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 2 years ago
MODERATORS
L3s@lemmy.world
enu@lemmy.world
technopagan@lemmy.world
L4s@lemmy.world
L3s@hackingne.ws
243
Password managers are less secure than promised (ethz.ch)
submitted 1 day ago by Beep@lemmus.org to c/technology@lemmy.world
112 comments fedilink hide all child comments
 
  • Millions of people use password managers. They make accessing online services and bank accounts easy and simplify credit card payments.
  • Many providers promise absolute security – the data is said to be so encrypted that even the providers themselves cannot access it.
  • However, researchers from ETH Zurich have shown that it is possible for hackers to view and even change passwords.
you are viewing a single comment's thread
view the rest of the comments
[–] irate944@piefed.social 23 points 1 day ago* (last edited 1 day ago) (9 children)

Copy pasting a comment that I saw on Reddit

——

Link to the original study (with a less sensationalized title):

https://zkae.io/

A few important notes:

  • the study is about Bitwarden, LastPass, Dashlane and 1Password. Proton Pass isn't mentioned.

  • the study presumes that they're working with a malicious server (read this as compromised server, controlled by an attacker). The attacks they talk about in the article would not work on a normal server. Here's their quote:

No need to panic: all of our attacks presume a malicious server. We have no reason to believe that the password manager vendors are currently malicious or compromised, and as long as things stay that way, your passwords are safe. That said, password managers are high-value targets, and breaches do happen.

  • Here's another quote, about other password managers:

You can ask your provider the following questions:

  1. ⁠Do you offer end-to-end encryption? What security do you provide in case your server infrastructure were to be compromised?
  1. How do you check that public keys and public-key ciphertexts are authentic?
  1. How do you authenticate security-critical settings, such as the KDF type and the iteration count?
  1. Do you provide integrity guarantees for a user's vault as a whole? Can a malicious server add items to your vault?

You can also ask your favourite password manager to commission an audit checking for our attacks in their products.

  • If you still feel unsure/unsafe, then adopt an offline password manager (I highly recommend keepassXC).
[–] CardboardVictim@piefed.social 10 points 1 day ago (6 children)

I too recommend KeepassXC, works even on android with KeepassDX. I use syncthing to sync between devices (work, personal and android)

[–] artyom@piefed.social 1 points 1 day ago (1 children)

Is your data in KeePass encrypted?

[–] remedia@piefed.social 10 points 1 day ago

Yes, it's encrypted. Wouldn't be much of a point if it was just plaintext.

load more comments (4 replies)
load more comments (6 replies)