this post was submitted on 17 Feb 2026
253 points (89.7% liked)

Technology

81451 readers
4451 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related news or articles.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 2 years ago
MODERATORS
L3s@lemmy.world
enu@lemmy.world
technopagan@lemmy.world
L4s@lemmy.world
L3s@hackingne.ws
253
Password managers are less secure than promised (ethz.ch)
submitted 2 days ago by Beep@lemmus.org to c/technology@lemmy.world
116 comments fedilink hide all child comments
 
  • Millions of people use password managers. They make accessing online services and bank accounts easy and simplify credit card payments.
  • Many providers promise absolute security โ€“ the data is said to be so encrypted that even the providers themselves cannot access it.
  • However, researchers from ETH Zurich have shown that it is possible for hackers to view and even change passwords.
you are viewing a single comment's thread
view the rest of the comments
[โ€“] unexposedhazard@discuss.tchncs.de 1 points 21 hours ago* (last edited 21 hours ago)

Yes of course you CAN make it safe in theory, but unless you run the web interface locally or on your own server, you cant be certain that the javascript delivered to you from the hoster hasnt been modified. Its like having autoupdates on but you have zero control over when or how the updates take place, because every time you open the page it could be different code from the last time.

So as long as you trust the encryption algorithm (which in elements case you definetly can, because it is OSS)

How do you know that the code on elements github repo is actually the same code that you get delivered from your homeserver that is hosting the web client? Your homeserver can just modify the web clients code however it wants and deliver a backdoored or faulty version to you. Which means you dont just have to trust the open source code, but also the admin who is managing the homeserver and also the hosting provider.

Is this really so hard to understand? Literally the entire client is delivered on demand from a remote server, obviously that is insecure if you dont control that server.