259
Password managers are less secure than promised (ethz.ch)
submitted 3 months ago by Beep@lemmus.org to c/technology@lemmy.world
117 comments fedilink hide all child comments
  • Millions of people use password managers. They make accessing online services and bank accounts easy and simplify credit card payments.
  • Many providers promise absolute security – the data is said to be so encrypted that even the providers themselves cannot access it.
  • However, researchers from ETH Zurich have shown that it is possible for hackers to view and even change passwords.
you are viewing a single comment's thread
view the rest of the comments
[-] CardboardVictim@piefed.social 44 points 3 months ago

For people interested there were 3 cloud based password managers tested and this is what they found

The researchers demonstrated 12 attacks on Bitwarden, 7 on LastPass and 6 on Dashlane.

[-] sexy_peach@feddit.org 9 points 3 months ago

Is there a reason why these attacks were on cloud based pw managers?

[-] _edge@discuss.tchncs.de 23 points 3 months ago

The method, they use, requires a client-server architecture. Hence, they cannot attack a local keepass file even if you sync it to some cloud.

[-] CardboardVictim@piefed.social 16 points 3 months ago

From what I scanned, there was no reason given on why they only attacked cloud based providers.

My guess is that these are paid ones and thus have a 'market share', easier to attack etc.

If you attack a 'keepass' password the attack vector is more crypto / memory based as far as my limited knowledge goes and not some funky inbetween attack.

Also, if you attack a cloud base provides, you will most likely have multiple victims per breach / exploit, whilst offline are targeted and thus not so interesting in most cases unless we're talking about a person of interest

[-] londos@lemmy.world 4 points 3 months ago

That's where most of the passwords are

[-] Appoxo@lemmy.dbzer0.com 3 points 3 months ago* (last edited 3 months ago)

What I am wondering myself: Do the different amount of attacks mean the attack surface was greater or had more vulnerabilities or what made them only do 6 on Dashlane vs 12 on Bitwarden?

Edit:
In another article it was total identified vulnerabilities.

[-] stephen01king@piefed.zip 3 points 3 months ago

Unfortunately they don't explain what the attacks were in the article. Gonna need to find the paper to know.

[-] artyom@piefed.social 2 points 3 months ago

Yes but unfortunately nothing specific about the strength of any particular option.

this post was submitted on 17 Feb 2026
259 points (89.8% liked)

Technology

85080 readers
4109 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related news or articles.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 3 years ago
MODERATORS
L3s@lemmy.world
enu@lemmy.world
technopagan@lemmy.world
L4s@lemmy.world
L3s@hackingne.ws