Oops, Bitwarden, Lastpass and Dashlane are not that secure: https://eprint.iacr.org/2026/058.pdf
12 attacks on #Bitwarden, 7 on #Lastpass and 6 on #Dashlane.
Some of them can cause full vault compromise. Each of them has a working PoC.
Very interesting post on @peertube
https://peertube.heise.de/w/j2SFMRdHi3yBupW9JjP9XH
"AI passwords are insecure - and that is not a bug"
(with a detour into password managers as well)
#bitwarden #lastpass #dashlane #keepassxc

this concludes my reading of https://eprint.iacr.org/2026/058
what a paper. warmly recommended to read.
#crypto #passwordmanagers #bitwarden #lastpass #dashlane
14/n

Zero Knowledge Encryption is a term widely used by vendors of cloud-based password managers. Although it has no strict technical meaning, the term conveys the idea that the server, who stores encrypted password vaults on behalf of users, is unable to learn anything about the contents of those vaults. The security claims made by vendors imply that this should hold even if the server is fully malicious. This threat model is justified in practice by the high sensitivity of vault data, which makes password manager servers an attractive target for breaches (as evidenced by a history of attacks). We examine the extent to which security against a fully malicious server holds true for three leading vendors who make the Zero Knowledge Encryption claim: Bitwarden, LastPass and Dashlane. Collectively, they have more than 60 million users and 23% market share. We present 12 distinct attacks against Bitwarden, 7 against LastPass and 6 against Dashlane. The attacks range in severity, from integrity violations of targeted user vaults to the complete compromise of all the vaults associated with an organisation. The majority of the attacks allow recovery of passwords. We have disclosed our findings to the vendors and remediation is underway. Our attacks showcase the importance of considering the malicious server threat model for cloud-based password managers. Despite vendors’ attempts to achieve security in this setting, we uncover several common design anti-patterns and cryptographic misconceptions that resulted in vulnerabilities. We discuss possible mitigations and also reflect more broadly on what can be learned from our analysis by developers of end-to-end encrypted systems.
Password managers don’t protect secrets if pwned. You probably can't trust your password manager if it's compromised.
#bitwarden #cryptography #dashlane #encryption #lastpass #password
Your password manager (#motsdepasse) may be more vulnerable than you think.
Swiss researchers have just demonstrated that a compromised server could manipulate the synchronisation of #Bitwarden, #Dashlane and #LastPass.
https://www.clubic.com/actualite-600880-votre-gestionnaire-de-mots-de-passe-est-peut-etre-plus-vulnerable-que-vous-ne-le-pensez.html
Zero Knowledge: a study points out the shortcomings of Bitwarden, LastPass and Dashlane
https://next.ink/224992/zero-knowledge-une-etude-pointe-les-carences-de-bitwarden-lastpass-et-dashlane/

Zero-knowledge, really? Swiss researchers have just demonstrated that a compromised server could manipulate the synchronisation of Bitwarden, Dashlane and LastPass, even to the point of altering entries. Theoretical, but critical enough to push the vendors to take action.
This paper is worth a read:
Security of cloud-based password managers:
Paper:
- https://eprint.iacr.org/2026/058
German news article:
- https://ethz.ch/de/news-und-veranstaltungen/eth-news/news/2026/02/passwortmanager-bieten-weniger-schutz-als-versprochen.html
#ethz #bitwarden #lastpass #dashlane #passwords #zeroknowledge #security

[en] Serious security vulnerabilities in cloud-based password managers: #Bitwarden, #Lastpass, #Dashlane
The research team of Prof. Paterson found cryptographic technologies from the 90s. "We were surprised by the severity of the security vulnerabilities".
In most cases, the researchers were able to gain access to the passwords – and even make changes to them.
Aside from this research paper, recommended password managers often include #KeePassXC and/or #KeePassDX for Android or #KeePassium for iOS. Also, it's usually a good idea to store only accounts and passwords that are really necessary on the go, especially on mobile devices.
#password #passwordmanager #cloudbased #security #ictsecurity #securityvulnerability #ethz
[de] Cloud-based password managers with serious security vulnerabilities: #Bitwarden, #Lastpass, #Dashlane
Damning finding: "cryptographic technologies from the 90s". The team around Prof. Paterson was apparently quite easily able to "gain access to the passwords – and even manipulate them".
Outside this report, #KeePassXC and/or #KeePassDX for Android or #KeePassium for iOS are often recommended, with the additional advice to store on mobile devices only those accounts/passwords that really need to be available on the go.
#passwort #passwortmanager #cloudbasiert #sicherheit #ictsicherheit #sicherheitsluecken #ethz