this concludes my reading of https://eprint.iacr.org/2026/058

what a paper. warmly recommended to read.

#crypto #passwordmanagers #bitwarden #lastpass #dashlane

14/n

Zero Knowledge (About) Encryption: A Comparative Security Analysis of Three Cloud-based Password Managers

Zero Knowledge Encryption is a term widely used by vendors of cloud-based password managers. Although it has no strict technical meaning, the term conveys the idea that the server, who stores encrypted password vaults on behalf of users, is unable to learn anything about the contents of those vaults. The security claims made by vendors imply that this should hold even if the server is fully malicious. This threat model is justified in practice by the high sensitivity of vault data, which makes password manager servers an attractive target for breaches (as evidenced by a history of attacks). We examine the extent to which security against a fully malicious server holds true for three leading vendors who make the Zero Knowledge Encryption claim: Bitwarden, LastPass and Dashlane. Collectively, they have more than 60 million users and 23% market share. We present 12 distinct attacks against Bitwarden, 7 against LastPass and 6 against Dashlane. The attacks range in severity, from integrity violations of targeted user vaults to the complete compromise of all the vaults associated with an organisation. The majority of the attacks allow recovery of passwords. We have disclosed our findings to the vendors and remediation is underway. Our attacks showcase the importance of considering the malicious server threat model for cloud-based password managers. Despite vendors’ attempts to achieve security in this setting, we uncover several common design anti-patterns and cryptographic misconceptions that resulted in vulnerabilities. We discuss possible mitigations and also reflect more broadly on what can be learned from our analysis by developers of end-to-end encrypted systems.

IACR Cryptology ePrint Archive

A study by ETH Zürich researchers casts a rather disturbing shadow over the robustness of these tools. They put the three best-known services under the magnifying glass, namely #bitwarden #lastpass and #dashlane, and found that none of them is as immune to vulnerabilities and attacks as it would have you believe. The Applied Cryptography Group showed that, in the presence of certain flaws in the servers, a malicious actor could steal the data or even alter it.

@sicurezza

https://www.punto-informatico.it/password-manager-meno-sicuri/

Password managers less secure than you think, including LastPass

A study reveals serious vulnerabilities in the most widely used password managers, such as Bitwarden and LastPass: they may not be as secure as they seem.

Punto Informatico

Password managers don’t protect secrets if pwned. You probably can't trust your password manager if it's compromised.

#bitwarden #cryptography #dashlane #encryption #lastpass #password

https://www.theregister.com/2026/02/16/password_managers/

You probably can't trust your password manager if it's compromised

Researchers demo weaknesses affecting some of the most popular options

The Register

#zeroknowledge #vulnérabilité

Your password manager (#motsdepasse) may be more vulnerable than you think.
Swiss researchers have just shown that a compromised server could manipulate the synchronisation of #Bitwarden, #Dashlane and #LastPass.
https://www.clubic.com/actualite-600880-votre-gestionnaire-de-mots-de-passe-est-peut-etre-plus-vulnerable-que-vous-ne-le-pensez.html

Zero Knowledge: a study points out the shortcomings of Bitwarden, LastPass and Dashlane
https://next.ink/224992/zero-knowledge-une-etude-pointe-les-carences-de-bitwarden-lastpass-et-dashlane/

Your password manager may be more vulnerable than you think

Zero-knowledge, really? Swiss researchers have just shown that a compromised server could manipulate the synchronisation of Bitwarden, Dashlane and LastPass, even to the point of altering entries. Theoretical, but critical enough to push the vendors to take action.

clubic.com

Heads up! ETH Zurich study shows multiple cloud-based password managers, including #Bitwarden, #Dashlane, and #LastPass, are susceptible to password recovery attacks under certain conditions. https://ethz.ch/en/news-and-events/eth-news/news/2026/02/password-managers-less-secure-than-promised.html

Password managers less secure than promised

Researchers from ETH Zurich have discovered serious security vulnerabilities in three popular, cloud-based password managers. During testing, they were able to view and even make changes to stored passwords. 

ETH Zurich

[en] Serious security vulnerabilities in cloud-based password managers : #Bitwarden, #Lastpass, #Dashlane

The research team of Prof. Paterson found cryptographic technologies from the 90s. "We were surprised by the severity of the security vulnerabilities".

In most cases, the researchers were able to gain access to the passwords – and even make changes to them.

https://ethz.ch/en/news-and-events/eth-news/news/2026/02/password-managers-less-secure-than-promised.html

Aside from this research paper, recommended password managers often include #KeePassXC and/or #KeePassDX for Android or #KeePassium for iOS. Also, it's usually a good idea to store only accounts and passwords that are really necessary on the go, especially on mobile devices.

#password #passwordmanager #cloudbased #security #ictsecurity #securityvulnerability #ethz

[de] Cloud-based password managers with serious security vulnerabilities: #Bitwarden, #Lastpass, #Dashlane

A damning finding: "cryptographic technologies from the 90s". The team around Prof. Paterson apparently found it quite easy to "gain access to the passwords – and even manipulate them".

https://ethz.ch/de/news-und-veranstaltungen/eth-news/news/2026/02/passwortmanager-bieten-weniger-schutz-als-versprochen.html

Outside this report, #KeePassXC and/or #KeePassDX for Android or #KeePassium for iOS are often recommended, along with the additional advice to store, especially on mobile devices, only those accounts/passwords that really need to be available on the go.

#passwort #passwortmanager #cloudbasiert #sicherheit #ictsicherheit #sicherheitsluecken #ethz

Password managers offer less protection than promised

Researchers at ETH Zürich have discovered serious security vulnerabilities in three popular cloud-based password managers. In tests, they were able to view and even alter stored passwords.

ETH Zürich

@_DigitalWriter_ @chfkch @wrzlbrmpft When we talk about #E2E encryption, it is not just about a database.

E2E starts at the client and ends at the client. So it covers everything(!) in between: transmission, processing, storage, ...

In that respect, a realistic attack scenario, especially when it comes to passwords. What is even more sensitive than that?

We also know the various legislation under which operators of (US) services are forced to act against the interests of their customers:
https://www.kuketz-blog.de/jenseits-der-grenzen-ueberblick-ueber-das-us-geheimdienstrecht/

And that is where the world's best state hackers get active. With every conceivable technical means.

So: anyone who actually sends #Passwörter to a #Cloud (IMO an unnecessarily dumb idea given the alternatives, but OK) should be entitled to assume a working E2E encryption.

Anything else is kidding yourself. 🤷

On cloud: https://karl-voit.at/cloud/

#Lastpass #1Pass #Bitwarden #Dashlane #Passwort #Passwortmanager

Beyond the borders: an overview of US intelligence law

US authorities have, in part, excessive access to data and information, which can even override the fundamental rights of European citizens. A brief overview…

Sounds reassuring at first: #KeePass is not on the list (probably because it wasn't tested). #Bitwarden, #Lastpass, #Dashlane

RE: https://bsky.app/profile/did:plc:y56e3uwbw6wh6oqyaecsboen/post/3mf2fclgprq2c