Zero Knowledge (About) Encryption: A Comparative Security Analysis of Three Cloud-based Password Managers

Zero Knowledge Encryption is a term widely used by vendors of cloud-based password managers. Although it has no strict technical meaning, the term conveys the idea that the server, who stores encrypted password vaults on behalf of users, is unable to learn anything about the contents of those vaults. The security claims made by vendors imply that this should hold even if the server is fully malicious. This threat model is justified in practice by the high sensitivity of vault data, which makes password manager servers an attractive target for breaches (as evidenced by a history of attacks). We examine the extent to which security against a fully malicious server holds true for three leading vendors who make the Zero Knowledge Encryption claim: Bitwarden, LastPass and Dashlane. Collectively, they have more than 60 million users and 23% market share. We present 12 distinct attacks against Bitwarden, 7 against LastPass and 6 against Dashlane. The attacks range in severity, from integrity violations of targeted user vaults to the complete compromise of all the vaults associated with an organisation. The majority of the attacks allow recovery of passwords. We have disclosed our findings to the vendors and remediation is underway. Our attacks showcase the importance of considering the malicious server threat model for cloud-based password managers. Despite vendors’ attempts to achieve security in this setting, we uncover several common design anti-patterns and cryptographic misconceptions that resulted in vulnerabilities. We discuss possible mitigations and also reflect more broadly on what can be learned from our analysis by developers of end-to-end encrypted systems.

IACR Cryptology ePrint Archive

[en] Serious security vulnerabilities in cloud-based password managers: #Bitwarden, #Lastpass, #Dashlane

The research team of Prof. Paterson found cryptographic technologies from the 90s. "We were surprised by the severity of the security vulnerabilities".

In most cases, the researchers were able to gain access to the passwords – and even make changes to them.

https://ethz.ch/en/news-and-events/eth-news/news/2026/02/password-managers-less-secure-than-promised.html

Aside from this research paper, recommended password managers often include #KeePassXC and/or #KeePassDX for Android or #KeePassium for iOS. Also, it's usually a good idea to store only accounts and passwords that are really necessary on the go, especially on mobile devices.

#password #passwordmanager #cloudbased #security #ictsecurity #securityvulnerability #ethz

Password managers less secure than promised

Researchers from ETH Zurich have discovered serious security vulnerabilities in three popular, cloud-based password managers. During testing, they were able to view and even make changes to stored passwords. 

ETH Zurich

[de] Cloud-based password managers with serious security vulnerabilities: #Bitwarden, #Lastpass, #Dashlane

Damning finding: "cryptographic technologies from the 90s". The team around Prof. Paterson was apparently able, quite easily, to "gain access to the passwords – and even manipulate them".

https://ethz.ch/de/news-und-veranstaltungen/eth-news/news/2026/02/passwortmanager-bieten-weniger-schutz-als-versprochen.html

Aside from this report, #KeePassXC and/or #KeePassDX for Android or #KeePassium for iOS are often recommended, with the additional advice, especially on mobile devices, to store only those accounts/passwords that really need to be available on the go.

#passwort #passwortmanager #cloudbasiert #sicherheit #ictsicherheit #sicherheitsluecken #ethz

Password managers offer less protection than promised

Researchers at ETH Zurich have discovered serious security vulnerabilities in three popular, cloud-based password managers. In tests, they were able to view and even modify stored passwords.

ETH Zürich
Intern for the Rara and Maps Group (m/f/d)

A short tour through the south-east wing of the #ETH main building: the #murals "Chemische Fabrik vormals Sandoz #Basel" and "Maschinenfabrik #Oerlikon Halle für Grossmaschinen", and the tourist magnet, the #Einstein locker

#ethz #zürich #ethzürich #painting #rhein

Lukas Ziegler (@lukas_m_ziegler)

News that researchers at ETH Zürich have succeeded in autonomously building a 65 m long, 6 m high dry-stone wall using an autonomous excavator system called "Heap". The system first performed a precise scan and then placed the stones accurately, demonstrating the feasibility of autonomous construction robotics.

https://x.com/lukas_m_ziegler/status/2008896613977071632

#robotics #autonomy #construction #ethz

Lukas Ziegler (@lukas_m_ziegler) on X

Autonomous excavator building a wall! 🪨 This will blow your mind! 🤯 Researchers from ETH Zürich have used an autonomous excavator to build a 65-meter-long, six-meter-high dry-stone wall. The autonomous system, called "Heap," precisely firstly scanned and then placed stones,

X (formerly Twitter)

Reto Knutti - itinerant preacher of science - on climate change: what we currently have is an implementation problem, not a technology problem, in responding to climate change.

#nano #sciencedate #ethz #blatten

https://www.3sat.de/wissen/science-dates/251202-science-date-ingolf-baur-im-gespraech-mit-reto-knutti-nano-108.html#autoplay=true

Blatten as a wake-up call: Reto Knutti on the dangers of climate change | NANO Science Date

What was safe in the past may no longer be safe tomorrow, says Reto Knutti. The mountain village of Blatten is the sad proof. Ingolf Baur met the climate researcher.

3sat

@jamesb @0x47df I once visited the Cray at ETH Zürich here in Switzerland.

#ethz #switzerland