🚨 New research from ETH Zurich has found that popular password managers' zero-knowledge encryption claims don't fully hold up if their servers are compromised. ⚠️

🔑 LastPass, Dashlane & Bitwarden were identified as being affected. This is significant because cloud password managers commonly claim that their users' data would be unaffected if they were compromised. 👾

#privacy #security #passwordmanager

https://www.theregister.com/2026/02/16/password_managers/

You probably can't trust your password manager if it's compromised: Researchers demo weaknesses affecting some of the most popular options

The Register

✅ Dashlane & Bitwarden promptly issued fixes.

❌ LastPass did not issue a fix and stated: "our own assessment of these risks may not fully align with the severity ratings assigned by the ETH Zürich team."

💡 In 2022, LastPass experienced a breach that impacted 1.6 million users due to inadequately strong technical and security measures within their infrastructure.

The best time to switch from LastPass was yesterday; the second best is today. 🗑️

Here's what we recommend ⬇️

#lastpass #security

โ˜๏ธ Secure cloud password managers

โžก๏ธ For more info visit our site: https://www.privacyguides.org/en/passwords/#cloud-based

#passwordmanager #security #privacyguides

๐Ÿ“ Secure local password managers

โžก๏ธ For more info visit our site: https://www.privacyguides.org/en/passwords/#local-storage

#passwordmanager #security #privacyguides

@privacyguides what do you recommend for self-hosting a password manager?
KeePassXC would be our recommendation for an offline password manager. You can see all our recommendations here: https://www.privacyguides.org/en/passwords/#local-storage
The Best Password Managers to Protect Your Privacy and Security - Privacy Guides

Password managers allow you to securely store and manage passwords and other credentials.

Privacy Guides
@privacyguides all encryption fails eventually, so placing credentials and other critical personally identifiable information "in the cloud" cannot be made 'secure', *even when encrypted*.
@privacyguides This sounds like the kind of thing that cannot just be "fixed". As far as I can tell, *all three were lying* about their servers being dumb storage without access to your secrets. This is a problem of vendor integrity not a technical problem.
@dalias @privacyguides Self-host, some things are better of self hosted. And a password manager is one of them. And better without any internet access, your devices can sync when they are on your local network.
@h0m3 @privacyguides It doesn't even need self-hosting. It just needs the storage backend to be a pure content-agnostic storage backend for opaque encrypted data, not having some control channel interaction that puts the vendor in a privileged position and locks you in to using their cloud infrastructure.
@privacyguides
Do you have another source for Bitwarden having fixed the issues? If I am not mistaken, I can't see where they say something explicit about Bitwarden fixing these issues in the linked article.
Security through transparency: ETH Zurich audits Bitwarden cryptography against malicious server scenarios | Bitwarden

A new in-depth security report is available, continuing the Bitwarden commitment to transparency and trusted open source security. The audit, conducted by the prestigious Applied Cryptography Group at ETH Zurich, proactively tested Bitwarden core cryptography operations against the hypothetical event of a maliciously compromised server. All issues identified in the report have been addressed by the Bitwarden team and have been included in the attached cryptography report for full transparency.

Bitwarden

@privacyguides
Lastpass is an absolutely AWFUL company.

After LogMeIn got their hands on them the prices skyrocketed from $12 to $24 to $36 to $48 a year for their premium plan.

I switched to Bitwarden, who have kept their premium plan at just $10 a year, for many years now.

With ownership of Lastpass now in the hands of not one, but two investment companies, one really has to question where Lastpass's priorities lie.