Privacy GuidesFeb 19

🚨 New research from ETH Zurich has found that popular password manager's zero-knowledge encryption claims don't fully hold up if their servers are compromised. ⚠️

🔑 LastPass, Dashlane & Bitwarden were identified as being affected, this is significant because cloud password managers commonly claim that their user's data would be unaffected if they were compromised. 👾

#privacy #security #passwordmanager

https://www.theregister.com/2026/02/16/password_managers/

You probably can't trust your password manager if it's compromised

: Researchers demo weaknesses affecting some of the most popular options

The Register
Show threadPrivacy GuidesFeb 19

✅ Dashlane & Bitwarden promptly issued fixes.

❌ LastPass did not issue a fix and stated: "our own assessment of these risks may not fully align with the severity ratings assigned by the ETH Zürich team."

💡In 2022, LastPass experienced a breach that impacted 1.6 million users due to inadequately strong technical and security measures within their infrastructure.

The best time to switch from LastPass was yesterday; the second best is today. 🗑️

Here's what we recommend ⬇️

#lastpass #security

Show threadCassandrich
@privacyguides This sounds like the kind of thing that cannot just be "fixed". As far as I can tell, *all three were lying* about their servers being dumb storage without access to your secrets. This is a problem of vendor integrity not a technical problem.
Feb 19 at 1:50pmWeb
Show threadArturFeb 19
@dalias @privacyguides Self-host, some things are better of self hosted. And a password manager is one of them. And better without any internet access, your devices can sync when they are on your local network.
Show threadCassandrichFeb 19
@h0m3 @privacyguides It doesn't even need self-hosting. It just needs the storage backend to be a pure content-agnostic storage backend for opaque encrypted data, not having some control channel interaction that puts the vendor in a privileged position and locks you in to using their cloud infrastructure.