this post was submitted on 17 Feb 2026
254 points (89.9% liked)

Technology

81451 readers
4531 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related news or articles.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots


founded 2 years ago
MODERATORS
 
  • Millions of people use password managers. They make accessing online services and bank accounts easy and simplify credit card payments.
  • Many providers promise absolute security – the data is said to be so encrypted that even the providers themselves cannot access it.
  • However, researchers from ETH Zurich have shown that it is possible for hackers to view and even change passwords.
top 50 comments
sorted by: hot top controversial new old
[–] scarabic@lemmy.world 8 points 10 hours ago

Many providers promise absolute security

This struck me as wrong, because that would be a technically impossible and liability-inviting thing to promise.

And after checking the homepages of the 3 services they tested, yep, none of them promise “absolute security.”

[–] HubertManne@piefed.social 2 points 9 hours ago

I use local for important stuff (financial) and online ones for things that are not to important.

[–] OnfireNFS@lemmy.world 8 points 13 hours ago (1 children)

Would having a synced Keepass database with a composite key protect against this?

When I made my database I created a composite key file that never goes online. I locally copy it to any device that needs to access the database. The idea was even if the password got compromised you can't access the database without the key file

[–] nroth@lemmy.world 3 points 9 hours ago (1 children)

What if you have a house fire and lose all devices with the key

[–] echodot@feddit.uk 2 points 5 hours ago

What if there's a nuclear war end the house gets vaporized?

To protect against this scenario I have this small portable computer that I keep in my pocket. They're quite popular these days.

[–] kepix@lemmy.world 11 points 15 hours ago

i really wasnt expecting a password manager related tech fearmongering on lemmy today

[–] SparroHawc@lemmy.zip 10 points 16 hours ago (1 children)

Don't store your stuff in the cloud unless you don't mind someone else accessing it.

If you store things in the cloud that you don't want other people to access, you better be encrypting it yourself and only opening it locally.

This has been a cardinal rule since day 1.

[–] echodot@feddit.uk 1 points 5 hours ago

I don't want people to access my files but I wouldn't really care if they did. I don't understand people who keep things like compromising photos of themselves online, who's benefit is that for, and why do you need quick access to your nudies?

[–] Appoxo@lemmy.dbzer0.com 9 points 18 hours ago* (last edited 14 hours ago) (1 children)

“We want our work to help bring about change in this industry,” says Paterson. “The providers of password managers should not make false promises to their customers about security but instead communicate more clearly and precisely what security guarantees their solutions actually offer.”  

Great.
Now which password vault was the most cooperative and clear in their security communication and which one wasnt?
The author said that they have given the providers time to fix the issues. Now highlight the ones that did it the best.... >_>

[–] olympicyes@lemmy.world 5 points 17 hours ago* (last edited 17 hours ago) (2 children)

They did gove some advice. They said to go with a vendor that is transparent about problems and reveals the results of their third party security audits. I’m sure if you read between the lines it means they likely reviewed several vendors and chose to spend their time attacking ones that are opaque about their security stance and used outdated encryption or bad implementations of E2E encryption. So all three are likely suspect. Like if 1Password were developed similarly to LastPass wouldn’t they have spent time attacking it?

Edit: https://support.1password.com/security-assessments/

1Password are posting the results of their external pen testing now.

[–] jjlinux@lemmy.zip 3 points 14 hours ago

About 1password publishing their pentesting results. Why put it behind a 'give me your email address' wall?

That alone is enough for me to instantly disregard them as an option.

[–] Appoxo@lemmy.dbzer0.com 2 points 17 hours ago

Bitwarden did so too.

But IMO your assumption is a bit of interpreting bad/malicious faith into it.
I see it more like they are the more publicly known brands/services that do this and underwent the audit.
I have read the TLDR by the authors (linked a few times in the comments) and the answer by bitwarden.
Bitwarden said the, fixed the issue, are in the progress of doing it or are accepting it as "this is intended/a trade-off".
What is a bit sad is that they had more vulnerabilities than other vendors. But I trust them more as they are mostly OSS.

[–] myfunnyaccountname@lemmy.zip 11 points 22 hours ago (2 children)

With pretty much every major company being hacked at some point, credit card companies being hacked, everyone selling our details and data, doge and palantir. Feels like post it notes under the keyboard isn’t that bad of an idea.

[–] SocialMediaRefugee@lemmy.world 6 points 16 hours ago (1 children)

If someone breaks into my house to read them I have big problems already.

[–] myfunnyaccountname@lemmy.zip 3 points 14 hours ago (1 children)

You have no idea how many times I’ve made that exact statement.

[–] whelk@retrolemmy.com 1 points 7 hours ago

Let's start a club

[–] 1995ToyotaCorolla@lemmy.world 2 points 16 hours ago

Post its have their problems but at least they can’t be read half a globe away

[–] Etterra@discuss.online 4 points 19 hours ago (1 children)

That's why mine is a physical book.

[–] bitflip@lemmy.dbzer0.com 6 points 14 hours ago (1 children)

Really depends on your threat model whether this is a good idea. If cops raiding your home is part of it, a physical book might not be your best bet.

[–] echodot@feddit.uk 1 points 5 hours ago

If you're at the point where that's a possibility that you need to defend against then you probably already have better security than using a password manager.

[–] eatsnutellawivaspoon@feddit.uk 6 points 23 hours ago (3 children)

I use one of the password managers mentioned in the article, purely for the convenience of apps on all my devices, syncing and complex individual passwords. Should I be looking to move to self hosting something instead? Would my host (likely a synology Nas or raspberry pi) not then have the same risks?

[–] cevn@lemmy.world 4 points 17 hours ago (1 children)

I self host via vault warden. And I have it locked behind tailscale vpn. Aside from your server itself getting hacked, which is a risk, this is more secure than having passwords on the public internet.

[–] eatsnutellawivaspoon@feddit.uk 2 points 16 hours ago (1 children)

I host a pi hole via diet pi already, vault warden is packaged for diet pi already, project for the weekend!

[–] cevn@lemmy.world 2 points 16 hours ago (1 children)

Love the raspis, just make sure the passwords are not stored on the sd card because those fail all the time hah.

[–] eatsnutellawivaspoon@feddit.uk 1 points 16 hours ago

Good shout! Easy to mount a folder from my Nas on it though

[–] cmhe@lemmy.world 3 points 17 hours ago* (last edited 17 hours ago)

Security through layers. The flaws found here are about compromised server, so hosting your own server is a good first step. Next step is making the server only accessible via your own VPN. And of course hardening the server.

[–] iglou@programming.dev 4 points 22 hours ago (1 children)

I believe Proton Pass does not have the design flaws shown in the article. For instance, if you lose your password, you lose your data. Your data is encrypted and decrypted on your device.

[–] cmhe@lemmy.world 3 points 17 hours ago* (last edited 17 hours ago)

This is what all the listed password manager claim.

What was done here was tricking the client through the server to do things. So the fixes went into the client application.

[–] HertzDentalBar@lemmy.blahaj.zone 1 points 16 hours ago

I'm slowly moving over to my own manager, I'm still struggling to get it to all work properly on all my devices though.

[–] hal_5700X@sh.itjust.works 34 points 1 day ago (2 children)

Use a offline password manager. Problem solved.

[–] Evotech@lemmy.world 14 points 23 hours ago (4 children)

Solves the security issue. Destroys the accessibility part

[–] GentlePulpy@lemmy.dbzer0.com 2 points 12 hours ago

Just use Syncthing with your trusted host

[–] Eezyville@sh.itjust.works 3 points 16 hours ago

I just sync it using my Nextcloud instance. No issues.

[–] sztosz@lemmy.dbzer0.com 3 points 19 hours ago

I use an offline password manager, and sync an encrypted database with nextcloud. It's convenient enough, and secure enough for me. Easy to sync between my phone, desktop, and laptop. And I only need to remember two passwords, the nextcloud one, and the manager one. I don't think you can have it more secure and convenient all the same, at least not with current tech.

[–] Zetta@mander.xyz 1 points 15 hours ago

Bitwarden with a vaultwarden docker container on my home server. Access over a VPS.

[–] RemADeus@thelemmy.club 7 points 23 hours ago

Many will argue that they need the convenience of an online password manager not knowing that what you stated is the safest form

[–] Sir_Kevin@lemmy.dbzer0.com 30 points 1 day ago (1 children)

I pitty the fool that stores anything important on ~~the cloud~~ somebody elses computer.

load more comments (1 replies)
load more comments
view more: next ›