π€―
this post was submitted on 16 Feb 2026
245 points (91.2% liked)
Technology
81376 readers
5759 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related news or articles.
- Be excellent to each other!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
- Check for duplicates before posting, duplicates may be removed
- Accounts 7 days and younger will have their posts automatically removed.
Approved Bots
founded 2 years ago
MODERATORS
And this is why I always thought a password manager is a bad idea.
Centralizing your passwords means there is one really juicy target, that if compromised, ruins everything.
It's clearly a risk, but if you have dozens of accounts and passwords it's hard to come up with a feasible alternative.
my solution is to make variants of my usual password that are so different I end up having to reset my passwords constantly. Lately, I've taken to writing my passwords on a piece of paper in my house, which means I can choose more unique ones
If the entire supply chain up to the software you're running to perform actual decryption is compromised, then the decrypted data is vulnerable. I mean, yeah? That's why we use open-source clients and check builds/use builds from separate source, so that the compromission of one actor does not compromise the whole chain. Server (if any) is managed by one entity and only manage access control + encrypted data, client from separate trusted source manage decryption, and the general safety of your whole system remain your responsibility.
Security requires a modicum of awareness and implication from the users, always. The only news here is that people apparently never consider supply chain attacks up until now?
Use keepass... don't use your phone for important stuff. I never get calls or texts. I have no friends.
I'll be honest, password managers are like the holy grail of desirable to breech. If you're using one it will be constantly under attack. It being breeched or vulnerable shouldn't be a surprise. There isn't really a secure way to store large amounts of passwords that doesn't have some vulnerability issues.
breech
breach, right?
That's why I liked password store, no servers, just my encrypted password files on my own computer, that I sync over to my other devices.
Apparently it's dying soon through, so I need an alternative.
I was enjoying 1Password until they went completely subscription, so I switched to Strongbox (based on Keepass) and it's been pretty good. DB stored locally and I use my own tools to sync that vault to my other devices.
i use keepassxc for the offline database part, and syncthing to sync it (among other things) between all my devices
JFC this headline. BREAKING NEWS: Healthy people die off an old age.
Password managers are supposed to be designed to resist a situation where they're compromised, and are only ever supposed to see a mysterious blob of encrypted data without ever having access to any information that would help decrypt it. The headline's more like M1 Abrams Tanks Vulnerable to Small Arms Fire - it'd be totally expected that most things die when shot with bullets, but the point of a tank is that it doesn't, so it's a big deal if it does.
Things you should know: Your car won't drive after it's broken down.
I just write down password hints on a scrap of paper.
If you don't have to use your passwords from multiple locations, your hints are intelligible only to you, and you don't leave the paper anywhere too obvious, this isn't a bad solution.
Additional vendor responses by Bitwarden to put the remediations and threat models into perspective:
What a headline
No shit?
These password managers claim your passwords are secure, even if their servers get compromised, which is what is expected from a security standpoint. But that is apparently not the case.
You probably can't trust anything if it's compromised
Are you trying to say the front fell off?
That's not very typical
It wasnβt designed for the front to fall off, thatβs for sure!
Well, what sort of standards are these tools built to?
For the front to stay on!
Well the specific point here is that these companies claim that a server hack won't reveal your passwords since they're encrypted and decrypted on your local device so the server only sees the encrypted version. Apparently this isn't completely true.
At the point someone pulls off a valid MIM attack - which is basically a requirement here unless the whole BW/Vaultwarden server gets compromised- that is the least of someones problems. MIMs are incredibily hard these days.
Well if you decrypt the blob on the server they can see it.
There's something nice about the phrase "decrypt the blob."
Yeah, the title there really doesn't reflect the article text. It should be "you probably can't trust your password manager if the remote servers it uses are compromised".
load more comments
(1 replies)
load more comments
(6 replies)
Probably?
Since the summary doesn't say which three popular password managers:
As one of the most popular alternatives to Apple and Google's own password managers, which together dominate the market, the researchers found Bitwarden was most susceptible to attacks, with 12 working against the open-source product. Seven distinct attacks worked against LastPass, and six succeeded in Dashlane.
And glosses over what it claims are the two that dominate market (combined market share of 55%) which negates their headline, since it's likely the reader is using one of those two password managers.
load more comments
(4 replies)
Bitwarden says all issues have already been addressed.
https://bitwarden.com/blog/security-through-transparency-eth-zurich-audits-bitwarden-cryptography/
load more comments
(4 replies)
Bitwarden. Shit.
These attacks are more around the encryption and all require a fully malicious server. It sounds like Bitwarden is taking these seriously and personally I'd still strongly prefer it to any closed source solution where there could be many more unknown but undiscovered security concerns.
Using a local solution is always most secure, but imo you should first ask yourself if you trust your own security practices and whether you have sufficient hardware redundancy to be actually better. I managed to lose the private key to some Bitcoin about a decade ago due to trying to be clever with encryption and local redundant copies.
Further, with the prevalence of 2FA even if their server was somehow fully compromised as long as you use a different authenticator app than Bitwarden you're not at major risk anyways. With how poorly the average person manages their password security this hurdle alone is likely enough to stop all but attacks targeted specifically at you as an individual.
Just adding: Passkeys do migitate a lot of these issues as well.
Yeah I use MFA on anything that matters.
It means my authenticator is just riddled with items but it is what it is.
load more comments
(4 replies)
load more comments
(6 replies)
view more: next βΊ