New Security Analysis of Online Password Managers

  • DNS Benchmark v2 is Finished and Available!
    Guest:
    That's right. It took an entire year, but the result far more accurate and feature laden than we originally planned. The world now has a universal, multi-protocol, super-accurate, DNS resolver performance-measuring tool. This major second version is not free. But the deal is, purchase it once for $9.95 and you own it — and it's entire future — without ever being asked to pay anything more. For an overview list of features and more, please see The DNS Benchmark page at GRC. If you decide to make it your own, thanks in advance. It's a piece of work I'm proud to offer for sale. And if you should have any questions, many of the people who have been using and testing it throughout the past year often hang out here.
    /Steve.
  • Be sure to checkout “Tips & Tricks”
    Dear Guest Visitor → Once you register and log-in please checkout the “Tips & Tricks” page for some very handy tips!

    /Steve.

  • BootAble – FreeDOS boot testing freeware

    To obtain direct, low-level access to a system's mass storage drives, SpinRite runs under a GRC-customized version of FreeDOS which has been modified to add compatibility with all file systems. In order to run SpinRite it must first be possible to boot FreeDOS.

    GRC's “BootAble” freeware allows anyone to easily create BIOS-bootable media in order to workout and confirm the details of getting a machine to boot FreeDOS through a BIOS. Once the means of doing that has been determined, the media created by SpinRite can be booted and run in the same way.

    The participants here, who have taken the time to share their knowledge and experience, their successes and some frustrations with booting their computers into FreeDOS, have created a valuable knowledgebase which will benefit everyone who follows.

    You may click on the image to the right to obtain your own copy of BootAble. Then use the knowledge and experience documented here to boot your computer(s) into FreeDOS. And please do not hesitate to ask questions – nowhere else can better answers be found.

    (You may permanently close this reminder with the 'X' in the upper right.)

I

idubrawsky

New member
Feb 20, 2026
4
1
This is my first post to the forums and I'm interested in getting others thoughts on this recently released work by ETH Zurich on the security of online password managers:

https://ethz.ch/en/news-and-events/...less-secure-than-promised.html#comment-system

I've seen a couple of additional articles about this in Arstechnica as well as HackerNews:

https://thehackernews.com/2026/02/study-uncovers-25-password-recovery.html

https://arstechnica.com/security/20...ts-isnt-always-true/?comments-page=1#comments

The paper itself is available here: https://eprint.iacr.org/2026/058

It's interesting - I haven't read the full paper yet (that's this weekend's task), but I have started to look through BitWarden's response. Bottom line - the case they use is where a malicious attacker has control of the backend server. To me, this is one of those sort of cases of "if an attacker has control of your server, it's no longer *your* server" - but with a bit of a twist. The responses I've been seeing in my LinkedIn news feeds from other security industry players centers mostly on "that's why I don't use online password managers" and Arstechnica's comments usually just say something along the lines of "I use KeePass only and Syncthing to sync it up if I need it elsewhere."

Obviously it all comes down to two things: your use cases and the level of risk you're willing to accept. I personally use BitWarden but combine it with MFA on every possible website that provides it. It's all about layered security. But I find it so odd that a lot of security industry folks I know seem to look down at these things and deride them on an instinctual basis rather than what should be a more rational approach.

Am I missing something?
 
  • Like
Reactions: jona
idubrawsky said:
combine it with MFA on every possible website that provides it
Click to expand...
I'm presuming you don't store the MFA also in BitWarden then? (Cause that wouldn't otherwise get you much.)

One thing you should consider: If the password manager offers any "Web" component, it's highly likely that they have access to your data in a decrypted fashion, or they couldn't offer the web feature. If you want true trust no one, then the only device that can see the plaintext is your device.
 
I read the Ars Technica article, but I'm no expert and some of it was over my head. That said, my impression from the article is they were making a mountain out of a molehill. Is there a potential vulnerability? Okay, yeah, the researchers seem to have found something. But how likely is it that may affect you?

From my reading it seems like a number of things must happen for you to be compromised. In one scenario, a hacker must gain control of Bitwarden's back end server and your vault must be in the process of adding a new user to a shared "collection". How likely is it that both of those will occur at the same time? In another scenario, your vault is vulnerable during the brief period of a vault recovery operation following a lost password. How often does that happen, and at the same time that a hacker might have control of BW's server? And what if you don't use password recovery? (I don't. I exported a local copy of my vault and will just start completely over if I ever lose my master password. I'm not arguing that's more secure, but it's simple to understand.)

I'm likely misunderstanding some of the details, but it still feels to me like a very small window of vulnerability.

And no plan is foolproof, anyway. If you eschew online managers, you could still be compromised if you have your KeePass vault open and a burglar breaks in and conks you over the head and exports your vault.

Don't think that's likely to happen? Yeah, probably not. But why, then, shouldn't we afford these newly discovered issues the same kind of risk/benefit evaluation?

I previously tried to get others in my family to use KeePass, but after five years of trying I was still the only one using it. I switched to Bitwarden, and now have five people in my family using it. And after all, the best password manager is the one that will actually get used. Vulnerable or not, I'll take Bitwarden over nothing at all, which is what my family used to use.

Still, the new report is good to know about and I applaud the researchers, but I trust the companies will soon come up with mitigations. Meanwhile, my hair's not on fire.
 
  • Like
Reactions: tadpole256, Darcon and sttngs1
The biggest risk to anyone is probably becoming a target of a law enforcement probe where the password vault provider is secretly compelled to aid the law enforcement agency by putting something targeted into their code. If that happened, in all likelihood you would be fully compromised.
 
  • Like
Reactions: tadpole256
PHolder said:
I'm presuming you don't store the MFA also in BitWarden then? (Cause that wouldn't otherwise get you much.)

One thing you should consider: If the password manager offers any "Web" component, it's highly likely that they have access to your data in a decrypted fashion, or they couldn't offer the web feature. If you want true trust no one, then the only device that can see the plaintext is your device.
Click to expand...
I definitely do not store the MFA in BitWarden as well. I’ve always been a believer in keeping that separate.
 
dg1261 said:
I read the Ars Technica article, but I'm no expert and some of it was over my head. That said, my impression from the article is they were making a mountain out of a molehill. Is there a potential vulnerability? Okay, yeah, the researchers seem to have found something. But how likely is it that may affect you?

From my reading it seems like a number of things must happen for you to be compromised. In one scenario, a hacker must gain control of Bitwarden's back end server and your vault must be in the process of adding a new user to a shared "collection". How likely is it that both of those will occur at the same time? In another scenario, your vault is vulnerable during the brief period of a vault recovery operation following a lost password. How often does that happen, and at the same time that a hacker might have control of BW's server? And what if you don't use password recovery? (I don't. I exported a local copy of my vault and will just start completely over if I ever lose my master password. I'm not arguing that's more secure, but it's simple to understand.)

I'm likely misunderstanding some of the details, but it still feels to me like a very small window of vulnerability.

And no plan is foolproof, anyway. If you eschew online managers, you could still be compromised if you have your KeePass vault open and a burglar breaks in and conks you over the head and exports your vault.

Don't think that's likely to happen? Yeah, probably not. But why, then, shouldn't we afford these newly discovered issues the same kind of risk/benefit evaluation?

I previously tried to get others in my family to use KeePass, but after five years of trying I was still the only one using it. I switched to Bitwarden, and now have five people in my family using it. And after all, the best password manager is the one that will actually get used. Vulnerable or not, I'll take Bitwarden over nothing at all, which is what my family used to use.

Still, the new report is good to know about and I applaud the researchers, but I trust the companies will soon come up with mitigations. Meanwhile, my hair's not on fire.
Click to expand...
I’m still in the middle of reading the ETH paper that is the backbone of the Arstechnica and HackerNews articles. Like you, I found the Arstechnica and HackerNews articles to be a bit overstated (and now reading the ETH paper, I think that is confirming my initial impression). I will post my synopsis of the paper here later next week.

Like you, I couldn’t get anyone in my family to use KeePass in the past. I now pay for a family subscription to BitWarden and I’ve gotten two of my kids to use it and I’m working on the third. My wife adamantly refuses to use it - she prefers pen and paper (that’s a whole ‘nother story though).
 
PHolder said:
The biggest risk to anyone is probably becoming a target of a law enforcement probe where the password vault provider is secretly compelled to aid the law enforcement agency by putting something targeted into their code. If that happened, in all likelihood you would be fully compromised.
Click to expand...
True - that is one possible scenario I hadn’t actually considered. But it definitely could be one. And interestingly, it may not have to be a law enforcement organization based here in the US (although I’m not sure how BitWarden has architected their service - I would suspect that they have the service in an AWS (or Azure or some other type of cloud) environment in the EU to ensure they’re complaint with GDPR and not putting EU citizen’s information in a US based environment.
 
You must log in or register to reply here.

Similar threads

H
Security Now - #1019 - re Password stuffing - Microsoft
Replies
1
Views
910
Security Now Podcast
miquelfire
miquelfire
L
Microsoft's new-ish Authentication for login (ready for spamming?)
Replies
4
Views
533
Security Now Podcast
lmcarmona
L
P
Are TPM chips really a security threat?
Replies
11
Views
2K
Security Now Podcast
GreenWine
GreenWine
D
Picture of the week
Replies
0
Views
431
Security Now Podcast
dusanmal
D
mainmeister
yt-dlp to download all security now podcasts
Replies
3
Views
2K
Security Now Podcast
tadpole256
T
Top Bottom
Back