New Security Analysis of Online Password Managers

  • DNS Benchmark v2 Release 5 with Consultant License
    Guest:
    If you own any earlier release of our DNS Benchmark you may immediately download its release #5 replacement. Running an earlier release will detect the new release and help you upgrade.

    Although this release is cosmetic, appearance matters and affects ease of use. The biggest change, as seen in the image above, is that the DNS Benchmark now has a traditional Windows application menu to more fully expose its many features. This release is also "Consultant License Aware" and GRC will now issue a Consultant version when owners have previously purchased four "Personal Use" licenses. If you have previously purchased four DNSB licenses, or if you wish to upgrade your "Personal Use" license to Consultant, GRC's purchase process will direct you through that process.
    /Steve.
  • Be sure to checkout “Tips & Tricks”
    Dear Guest Visitor → Once you register and log-in please checkout the “Tips & Tricks” page for some very handy tips!

    /Steve.

  • BootAble – FreeDOS boot testing freeware

    To obtain direct, low-level access to a system's mass storage drives, SpinRite runs under a GRC-customized version of FreeDOS which has been modified to add compatibility with all file systems. In order to run SpinRite it must first be possible to boot FreeDOS.

    GRC's “BootAble” freeware allows anyone to easily create BIOS-bootable media in order to workout and confirm the details of getting a machine to boot FreeDOS through a BIOS. Once the means of doing that has been determined, the media created by SpinRite can be booted and run in the same way.

    The participants here, who have taken the time to share their knowledge and experience, their successes and some frustrations with booting their computers into FreeDOS, have created a valuable knowledgebase which will benefit everyone who follows.

    You may click on the image to the right to obtain your own copy of BootAble. Then use the knowledge and experience documented here to boot your computer(s) into FreeDOS. And please do not hesitate to ask questions – nowhere else can better answers be found.

    (You may permanently close this reminder with the 'X' in the upper right.)

I

idubrawsky

New member
Feb 20, 2026
4
1
This is my first post to the forums and I'm interested in getting others thoughts on this recently released work by ETH Zurich on the security of online password managers:

https://ethz.ch/en/news-and-events/...less-secure-than-promised.html#comment-system

I've seen a couple of additional articles about this in Arstechnica as well as HackerNews:

https://thehackernews.com/2026/02/study-uncovers-25-password-recovery.html

https://arstechnica.com/security/20...ts-isnt-always-true/?comments-page=1#comments

The paper itself is available here: https://eprint.iacr.org/2026/058

It's interesting - I haven't read the full paper yet (that's this weekend's task), but I have started to look through BitWarden's response. Bottom line - the case they use is where a malicious attacker has control of the backend server. To me, this is one of those sort of cases of "if an attacker has control of your server, it's no longer *your* server" - but with a bit of a twist. The responses I've been seeing in my LinkedIn news feeds from other security industry players centers mostly on "that's why I don't use online password managers" and Arstechnica's comments usually just say something along the lines of "I use KeePass only and Syncthing to sync it up if I need it elsewhere."

Obviously it all comes down to two things: your use cases and the level of risk you're willing to accept. I personally use BitWarden but combine it with MFA on every possible website that provides it. It's all about layered security. But I find it so odd that a lot of security industry folks I know seem to look down at these things and deride them on an instinctual basis rather than what should be a more rational approach.

Am I missing something?
 
  • Like
Reactions: jona
idubrawsky said:
combine it with MFA on every possible website that provides it
Click to expand...
I'm presuming you don't store the MFA also in BitWarden then? (Cause that wouldn't otherwise get you much.)

One thing you should consider: If the password manager offers any "Web" component, it's highly likely that they have access to your data in a decrypted fashion, or they couldn't offer the web feature. If you want true trust no one, then the only device that can see the plaintext is your device.
 
I read the Ars Technica article, but I'm no expert and some of it was over my head. That said, my impression from the article is they were making a mountain out of a molehill. Is there a potential vulnerability? Okay, yeah, the researchers seem to have found something. But how likely is it that may affect you?

From my reading it seems like a number of things must happen for you to be compromised. In one scenario, a hacker must gain control of Bitwarden's back end server and your vault must be in the process of adding a new user to a shared "collection". How likely is it that both of those will occur at the same time? In another scenario, your vault is vulnerable during the brief period of a vault recovery operation following a lost password. How often does that happen, and at the same time that a hacker might have control of BW's server? And what if you don't use password recovery? (I don't. I exported a local copy of my vault and will just start completely over if I ever lose my master password. I'm not arguing that's more secure, but it's simple to understand.)

I'm likely misunderstanding some of the details, but it still feels to me like a very small window of vulnerability.

And no plan is foolproof, anyway. If you eschew online managers, you could still be compromised if you have your KeePass vault open and a burglar breaks in and conks you over the head and exports your vault.

Don't think that's likely to happen? Yeah, probably not. But why, then, shouldn't we afford these newly discovered issues the same kind of risk/benefit evaluation?

I previously tried to get others in my family to use KeePass, but after five years of trying I was still the only one using it. I switched to Bitwarden, and now have five people in my family using it. And after all, the best password manager is the one that will actually get used. Vulnerable or not, I'll take Bitwarden over nothing at all, which is what my family used to use.

Still, the new report is good to know about and I applaud the researchers, but I trust the companies will soon come up with mitigations. Meanwhile, my hair's not on fire.
 
  • Like
Reactions: tadpole256, Darcon and sttngs1
The biggest risk to anyone is probably becoming a target of a law enforcement probe where the password vault provider is secretly compelled to aid the law enforcement agency by putting something targeted into their code. If that happened, in all likelihood you would be fully compromised.
 
  • Like
Reactions: tadpole256
PHolder said:
I'm presuming you don't store the MFA also in BitWarden then? (Cause that wouldn't otherwise get you much.)

One thing you should consider: If the password manager offers any "Web" component, it's highly likely that they have access to your data in a decrypted fashion, or they couldn't offer the web feature. If you want true trust no one, then the only device that can see the plaintext is your device.
Click to expand...
I definitely do not store the MFA in BitWarden as well. I’ve always been a believer in keeping that separate.
 
dg1261 said:
I read the Ars Technica article, but I'm no expert and some of it was over my head. That said, my impression from the article is they were making a mountain out of a molehill. Is there a potential vulnerability? Okay, yeah, the researchers seem to have found something. But how likely is it that may affect you?

From my reading it seems like a number of things must happen for you to be compromised. In one scenario, a hacker must gain control of Bitwarden's back end server and your vault must be in the process of adding a new user to a shared "collection". How likely is it that both of those will occur at the same time? In another scenario, your vault is vulnerable during the brief period of a vault recovery operation following a lost password. How often does that happen, and at the same time that a hacker might have control of BW's server? And what if you don't use password recovery? (I don't. I exported a local copy of my vault and will just start completely over if I ever lose my master password. I'm not arguing that's more secure, but it's simple to understand.)

I'm likely misunderstanding some of the details, but it still feels to me like a very small window of vulnerability.

And no plan is foolproof, anyway. If you eschew online managers, you could still be compromised if you have your KeePass vault open and a burglar breaks in and conks you over the head and exports your vault.

Don't think that's likely to happen? Yeah, probably not. But why, then, shouldn't we afford these newly discovered issues the same kind of risk/benefit evaluation?

I previously tried to get others in my family to use KeePass, but after five years of trying I was still the only one using it. I switched to Bitwarden, and now have five people in my family using it. And after all, the best password manager is the one that will actually get used. Vulnerable or not, I'll take Bitwarden over nothing at all, which is what my family used to use.

Still, the new report is good to know about and I applaud the researchers, but I trust the companies will soon come up with mitigations. Meanwhile, my hair's not on fire.
Click to expand...
I’m still in the middle of reading the ETH paper that is the backbone of the Arstechnica and HackerNews articles. Like you, I found the Arstechnica and HackerNews articles to be a bit overstated (and now reading the ETH paper, I think that is confirming my initial impression). I will post my synopsis of the paper here later next week.

Like you, I couldn’t get anyone in my family to use KeePass in the past. I now pay for a family subscription to BitWarden and I’ve gotten two of my kids to use it and I’m working on the third. My wife adamantly refuses to use it - she prefers pen and paper (that’s a whole ‘nother story though).
 
PHolder said:
The biggest risk to anyone is probably becoming a target of a law enforcement probe where the password vault provider is secretly compelled to aid the law enforcement agency by putting something targeted into their code. If that happened, in all likelihood you would be fully compromised.
Click to expand...
True - that is one possible scenario I hadn’t actually considered. But it definitely could be one. And interestingly, it may not have to be a law enforcement organization based here in the US (although I’m not sure how BitWarden has architected their service - I would suspect that they have the service in an AWS (or Azure or some other type of cloud) environment in the EU to ensure they’re complaint with GDPR and not putting EU citizen’s information in a US based environment.
 
You must log in or register to reply here.

Similar threads

Maplegate
Is blocking use of password managers really increased security?
Replies
4
Views
579
Security Now Podcast
Darcon
D
C
Using Password Generators
Replies
11
Views
1K
Security Now Podcast
JimB
J
H
Security Now - #1019 - re Password stuffing - Microsoft
Replies
1
Views
1K
Security Now Podcast
miquelfire
miquelfire
C
Security Now! MCP Server Project
Replies
0
Views
462
Security Now Podcast
comeara
C
L
Microsoft's new-ish Authentication for login (ready for spamming?)
Replies
4
Views
878
Security Now Podcast
lmcarmona
L
Top Bottom
Back