On the Security of Password Managers

Good article on password managers that secretly have a backdoor. New research shows that these claims aren’t true in all cases, particularly when account recovery is in place or password managers are set to share vaults or organize users into groups. The researchers reverse-engineered or closely analyzed Bitwarden, Dashlane, and LastPass and identified ways that someone with control over the server (either administrative or the result of a compromise) can, in fact, steal data and, in some cases, entire vaults. The researchers also devised other attacks that can weaken the encryption to the point that ciphertext can be converted to plaintext.

This is where I plug my own Password Safe. It isn’t as full-featured as the others and it doesn’t use the cloud at all, but it’s actual encryption with no recovery features.

Article Summaries:

  • A recent study examined the security of popular password managers (Bitwarden, Dashlane, and LastPass) and found that claims of hidden backdoors are not universal. Researchers reverse-engineered the services and demonstrated that a server-controlled attacker, whether an administrator or a compromised host, can steal vault data or even entire vaults. They also identified attacks that weaken encryption enough to recover plaintext. The paper notes that account-recovery features and shared-vault configurations can exacerbate risks. In response, some users are turning to self-hosted solutions like Password Safe or Vaultwarden, which avoid cloud storage and offer “defense-in-depth” controls.
