this post was submitted on 16 Feb 2026
252 points (90.6% liked)

Technology


cross-posted from: https://infosec.pub/post/42164102

Researchers demo weaknesses affecting some of the most popular options

Academics say they found a series of flaws affecting three popular password managers, all of which claim to protect user credentials in the event that their servers are compromised.…

top 50 comments
[–] Auster@thebrainbin.org 349 points 2 weeks ago (4 children)

You probably can't trust anything if it's compromised

[–] floofloof@lemmy.ca 71 points 2 weeks ago* (last edited 2 weeks ago) (3 children)

Well the specific point here is that these companies claim that a server hack won't reveal your passwords since they're encrypted and decrypted on your local device so the server only sees the encrypted version. Apparently this isn't completely true.

[–] philpo@feddit.org 15 points 2 weeks ago

At the point someone pulls off a valid MIM attack, which is basically a requirement here unless the whole BW/Vaultwarden server gets compromised, that is the least of someone's problems. MIMs are incredibly hard these days.

[–] tal@lemmy.today 45 points 2 weeks ago (1 children)

Yeah, the title there really doesn't reflect the article text. It should be "you probably can't trust your password manager if the remote servers it uses are compromised".

[–] Pratai@piefed.ca 24 points 2 weeks ago (1 children)

Are you trying to say the front fell off?

[–] wreckedcarzz@lemmy.world 13 points 2 weeks ago (1 children)
[–] sunbeam60@feddit.uk 8 points 2 weeks ago (2 children)

It wasn’t designed for the front to fall off, that’s for sure!

[–] ryper@lemmy.ca 91 points 2 weeks ago (4 children)

Since the summary doesn't say which three popular password managers:

As one of the most popular alternatives to Apple and Google's own password managers, which together dominate the market, the researchers found Bitwarden was most susceptible to attacks, with 12 working against the open-source product. Seven distinct attacks worked against LastPass, and six succeeded in Dashlane.

[–] sem@piefed.blahaj.zone 17 points 2 weeks ago

Next do proton pass

[–] Clent@lemmy.dbzer0.com 5 points 2 weeks ago

And glosses over what it claims are the two that dominate the market (combined market share of 55%), which negates their headline, since it's likely the reader is using one of those two password managers.

Source

[–] Engywuck@lemmy.zip 63 points 2 weeks ago (1 children)
[–] lena 11 points 2 weeks ago* (last edited 2 weeks ago)

These password managers claim your passwords are secure, even if their servers get compromised, which is what is expected from a security standpoint. But that is apparently not the case.

[–] chocrates@piefed.world 49 points 2 weeks ago (4 children)
[–] eodur@piefed.social 8 points 2 weeks ago (1 children)

That's really disappointing. At least the self-hosted version means it would have to be a heavily targeted attack.

[–] Bazoogle@lemmy.world 6 points 2 weeks ago (1 children)

I don't think it should be disappointing. Bitwarden welcomes third party security testing, especially given it is open source. The tests done were just tests, and the issues were already fixed.

[–] eodur@piefed.social 45 points 2 weeks ago (2 children)
[–] floofloof@lemmy.ca 27 points 2 weeks ago* (last edited 2 weeks ago) (1 children)

Yes, although it sounds like they haven't finished fixing some of them:

All issues have been addressed by Bitwarden. Seven of which have been resolved or are in active remediation by the Bitwarden team. The remaining three issues have been accepted as intentional design decisions necessary for product functionality.

Edit: There's more information about the specific threats and remediation steps in the PDF report linked at the end of the Bitwarden blog post:

https://bitwarden.com/assets/Kki4W785JIPOdFj6EeWB5/1e74e924febb4c6a5ad03eed23b92d23/pwmgr_paper__1_-combined%C3%82__1_.pdf

[–] AliasAKA@lemmy.world 22 points 2 weeks ago (1 children)

Looking through, it seems like for the most part these are very niche and/or require the user to be using SSO or enterprise recovery options and/or try to change and rotate keys or resync often. I think few people using this for personal would be interacting with that attack surface or accepting organizational invites, but it is serious for organizations (probably why they’re trying quickly to address this).

Honestly I think a server being incognito controlled and undetected in Bitwarden's fleet while also performing these attacks is, unlikely? Certainly less likely than passwords being stolen from individual site hacks or probably even banks. Like at that point, it would just be easier to do these types of manipulations directly on bank accounts or crypto wallets or email accounts than here, but then again, if you crack a wallet like this you get theoretically all the goodies to those too I suppose, for a possibly short time (assuming the user wasn’t using 2FA that wasn’t email based as well).

Not to mitigate these issues. They need to fix them, just trying to ascertain how severe and if individual users should have much cause for concern.

[–] ArrowMax@feddit.org 6 points 2 weeks ago

Regarding a malicious server acting under Bitwarden's fleet: As I see it, the most vulnerable target would be an organization's self-hosted Bitwarden server.

[–] skrlet13@feddit.cl 31 points 2 weeks ago (3 children)

I suggest KeepassXC, I like it. Can use it with TOTP too

[–] Petter1@discuss.tchncs.de 12 points 2 weeks ago (1 children)

Yess!
I store the keepass vault on my nextcloud
On iOS and macOS, I use Strongbox pro (one time purchase), as it integrates beautifully into the apple ecosystem using its APIs.
On linux and windows free KeepassXC with browser plug-ins
On Android I use the free keePassDX which, like strongbox, uses the android APIs for passwords

[–] lightnsfw@reddthat.com 7 points 2 weeks ago

Same. My password database never touches a server I don't own and my keyfile is manually copied between my devices and stored separately from the database file.

[–] IratePirate@feddit.org 9 points 2 weeks ago

Keepass + Syncthing for cloudless sync between devices. Dreamteam.

[–] mastod0n@lemmy.world 27 points 2 weeks ago

What a headline

[–] imetators@lemmy.dbzer0.com 25 points 2 weeks ago (3 children)

JFC this headline. BREAKING NEWS: Healthy people die of old age.

[–] 18107@aussie.zone 6 points 2 weeks ago

Things you should know: Your car won't drive after it's broken down.

[–] ArrowMax@feddit.org 22 points 2 weeks ago

Additional vendor responses by Bitwarden to put the remediations and threat models into perspective:

Bitwarden blog post

Bitwarden cryptography report

[–] BeardededSquidward@lemmy.blahaj.zone 12 points 2 weeks ago (6 children)

I'll be honest, password managers are like the holy grail of desirable to breach. If you're using one it will be constantly under attack. It being breached or vulnerable shouldn't be a surprise. There isn't really a secure way to store large amounts of passwords that doesn't have some vulnerability issues.

[–] Lushed_Lungfish@lemmy.ca 11 points 2 weeks ago (1 children)

I just write down password hints on a scrap of paper.

[–] floofloof@lemmy.ca 6 points 2 weeks ago* (last edited 2 weeks ago)

If you don't have to use your passwords from multiple locations, your hints are intelligible only to you, and you don't leave the paper anywhere too obvious, this isn't a bad solution.

[–] thedeadwalking4242@lemmy.world 7 points 2 weeks ago
[–] SCmSTR@lemmy.blahaj.zone 6 points 2 weeks ago

Uhhhh.... What even is this headline

[–] shortwavesurfer@lemmy.zip 6 points 2 weeks ago (7 children)

I store my passwords on a flash drive with KeepassXC. How about you compromise that server... Oh wait a minute, no server?

[–] baduhai@sopuli.xyz 5 points 2 weeks ago
[–] cley_faye@lemmy.world 5 points 2 weeks ago

If the entire supply chain up to the software you're running to perform actual decryption is compromised, then the decrypted data is vulnerable. I mean, yeah? That's why we use open-source clients and check builds/use builds from a separate source, so that the compromise of one actor does not compromise the whole chain. The server (if any) is managed by one entity and only manages access control + encrypted data, the client from a separate trusted source manages decryption, and the general safety of your whole system remains your responsibility.

Security requires a modicum of awareness and implication from the users, always. The only news here is that people apparently never considered supply chain attacks until now?

[–] eleitl@lemmy.zip 5 points 2 weeks ago