Solved These 3 popular password managers are insecure, researchers find


Borg 386

Hate to sound old fashioned, but I try to keep as many passwords off my PC as possible. I have a little notebook in my desk drawer where everything is written down. I trust that more than keeping them on a PW manager.

  • Swiss researchers discovered security vulnerabilities in three popular password managers – Bitwarden, LastPass, and Dashlane – demonstrating multiple potential attacks on each platform.
  • PCWorld reports these flaws stem from outdated 1990s cryptographic technology and complex code architectures that create additional attack points for cybercriminals.
  • While no immediate danger exists, the companies have been notified and are working on fixes to protect millions of users’ password vaults.

 

My Computer

System One

  • OS
    Win 11 Pro, Win 10 pro, Win 13.7 Pro Chinese Ver
    Computer type
    PC/Desktop
    Manufacturer/Model
    It's a Dell Dude
    CPU
    12th Gen Intel(R) Core(TM) i9-12900 2.40 GHz
    Motherboard
    Father is bored too...
    Memory
    64.0 GB of transcendental dimensional RAM
    Graphics Card(s)
    NVIDIA GeForce RTX 3070 Ti
    Sound Card
    N/A
    Monitor(s) Displays
    27" Samsung Monitor/Alternative Dimensional Viewing Portal
    Screen Resolution
    Fuzzy after a couple drinks
    Hard Drives
    2 or 3, depending on if it's a night they're arguing about having a "split personality crisis" because I partitioned the drive.
    PSU
    Shockingly active
    Case
    Don't get on my case....man
    Cooling
    Scotch on the rocks on the weekends.
    Keyboard
    Steel Series Lighted Glow in the dark something or another
    Mouse
    Currently being stalked by the cat...
    Internet Speed
    DSL
    Browser
    Defeated by Mario...wait...OH...BRowser...
    Antivirus
    Yep
Bitwarden, LastPass, and Dashlane

You would think these companies would know this by now. 🤨

I mean, 1990s technology? They don't (penetration) test their own software?
 

My Computers

System One System Two

  • OS
    Windows 11 Pro 25H2 build: (26200.7623)
    Computer type
    Laptop
    Manufacturer/Model
    Microsoft Surface Pro
    Memory
    32GB
  • Operating System
    Microsoft 25H2 Pro
    Computer type
    Laptop
    Manufacturer/Model
    Dell Pro 14 - PC14250
    CPU
    Intel Core Ultra 7
    Memory
    64GB
    Graphics card(s)
    Intel Integrated Graphics
    Hard Drives
    Micron 1TB SSD

These 3 popular password managers are WERE insecure, researchers find​

... IF the server had been hacked:

To do this, they set up their own servers that behaved like a hacked password manager server.

As is usual with "friendly" attacks, Paterson's team contacted the providers of the affected systems before publishing the findings. They had 90 days to close the security gaps. "The vendors were mostly cooperative and grateful, but not all of them were equally quick to fix the vulnerabilities," says Paterson.
 

My Computer

System One

  • OS
    Windows 11
    Computer type
    Laptop

These 3 popular password managers are WERE insecure, researchers find​

... IF the server had been hacked:
Yeah, remove the primary security layer and claim the apps are not secure when the server is wide open!
Not really a valid breach test!
 

My Computer

System One

  • OS
    Win11 Pro 25H2 Latest GA build
    Computer type
    PC/Desktop
    Manufacturer/Model
    Powerspec
    CPU
    Intel(R) Core(TM) i9-14900KF 3.20 GHz
    Motherboard
    MSI PRO Z690-A WIFI (latest BIOS)
    Memory
    G.Skill DDR5-5600 / PC5-44800 DDR5 SDRAM UDIMM
    Graphics Card(s)
    GIGABYTE GeForce RTX 4070 Ti WINDFORCE OC 12G (GV-N407TWF3OC-12GD)
    Sound Card
    OnBoard
    Monitor(s) Displays
    Dell - various (3)
    Screen Resolution
    1920x1080
    Hard Drives
    SSD/HDD/NVME
    PSU
    850 Watt 80+ Gold Modular
    Case
    PowerSpec/Lian Li ATX 205 Mesh
    Cooling
    Coolermaster MASTERLIQUID ML240L V2 RGB
    Keyboard
    Logi MX Keys S
    Mouse
    MX Master 3S
    Internet Speed
    600 mbps
    Browser
    various (Opera, Vivaldi, Edge, Brave, Chrome)
    Antivirus
    anitmalwarebytes; superantispyware; defender
    Other Info
    Windows Feature Experience Pack 1000.26100.36.0
The paper doesn't mention the 90s at all, that I can find. In skimming it, I found a reference to "early-2000s cryptography," which I'm assuming means AES?

There haven't been any successful attacks on AES that I know of, but maybe I missed it. BEAST, for example, was an attack on CBC, but that was a flaw in how TLS 1.0 handled the IV, so it was a weakness in TLS, not AES.

Here's the original paper, if anyone wants to read a non-clickbait version of this story. https://eprint.iacr.org/2026/058.pdf
 

My Computer

System One

  • OS
    Windows 11 Pro 25H2
    Computer type
    PC/Desktop
    Manufacturer/Model
    Intel NUC12WSHi7
    CPU
    12th Gen Core i7-1260P
    Motherboard
    NUC12WSBi7
    Memory
    64 GB Micron PC4-25600
    Graphics Card(s)
    Intel Iris Xe Graphics
    Sound Card
    on-board Realtek HD Audio
    Monitor(s) Displays
    Dell U3219Q
    Screen Resolution
    3840 x 2160
    Hard Drives
    Samsung SSD 990 PRO 1TB
    Crucial MX500 2 TB
    Antivirus
    Microsoft Defender
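On the BEAST point in the post above (a flaw in how TLS 1.0 chained CBC IVs, not in AES), here is an added example that is not code from the paper, from any password manager, or from the BEAST authors. It shows the block-level core of the attack: with a chained IV the attacker can predict the next IV and turn chosen-plaintext access into a guess oracle for a previously encrypted block; with a fresh random IV per record the same probe tells them nothing. The real BEAST attack adds byte-at-a-time block alignment on top of this; that part is not shown. The class and function names, the sample cookie and the candidate list are this example's own, and the block cipher is a keyed PRF standing in for the encrypt direction of AES, which is enough because the attack depends only on the CBC chaining.

```python
"""Predictable CBC IV (TLS 1.0 style) versus fresh IV per record (TLS 1.1+ style).
Added example; names and sample data are constructed for illustration."""
import hashlib
import hmac
import os

BLOCK = 16

def block_encrypt(key, block):
    # Stand-in for the encrypt direction of a 128-bit block cipher: a keyed PRF truncated
    # to one block. Only CBC chaining matters below, so AES would behave identically.
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def cbc_encrypt(key, iv, plaintext):
    assert len(plaintext) % BLOCK == 0, "example keeps inputs block-aligned"
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

class Session:
    """A CBC record layer. chained=True mimics TLS 1.0 (next IV = last ciphertext block);
    chained=False mimics TLS 1.1+ (explicit random IV per record). In both cases the IV
    actually used is visible on the wire, so encrypt() returns it with the ciphertext."""
    def __init__(self, key, chained):
        self.key, self.chained = key, chained
        self.last = os.urandom(BLOCK)   # only the very first IV is unpredictable

    def encrypt(self, plaintext):
        iv = self.last if self.chained else os.urandom(BLOCK)
        ct = cbc_encrypt(self.key, iv, plaintext)
        self.last = ct[-BLOCK:]
        return iv, ct

def recover_block(session, iv_used, target_block, candidates):
    """Chosen-plaintext guess check. target_block = E(secret xor iv_used). For a guess g the
    attacker submits g xor iv_used xor iv_predicted; when the predicted IV is the real one the
    cipher input becomes g xor iv_used, so the first ciphertext block equals target_block
    exactly when g == secret. Returns the matching guess or None."""
    for g in candidates:
        iv_predicted = session.last      # what the attacker expects the next IV to be
        probe = xor(xor(g, iv_used), iv_predicted)
        _, ct = session.encrypt(probe)
        if ct[:BLOCK] == target_block:
            return g
    return None

def run_attack(chained):
    """Victim sends one secret block; the attacker then gets chosen-plaintext access
    to the same session (the browser-injected requests of BEAST) and runs guesses."""
    session = Session(os.urandom(32), chained)
    secret = b"sessionid=ab12cd"          # constructed 16-byte sample, unknown to the attacker
    iv_used, ct = session.encrypt(secret)  # attacker observes iv_used and ct on the wire
    candidates = [b"sessionid=000000", b"sessionid=ab12cd", b"sessionid=zzzzzz"]
    return recover_block(session, iv_used, ct[:BLOCK], candidates)

if __name__ == "__main__":
    print("chained IV  :", run_attack(chained=True))
    print("fresh IV    :", run_attack(chained=False))
```

With chained=True the second candidate is confirmed; with chained=False the predicted IV is wrong every time and nothing is learned, which is exactly the distinction the post draws: the cipher is unchanged, the IV handling is what was broken.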
I think i'm still happy to use Bitwarden.
 

My Computer

System One

  • OS
    Win 11 Pro
    Computer type
    PC/Desktop
    Manufacturer/Model
    N/A
    CPU
    AMD Ryzen 7 9700X
    Motherboard
    ASUS Crosshair Viii Hero Wi Fi
    Memory
    G.Skill Trident Z5 Neo RGB 64GB Kit (2x32GB) DDR5-6000 C30
    Graphics Card(s)
    PowerColor Radeon RX 9060 XT Reaper GDDR6 16GB
    Sound Card
    USB Out NAD M51 DAC with Adams A8 powered speakers
    Monitor(s) Displays
    Dell 3219Q
    Screen Resolution
    3840 x 2160
    Hard Drives
    5 x WD_BLACK SN850x PCIe Gen4 NVMe M.2 SSD - 4TB
    PSU
    be quiet! DARK POWER 13 1000W Titanium PCIe 5.0 ATX Modular PSU
    Case
    Fractal Design Define 7 Full Tower Case (Black)
    Cooling
    Noctua NH-D15 G2 LBC - High Performance Multi-Socket PWM CPU Cooler
    Keyboard
    Razer Huntsman V2
    Mouse
    Razer Viper Ultimate
    Internet Speed
    Starlink 94Mbps down 20Mbps up
    Browser
    Brave
    Antivirus
    ESET
Hate to sound old fashioned, but I try to keep as many passwords off my PC as possible. I have a little notebook in my desk drawer where everything is written down. I trust that more than keeping them on a PW manager.



I use an 'air gap' too which cannot be hacked over the internet.
 

My Computer

System One

  • OS
    Windows 11 Pro
    Computer type
    PC/Desktop
    Manufacturer/Model
    Self build
    CPU
    Core i7-13700K
    Motherboard
    Asus TUF Gaming Plus WiFi Z790
    Memory
    64 GB Kingston Fury Beast DDR5
    Graphics Card(s)
    Gigabyte GeForce RTX 2060 Super Gaming OC 8G
    Sound Card
    Realtek S1200A
    Monitor(s) Displays
    Viewsonic VP2770 & Dell (secondary)
    Screen Resolution
    2560 x 1440
    Hard Drives
    Kingston KC3000 2TB NVME SSD & SATA HDDs & SSD
    PSU
    EVGA SuperNova G2 850W
    Case
    Nanoxia Deep Silence 1
    Cooling
    Noctua NH-D14
    Keyboard
    Microsoft Digital Media Pro
    Mouse
    Logitech Wireless
    Internet Speed
    80 Mb / s
    Browser
    Chrome
    Antivirus
    Defender, Malwarebytes Free & AdwCleaner
The security researchers 'hack' relies on bad actors gaining control of the Password Manager's server(s), which seems unlikely. And they only looked at these four - Bitwarden, LastPass, Dashlane and 1Password. These providers, in effect, do not have zero-knowledge.
 

My Computers

System One System Two

  • OS
    Windows 11 Pro 25H2 26200.8524
    Computer type
    Laptop
    Manufacturer/Model
    Acemagic LX15PRO
    CPU
    AMD Ryzen 7 5825U with Radeon Graphics
    Memory
    16GB
    Screen Resolution
    1920 x 1080
    Hard Drives
    SSD 2TB
    Internet Speed
    30 Mbps
    Browser
    Brave
    Antivirus
    Webroot Secure Anywhere
    Other Info
    System 3

    Acer Swift SF114-34 laptop
    OS Windows 11 Pro 26200.8524
    CPU Pentium Silver N6000
    RAM 4GB
    SSD Samsung 970 EVO Plus SSD 2TB (an upgrade)
  • Operating System
    Windows 11 Pro 23H2 22631.2506
    Computer type
    Laptop
    Manufacturer/Model
    HP Mini 210-1090NR PC (bought in late 2009!)
    CPU
    Atom N450 1.66GHz
    Memory
    2GB
    Browser
    Brave
    Antivirus
    Webroot
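The posts above disagree about what a "hacked server" test proves, and about whether these designs are really zero-knowledge. The following added example (not code from the paper, and not from Bitwarden, LastPass, Dashlane or 1Password) models the generic vault design in question and makes the two sides concrete: what a fully compromised server holds, what it can and cannot do with it, and the one place in the protocol where a hostile server still has a say, namely the pre-login exchange in which the client asks the server how expensive the key derivation should be. That last point is a general design consideration, not a description of what the paper found. Stand-ins, stated here as assumptions: an HMAC-SHA256 counter keystream plus an HMAC tag in place of the AES-based scheme a real product uses, a chosen CLIENT_KDF_FLOOR, and the names derive_keys, server_store, offline_guess and client_accept_kdf.

```python
"""Generic zero-knowledge vault model. Added example; crypto primitives are stdlib stand-ins."""
import hashlib
import hmac
import secrets

CLIENT_KDF_FLOOR = 600_000   # assumed client-side minimum for PBKDF2-HMAC-SHA256

def derive_keys(master_password, email, iterations):
    """Client side. Everything is stretched from the master password; the vault keys stay
    on the client and only login_hash is ever sent to the server."""
    salt = email.strip().lower().encode()
    master = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations)
    enc_key = hmac.new(master, b"vault-encryption", hashlib.sha256).digest()
    mac_key = hmac.new(master, b"vault-authentication", hashlib.sha256).digest()
    # One more one-way step, keyed by the password, so the value the server stores
    # cannot be walked back to master, enc_key or mac_key.
    login_hash = hashlib.pbkdf2_hmac("sha256", master, master_password.encode(), 1)
    return enc_key, mac_key, login_hash

def _keystream(key, nonce, length):
    """HMAC-SHA256 counter keystream; stands in for AES so the example needs only the stdlib."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]

def encrypt_vault(enc_key, mac_key, plaintext):
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()   # encrypt-then-MAC
    return nonce + ct + tag

def decrypt_vault(enc_key, mac_key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("vault tag mismatch: altered ciphertext or wrong key")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

# ---- server side: this record is ALL a fully compromised server holds per user ----
def server_store(db, email, login_hash, blob, iterations):
    db[email] = {"login_hash": login_hash, "vault": blob, "kdf_iterations": iterations}

def server_login(db, email, login_hash):
    rec = db.get(email)
    return rec is not None and hmac.compare_digest(rec["login_hash"], login_hash)

def offline_guess(record, email, candidates):
    """What the stolen record does allow: offline password guessing against login_hash,
    at the cost fixed by the stored iteration count. Returns the password if it is in
    the candidate list, else None."""
    for pw in candidates:
        _, _, lh = derive_keys(pw, email, record["kdf_iterations"])
        if hmac.compare_digest(lh, record["login_hash"]):
            return pw
    return None

def client_accept_kdf(server_iterations, floor=CLIENT_KDF_FLOOR):
    """Pre-login, the client asks the server which iteration count to use for this account.
    A client that takes the answer as-is lets a hostile server drive the guessing cost
    down; a hardened client refuses anything below its own floor."""
    if server_iterations < floor:
        raise ValueError(f"server offered {server_iterations} PBKDF2 iterations, below floor {floor}")
    return server_iterations

if __name__ == "__main__":
    db, email, pw = {}, "alice@example.com", "correct horse battery staple"  # constructed sample
    enc, mac, lh = derive_keys(pw, email, CLIENT_KDF_FLOOR)
    server_store(db, email, lh, encrypt_vault(enc, mac, b"github.com: alice / hunter2\n"), CLIENT_KDF_FLOOR)
    print("login ok:", server_login(db, email, lh))
    print("offline guess from stolen record:", offline_guess(db[email], email, ["password1", pw]))
```

Run as a script it logs in, then plays the compromised server: the record alone never yields the vault plaintext, but it does yield an offline guessing target whose cost is whatever iteration count was stored. That is why both camps in the thread are partly right: a design like this survives a server breach only as well as the master password and the KDF cost do, and a client that lets the server pick that cost without a floor has handed part of its own security to the server.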
I do not store core passwords in PM and I do not use convenient features like autofill or extension to be exploited.
 

My Computer

System One

  • OS
    Home26H2Can
    Computer type
    PC/Desktop
    CPU
    AMD Ryzen 5 8600G (07/24)
    Motherboard
    ASROCK B650M-HDV/M.2 (07/24) BIOS 4.21 AGESA ComboAM5 1.3.0.1 (04/26)
    Memory
    2x32GB Kingston FURY DDR5 5600 MHz CL36 @5200 CL36 (07/24)
    Graphics Card(s)
    ASROCK Radeon RX 6600 Challenger D 8G @48FPS (08/24)
    Sound Card
    Creative Sound BlasterX AE-5 Plus (05/24)
    Monitor(s) Displays
    24" Philips 24M1N3200ZS/00 (05/24)
    Screen Resolution
    1920×1080@165Hz via DP1.4
    Hard Drives
    Kingston KC3000 NVMe 2TB (05/24)
    ADATA XPG GAMMIX S11 Pro 512GB (07/19)
    PSU
    Seasonic Core GM 550 Gold (04/24)
    Case
    Fractal Design Define 7 Mini with 3x Noctua NF-P14s/12@555rpm (04/24)
    Cooling
    Noctua NH-U12S with Noctua NF-P12 (04/24)
    Keyboard
    HP Pavilion Wired Keyboard 300 (07/24) + Rabalux 76017 Parker (01/24)
    Mouse
    Logitech M330 Silent Plus (01/26)
    Internet Speed
    500/100 Mbps via RouterOS (05/21) & TCP Optimizer
    Browser
    Edge, Brave for YouTube, LibreWolf for FB
    Antivirus
    NextDNS blocking 1/3 Traffic
    Other Info
    Phone: Motorola Moto G86 (02/26)
    Backup: Hasleo Backup Suite (PreOS)
    Headphones: Sennheiser RS170 (09/10)
    Chair: Huzaro Force 4.4 Grey Mesh (05/24)
    Notifier: Xiaomi Mi Band 9 Milanese (10/24)
    FlexCore USB-C 3.2 Gen 1 (M) to LAN (F) (08/25)
I do not store core passwords in PM and I do not use convenient features like autofill or extension to be exploited.
It's surprising how many people nowadays will choose convenience over security. Or maybe it's not, the general attitude is if it saves me a few seconds it'll be the choice.
 

So what is the safest way to have our passwords saved? maybe an application or a file on PC?
 

My Computer

System One

  • OS
    Windows
    Computer type
    Laptop
    Manufacturer/Model
    Lenovo Legion 7i
    CPU
    Intel i7-12800HX
    Memory
    32 GB DDR5 4800 MHz dual-channel
    Graphics Card(s)
    NVIDIA® GeForce RTX™ 3070 Ti
    Sound Card
    Steinberg UR44
    Hard Drives
    1 TB SSD (M.2 NVMe PCIe 4.0 x4
    2 TB SSD Samsung 980 PRO NNMe
    Browser
    Firefox
    Antivirus
    Windows Defender + Malwarebytes
So what is the safest way to have our passwords saved? maybe an application or a file on PC?
It sounds old fashioned, but write it down in a book or on paper. Try to keep PW's off your PC. Assume anything electronic that stores sensitive info might/probably will be hacked eventually. A couple of those password managers have been hacked in the past. Yeah, it's a PIA to have to put them in by hand every time, but IMHO it's the safest way to go.
 

A couple of those password managers have been hacked in the past.
Some customer details were stolen but NO passwords were compromised which shows how secure they are.
 

My method is a password protected XLSX file on my hard disk and a backup of that on an external disk that is stored at an address somewhere else (trusted family member). For every purpose (shopping, insurances, forum login etc.) I have a separate sheet in the total spreadsheet. I can make notes in that file too, one per account.

A few times a year I print an overview of all logins and save it in a 'secret' location in the house, so that my wife and that family member can reach it if necessary (and if all backups have been lost). My wife (and that family member) know the password of the XLSX file as well.

It won't be a 100% hack-free method, but it is convenient to use and rather safe. My banking login and my DigiD (used for official accounts like income taxes and pension benefits) I don't have in that file. Those are just in my head and my wife's.
 

My Computer

System One

  • OS
    Windows 11 Pro 25H2 26200.8457
    Computer type
    PC/Desktop
    Manufacturer/Model
    Build by vendor to my specs
    CPU
    AMD Ryzen 7 5700G
    Motherboard
    MSI PRO B550M-P Gen3
    Memory
    Kingston FURY Beast 2x16GB DIMM DDR4 2666 CL16
    Graphics Card(s)
    MSI GeForce GT 730 2GB LP V1
    Sound Card
    Creative Sound Blaster Audigy FX
    Monitor(s) Displays
    Samsung S24E450F 24"
    Screen Resolution
    1920 x 1080
    Hard Drives
    1. SSD Crucial P5 Plus 500GB PCIe M.2
    2. SSD-SATA Crucial MX500-2TB
    PSU
    Corsair CV650W
    Case
    Cooler Master Silencio S400
    Cooling
    Cooler Master Hyper H412R with Be Quiet Pure Wings 2 PWM BL038 fan
    Keyboard
    Cherry Stream (wired, scissor keys)
    Mouse
    Asus WT465 (wireless)
    Internet Speed
    70 Mbps down / 80 Mbps up
    Browser
    Firefox 130.0
    Antivirus
    F-Secure (Internetprovider version)
    Other Info
    Router: FRITZBox 7490
    Oracle VirtualBox 7 for testing software on Win 10 or 11
It sounds old fashioned, but write it down in a book or on paper. Try to keep PW's off your PC. Assume anything electronic that stores sensitive info might/probably will be hacked eventually. A couple of those password managers have been hacked in the past. Yeah, it's a PIA to have to put them in by hand every time, but IMHO it's the safest way to go.
Yeah, I just write mine on a sticky note and attach to side of my monitor at work.. /s

Sorry, couldn’t resist… I have maybe 400+ pswd’s I use, many of which are [work] required to be a 12-char minimum with usual set of upper/lower case, special char and random numbers. Apps, servers, different support tiers, vault requirements and that’s before the personal accounts, home devices, etc. plus those with 2FA that require codes generated by apps like MS, Google, Authy on top! While I agree that writing it down is the best approach to prevent electronic hacks, with the number I have to remember that approach isn’t realistic.
While there are other ways - like spreadsheets - to track them, can’t just have that single source on your home PC. Phone?

PS: ALWAYS use 2FA on any account associated with your finances.. bank, credit card, any web site that you use to purchase stuff.. heck, even social media. And don’t use faceID to access your phone.
 
