
You may have seen news on vulnerabilities in password managers 🔐, posted in an Ars Technica article based on an ETH Zurich research paper.
Let me share some thoughts on these.

It is good practice to use password managers: they let you have a unique password everywhere, and the password manager keeps those passwords safe. Today's mainstream password managers are online services, and many of them claim to be 'zero-knowledge', which means (while not a precise crypto term in this context) that no one, including the password manager company, can access your passwords, even if the company had a malicious employee, were hacked, or were compelled by a government.

The researchers reverse engineered and analyzed multiple password manager services (including Bitwarden, Lastpass and Dashlane) and showed attacks where the above claim was not true.

  • 👉 Some of the attacks are really nasty, resulting in e.g. full vault compromise (bad guy gets all passwords).

  • 👉 Most attacks target not-so-core password manager features, such as key escrow, shared vaults or account recovery. When you are not using these or have these disabled, you are safe.

  • 👉 The attacks rely on the password manager server being malicious. Some services claimed they don't adopt this kind of threat model (i.e. they don't assume that their own service can be malicious), but this sounds contradictory. If a company claims they cannot access the users' password vaults (see zero-knowledge claims above), this should cover the case when they are trying to do so.

The researchers proposed countermeasures for their attacks, and many of these have been already implemented by the services (as the researchers contacted them before going public).

I am somewhat skeptical here. While I don't think there is a fundamental conflict between security and efficiency, encrypting data at rest is an exception: good encryption may outright prevent certain operations (like certain forms of sharing or recovery). In the long run, one inevitably needs to decide whether they want social-media-style features in a cloud service, allowing it to access their data, or zero-knowledge (whatever it means). If a password manager starts including features like 'sharing', 'invites' and 'recovery', there will forever be vulnerabilities.

I would not advise anyone to stop using password managers, including those mentioned in the paper. Using a password manager is way better than any other alternative.

Still, I prefer password managers to be offline tools and not password-manager-as-a-service, accumulating social media's sharing features. When it is about passwords, I really don't like sharing. 😁

Ars Technica article: https://arstechnica.com/security/2026/02/password-managers-promise-that-they-cant-see-your-vaults-isnt-always-true/

Research paper: https://eprint.iacr.org/2026/058.pdf


I prefer offline password managers, which run locally and store the password vault in an encrypted file. This file can be synced with any cloud storage (Dropbox / Google Drive / OneDrive / etc). This keeps the password manager leaner and more focused: the password manager vendor never receives your encrypted vault, and the cloud storage provider never learns your master password.

Examples: Password Safe, KeePass (open source, cross-platform), Enpass, Password Gorilla.

I also know people who run a self-hosted Bitwarden instance.

Note that I do not necessarily reject cloud / online password managers either, I just put them into a different bucket.

I have also experimented with Google's cloud password manager (also built into Chrome) and I think it has become pretty good in its own class. If one wants to get started with minimal effort, it might be a good solution.

/Passwords may have many flaws, but they are supported everywhere. I am not deep into tools - either hardware or services - that promise to get rid of passwords, but my experience is that when you try something like that, you will eventually run into a technology that does not work with it.../


This post was first published on LinkedIn here on 2026-03-08.

This is my personal website, opinions expressed here are strictly my own, and do not reflect the opinion of my employer. My English blog is experimental and only a small portion of my Hungarian blog is available in English. Contents of my blog may be freely used according to Creative Commons license CC BY.