On the Security of Password Managers

Good article on password managers that secretly have a backdoor.

New research shows that these claims aren’t true in all cases, particularly when account recovery is in place or password managers are set to share vaults or organize users into groups. The researchers reverse-engineered or closely analyzed Bitwarden, Dashlane, and LastPass and identified ways that someone with control over the server—either administrative or the result of a compromise—can, in fact, steal data and, in some cases, entire vaults. The researchers also devised other attacks that can weaken the encryption to the point that ciphertext can be converted to plaintext.

This is where I plug my own Password Safe. It isn’t as full-featured as the others and it doesn’t use the cloud at all, but it’s actual encryption with no recovery features.

Posted on February 23, 2026 at 7:03 AM

Comments

bw February 23, 2026 7:35 AM

I self host vaultwarden, which as far as I can tell has all of the features of bitwarden… you can use the bitwarden extension AND I can self host behind multiple layers of security as well.

I feel like “defense in depth” has been forgotten…

TimH February 23, 2026 8:29 AM

@bw “I feel like “defense in depth” has been forgotten…”

Also, don’t store your secrets on somebody else’s computer, no matter what assurances they give.

Chris Becke February 23, 2026 8:39 AM

Wish there was a product that was as secure as PasswordSafe but simple enough for my grandparents to safely use.

