On the Security of Password Managers

Good article on password managers that secretly have a backdoor.

New research shows that these claims aren’t true in all cases, particularly when account recovery is in place or password managers are set to share vaults or organize users into groups. The researchers reverse-engineered or closely analyzed Bitwarden, Dashlane, and LastPass and identified ways that someone with control over the server­—either administrative or the result of a compromise­—can, in fact, steal data and, in some cases, entire vaults. The researchers also devised other attacks that can weaken the encryption to the point that ciphertext can be converted to plaintext.

This is where I plug my own Password Safe. It isn’t as full-featured as the others and it doesn’t use the cloud at all, but it’s actual encryption with no recovery features.

Tags: , ,

Posted on February 23, 2026 at 7:03 AM23 Comments

Comments

bw February 23, 2026 7:35 AM

I self hold vaultwarden, as far as I can tell has all of the features of bitwarden… you can use the bitwarden extension AND I can self host behind multiple layers of security as well.

I feel like “defense in depth” has been forgotten…

TimH February 23, 2026 8:29 AM

@bw “I feel like “defense in depth” has been forgotten…”

Also, don’t store your secrets on somebody else’s computer, no matter what assurances they give.

Chris Becke February 23, 2026 8:39 AM

Wish there was a product that was as secure as PasswordSafe but simple enough for my grandparents to safely use.

Clive Robinson February 23, 2026 9:37 AM

@ Bruce,

With regards,

“This is where I plug my own Password Safe. It isn’t as full-featured as the others and it doesn’t use the cloud at all, but it’s actual encryption with no recovery features.”

1, Not full-featured = lower attack surface.
2, Not use-cloud = lower future risk from Quantum computing on backups.
3, No recovery-features = lower risk of attack via systemic risk.

As for “it’s actual encryption” there are always risks with encryption in the modes, protocols and standards that it’s used within. However much of that should not apply and that which does can usually be mitigated against.

@ ALL,

With regards password managers there is an issue that is not much talked about…

Some services store all user data in an encrypted form with the key derived from the user password.

Sensible selection of the password can mitigate the risk of it being cracked and the encryption key recovered by a hostile third party.

However… Backups of the encrypted user data on a cloud or similar server can usually be acquired by a hostile third party who keeps it untill either,

A, They get a copy of the password.
B, The potential for Quantum Computing arises.

But there is more to it, with passwords stored in a file even though encrypted the chances are a user has a mixture of password strengths and once one is found the others are easier to find (especially if the encryption is not properly implemented).

Thus any password strategy needs to take these issues into account.

Also all communications encryption these days should be via a hybrid of strong pre-quantum and strong post-quantum crypto.

All file encryption should use the strongest encryption with the largest bit size that is secure, because Quantum Computing effectively halves the number of bits of key size of conventional encryption.

One mitigation is not to use “passwords” but other forms of “root of trust, shared secret” where proof of knowledge systems can be used where the “shared secret” gets checked by “zero knowledge encryption” etc but never put out over the wire.

Such systems can be built into “Hardware Security Modules”(HSMs) that can be built using “smart cards” in devices small enough to slide into a wallet.

But apparently these are not considered worth designing, building, and putting on the market…

nessuno February 23, 2026 9:48 AM

“Wish there was a product that was as secure as PasswordSafe but simple enough for my grandparents to safely use.”

There is: pen and paper, stored within a safe with a mechanical lock.

TTS February 23, 2026 10:36 AM

@TimH
Also, don’t store your secrets on somebody else’s computer, no matter what assurances they give.

Amen.

On another hand, will the entire login ecosystem be soon broken?

https://www.securityweek.com/nists-quantum-breakthrough-single-photons-produced-on-a-chip/

Quantum computers will upend current cryptology by using Shor’s algorithm to rapidly negate the current public/private key secure encryption methods. This has largely been solved by NIST’s post quantum cryptology (PQC) algorithms.
NIST has developed Superconducting Nanowire Single-Photon Detectors (SNSPDs) which would allow single photons to be reliably sent and received over longer distances – up to 600 miles.

The second big advance is that NIST can do this on a single chip, which means such chips could be in mass production by the end of next year. Traditionally, NIST develops standards and industry rapidly adopts them. While the QKD market is likely to be relatively small (limited to areas that require very strong security), separate applications will quickly follow.

M Haden February 23, 2026 12:34 PM

How do you handle or recommend people document passwords in a way that people can access things once you pass from this realm?

Steve February 23, 2026 1:10 PM

@M Haden: How do you handle or recommend people document passwords in a way that people can access things once you pass from this realm?

I can’t speak for others but I have written instructions with current password and key to my own password manager (I use Password Gorilla, a Linux application that stores passwords locally[1]).

I guess I’ll see when I croak how well this works.

[1] My rule: If you power cord is not within arm’s reach, the computer is not to be trusted.

Wanderer February 23, 2026 1:45 PM

@Chris Becke A lot of the inconveniences in Password Safe are intrinsic to the extra security. You cannot have a vault that is both local, and constantly auto-synced across devices, for instance.

If you want to at least avoid one of the big issues brought up, 1password uses a second secret (2SKD). It comes with all the conveniences, except recovery, obviously. It’s not perfect, but it’s very good for digitally illiterate folks.

Rontea February 23, 2026 4:12 PM

Ah, the classic password paradox. On the one hand, security advice sternly warns: if your password is written down, it might as well be considered compromised. On the other hand, the same experts wag their fingers and say: if your password can be memorized, it’s probably too easy to guess. I recommend using a password manager!

Martin February 23, 2026 4:59 PM

I’ve used Password Safe for many, many years. It an excellent program that is updated on a regular basis, very reliable and secure. Thank you Bruce. And, thank you Rony Shapiro.

David February 23, 2026 7:55 PM

I personally like Oculock.. a new offline password and data manager that allows you to let people “transfer” useful things like your Wifi Password via QR code.

Steven Griffin February 23, 2026 8:42 PM

I use one of the major password safe vendors and I am aware of all the issues discussed here. However, I am not as concerned about Quantum Computing attacks or accidental backdoor/hacks as many of you are here.

The reason is that I use, as Bruce commonly points out, a defense-in-depth and risk analysis approach. User accounts that are high-risk are stored in the safe but ALSO have an MFA enabled that is not associated with the password safe software (YubiKey or other OTP app). User accounts that are medium risk I put in the safe only if I can safely mitigate the risk if compromised. Low risk accounts I just accept the security of the safe itself. If medium or low risk accounts are compromised, I’ll do what I can to recover but I won’t cry if they are lost/unrecoverable. Of course, if I can enable MFA anywhere I will do it but not every site supports it.

High risk: financial institutions, primary e-mail, shopping, and the like. I won’t create an account if MFA doesn’t exists on high risk sites.

Medium risk: credit card info (only liable for $50 USD), secondary e-mail, public utility and other standalone sites

Low risk would be social media, throwaway accounts, etc…

Clive Robinson February 24, 2026 2:15 AM

@ M Haden,

“How do you handle or recommend people document passwords in a way that people can access things once you pass from this realm?”

This is the last step of choice in a long chain of choices.

You first have to decide many things like what you want to be seen and what you don’t.

Some one once joked,

“Who do you want to leave your Pron Stash to -v- your will, and autobiography?”

Often when you get down to it a simple envelope inside an envelope inside an ordinary safe covers the last will and testament and other legal / financial papers or can be left in the care of a lawyer with instructions.

Because these things actually rarely change, and they also need to be handled correctly when you do “leave this realm” otherwise all sorts of things can go wrong, there is an old saying,

“Life is not about death and taxes…”

With the rider of,

“But if you have things of value then people will want them, and argue and fight over them, the rest goes to the garbage heap.”

So the first step is getting a very clear picture of what you are going to do with your possessions to what end, why and when as well as the character of those who might decide to change your wishes[1].

Only having got that sorted do you then move on to how do you ensure the right people get the right things and nobody gets the wrong things.

Stuff “on line” should be minimal and “subject to copyright” which as the IP goes on after your demise for upto around 75years might if you are an author or similar be important[2].

Only when you have a clear picture in your mind of what you want to happen to Who and When, can you move forward to the next stages of planning it out and putting it into practice with “fail safes”.

But consider a notebook or laptop computer in your fire proof safe with encrypted hard drives as being “volatile storage” and a separate written instructions like the will etc as “non volatile” storage. And for goodness sake ensure you do “off site backups” for both.

Key storage can be done via “M of N Shares”[3] encryption of the “master key” to your wallet, so that no one but you can access the volatile storage alone as you know “the master secret”.

The “pachyderms in the room” are the Software industry and legislation/regulation.

They are forcing people to not develop software that lasts more than a year or two at the most as part of their “business plan” to move every one from “owning to renting” as well as taking a massive slice out of software developers up front. For instance you do not own your “mobile phone” any more “for your own safety”… That is where all computers are currently heading be it the hardware or software and Governments want “back doors in everything”. So coming up with a software programme to do “secret sharing” or any kind of encryption is a very real issue.

Also “Don’t use Flash Memory” for storage, it’s now getting to the point where even a year of not being powered up causes the data to fade out… As for much more reliable floppy drives, when did you actually get one of those on a new computer?

All of this and more you have to think about well ahead of putting a plan into action.

[1] Remember things can go wrong when setting up trusts etc. In the UK for instance they changed trust laws so that children would get to benefit at the wrong age (whilst still teenagers). For the simple purpose of “putting wealth into the economy”. As I know from experience getting your inheritance when young makes you do things you regret in later life for reasons that may be beyond your control when young.

Also those you might chose as “guardians” for your own children etc might unexpectedly die before you. Again another issue I’ve had to deal with.

[2] Sir Terry Pratchett added his wife as co-author of his books for the copyright reason and set up a trust/foundation to manage the future of “Discworld” and other of his IP. He also left elaborate “data destruction requirements” for the storage in his writing computer. All of this takes forward planning and making sure people know well in advance the what and why of it.

[3] You can read up on the details of M of N or “Shamir’s Secret Sharing”(SSS),

https://en.wikipedia.org/wiki/Shamir%27s_secret_sharing

But the method might make your brain hurt for a while… So to put it more simply it is generally known that some geometric shapes such as a circle have a hard limit on what information is needed to make them. For instance the radius and it’s start and end point of a circle can be found from the circumference but you need a minimum of three arbitrary points on the circle to define it. Thus you could hand out five point on the circle to different people, knowing that a minimum of three of them are needed to find the radius length and center of the circle. The same idea applies to objects in higher dimensions.

Clive Robinson February 24, 2026 3:31 AM

@ TTS, ALL,

With regards,

“NIST has developed Superconducting Nanowire Single-Photon Detectors (SNSPDs) which would allow single photons to be reliably sent and received over longer distances – up to 600 miles.”

So what?

It does not solve the two real problems which are,

1, Secure switching.
2, Secure repeating.

Without which efficient networks can not be formed.

Ever wonder why you only find “monorail” trains in places like airports?

Because nobody has solved “the points problem”… It’s also one of the reasons actual engineers had a good laugh over Hellon Rusk and his “hyperloop” idea of “cars running in vacuum tunnels”…

As Vaclav Smil has observed just over a year ago in “The MIT Press Reader”, some what sarcastically on just the most obvious of the problems,

“[I]t would seem prudent to advise the cognoscenti of rapid travel who are waiting for the fifth mode of transportation coming to their cities to watch their diet and exercise in order to remain in good health and achieve a long lifetime.”

https://thereader.mitpress.mit.edu/the-hyperloop-a-200-year-history-of-hype-and-failure/

The same applies to those who think QKD in fiber is going to solve secure communications (it’s not). These “obvious problems” are very real and are in the macro world quite representative of some of the problems of the quantum world of optical fiber and single photons. And that’s before people realise that the two problems of “Secure repeaters and switches” are going to remain unsolved for either a vary long time, inordinate cost, or most likely both.

Ian Stewart February 24, 2026 3:36 AM

I wonder how long it will be before the current United Kingdom government passes a law saying all password manager data has to be available to the authorities. They tried it with iCloud and are now considering age-verification for VPNs.

Monorailer February 24, 2026 5:16 AM

Because nobody has solved “the points problem”…

BS. Most monorail systems do have points (switches).

The real reason is the cost of building them.

Chris February 24, 2026 6:27 AM

“Password Safe”

Great concept, terrible accessibility. No font scaling and zero high-contrast support makes this nearly impossible to use for many. It really needs a UI overhaul to be inclusive.

frank February 24, 2026 10:12 AM

On ” MFA enabled”, Bitwarden lets users generate MFA codes for accounts. So maybe there is a need to remove any MFA code set ups within online password services and or add a separate MFA code app or yubikey to accounts on these password services?

Clive Robinson February 24, 2026 10:24 AM

@ Rontea, ALL,

With regards,

“Ah, the classic password paradox.”

Is not really a “paradox” the solution is “get rid of passwords”.

The problem then becomes,

“Replace passwords with what?”

Which is why after something like 75years of knowing they are “bad news” we are still stuck with passwords…

One big issue InfoSec people don’t want to talk about is why “multifactor” is such a bad idea as well.

Because of the three talked about,

1, Something you have (token).
2, Something you are (biometrics).
3, Something you know (memory).

They are all fairly useless due to being physically “compelled” by authorities.

The Police are allowed to use “what ever force required” to get you to use the first two, and any threats they like for the third including endless jail without trial (see contempt legislation/regulation).

Which is why quite a few years ago there were discussions on this blog about how to “provably not know but use a password equivalent”

Various things were discussed but they all kind of revolved around having people “out of jurisdiction” using “M of N” key sharing via a public key comms system with hidden time syncing.

I realised that whilst that would work for “business travelers abroad” it was not practical for individuals or loved ones or if you were picked up in your home country.

There is a solution to this which is to extend the third factor with geo and time constraints.

That is,

4, A place you know.
5, At a time you know.

The problem now is that due to the E2EE battle various people realised they were going to loose, so have decided the way to go is “client side scanning” in the OS.

That is anything you say or do get sent back to the “mother ship” of Apple, Google, or Microsoft where an NSL or equivalent is all that is required regardless of what you who thinks you own the device –but nolonger do– want…

Dan March 1, 2026 4:51 PM

I’m going to be “that guy”: From the OP
“This is where I plug my own Password Safe. It isn’t as full-featured as the others and it doesn’t use the cloud at all …”.

Well, in real life I need my vault sync’ed between my Mac and my iPhone.
I looked at the pwSafe app for Mac, and it uses iCloud to sync across devices! WTF?

I’m currently using 1Password7, the last version that allows local vaults. I know I’m living on borrowed time and need to move to something else, and I thought I’d found the answer, till I hit this incredible shock.

iPW7 syncs between my Mac and iPhone with a local WiFi process, never leaving my local network. What is the difference in this regard between iPW8 that uses Agilent’s cloud, and this, that uses Apple’s? What’s the point?

some sysadmin March 9, 2026 2:55 PM

Different tools for different use-cases. My org self-hosts a vaultwarden instance with account recovery auto-enabled. If our admin accounts were to be compromised, it’d be game over for the whole org. (well, provided our SIEM also failed at alerting us that multiple vault recoveries were taking place in a short amount of time)

As a sysadmin responsible for a 300-ish users network I simply cannot afford to have a password manager that does not have central management and most importantly an account recovery feature in case of forgotten passwords.

Our initial rollout was KeepassXC on test users (30 people) and a fourth of them forgot the master password within 2 weeks. At this point I’m either taking a central vault with potential backdoors or I’m ok with letting users store their passwords in a plain text .docx.

In private though KeepassXC all the way.

Leave a comment

Blog moderation policy

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.