On the Security of Password Managers

Published: February 23, 2026 at 07:03 AM EST
2 min read

Source: Schneier on Security

Overview

A recent article reports on research showing that password managers marketed on the claim that the provider “cannot see your vaults” may nonetheless contain hidden backdoors. The research focuses on how certain features (account recovery, vault sharing, and group organization) can undermine the promised security.

Research Findings

  • Targets Analyzed: Bitwarden, Dashlane, and LastPass.
  • Methodology: Researchers reverse‑engineered or closely examined each service.
  • Key Vulnerabilities:
    1. Server‑Side Control – An attacker with administrative access, or one who compromises the server, can steal data and in some cases exfiltrate entire vaults.
    2. Encryption Weakening – Specific attacks can degrade encryption strength enough that ciphertext can be transformed into readable plaintext.

Implications

  • The presence of account recovery mechanisms creates a vector for attackers to bypass encryption.
  • Vault sharing and group management features introduce additional attack surfaces that can be exploited by malicious insiders or external adversaries.
  • Users should be aware that “zero‑knowledge” claims may not hold when these advanced features are enabled.
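An abstract model of the first and third implications, added here as an illustration (it is not the research's code and not the real design of any of the named products): a vault key derived only on the client stays unreadable to a compromised server, but once a server‑held recovery key escrows that vault key, a server‑side reader can decrypt the vault without the master password. The `_keystream`/`encrypt`/`decrypt` helpers are a constructed toy HMAC‑based cipher standing in for a real AEAD, and the escrow design is an assumed weak pattern, not a description of any product.

```python
"""Toy model (constructed; not any product's real design) of why a server-side
account-recovery feature breaks a "zero-knowledge" guarantee."""
import hashlib
import hmac
import os


def derive_vault_key(master_password: str, salt: bytes) -> bytes:
    # Client-side key derivation: the server never sees the master password.
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, 100_000)


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode as a stand-in for a real AEAD (toy only).
    out = b""
    for i in range((n + 31) // 32):
        out += hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
    return out[:n]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, "sha256").digest()   # encrypt-then-MAC
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def upload_vault(master_password: str, plaintext: bytes, recovery_enabled: bool) -> dict:
    """Everything the server ends up storing. With recovery on, the vault key is
    escrowed under a key the server itself holds (the assumed weak design)."""
    salt = os.urandom(16)
    vault_key = derive_vault_key(master_password, salt)
    state = {"salt": salt, "vault": encrypt(vault_key, plaintext)}
    if recovery_enabled:
        recovery_key = os.urandom(32)            # kept server-side for "forgot password"
        state["recovery_key"] = recovery_key
        state["escrowed_vault_key"] = encrypt(recovery_key, vault_key)
    return state


def server_side_read(state: dict):
    """Model of an insider or compromised server: can it read the vault
    without the master password? Returns plaintext if so, else None."""
    if "recovery_key" not in state:
        return None                              # only ciphertext and a salt: zero-knowledge holds
    vault_key = decrypt(state["recovery_key"], state["escrowed_vault_key"])
    return decrypt(vault_key, state["vault"])
```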

Recommendation

For those seeking a more straightforward, cloud‑free solution, consider Password Safe. While it lacks many of the advanced features of commercial managers, it offers:

  • Pure encryption with no recovery features.
  • Local storage only, eliminating server‑side attack vectors.

Note: Password Safe is not as feature‑rich as Bitwarden, Dashlane, or LastPass, but its simplicity can provide stronger guarantees against the vulnerabilities identified in the research.
