Should you still trust your password manager?

In this episode, Greg explores the gap between password manager marketing claims of “Zero Knowledge Encryption” and the reality uncovered by Swiss researchers who found 25 attacks against Bitwarden, LastPass, and Dashlane. Professor Kenny Patterson joins Greg to discuss why the industry’s “honest-but-curious” security model is dangerously inadequate compared to a “malicious server” threat model, diving into three critical vulnerability categories: account recovery mechanisms that allow attackers to swap encryption keys, seemingly innocent features like icon fetching that leak passwords, and “vault malleability” where individual item encryption lets attackers cut-and-paste data between vault fields. They also discuss how legacy code support and backwards compatibility create cryptographic hazards, and what non-negotiable features are needed to build a truly “provably secure” password manager from scratch. In our reporter chat, Greg talks to Matt Kapko about China’s new version of Brickstorm.