Many people use password managers because most users have between 100 and 200 passwords and cannot remember them all. Cloud-based managers let users reach their passwords from different devices and share them with family members. Security is critical because these services store sensitive data, including online banking and credit card logins, in encrypted vaults.
Researchers from the Applied Cryptography Group at ETH Zurich studied three popular cloud-based password managers. They set up servers that acted like hacked servers and tested a malicious server threat model. The team demonstrated several attacks that could let an attacker see or change users' passwords. The attacks often used simple actions users normally perform, such as logging in, opening the vault, viewing passwords, or synchronising data.
The researchers followed responsible disclosure and contacted providers before publishing, and they gave the companies 90 days to fix the vulnerabilities. Recommendations include updating systems, offering migration choices for existing customers, and being transparent. Users should prefer managers that undergo external audits and have end-to-end encryption enabled by default.
Difficult words
- password manager (password managers) — A tool that stores many login details.
- cloud-based — A service that runs on internet servers.
- encrypt (encrypted) — To change data so others cannot read.
- vault (vaults) — A secure place to keep digital passwords.
- vulnerability (vulnerabilities) — A weakness that attackers could use.
- synchronise (synchronising) — To make the same data on different devices.
Discussion questions
- Do you use a password manager? Why or why not?
- What would make you trust a cloud-based password manager?
- How many passwords do you have, and how do you remember them?