If Password Managers Aren’t Perfect, Are They Still Worth It?
This week’s W’one Win Wednesday (WWW): Stop reusing the same passwords - next time you use one, change it and store it safely (preferably in a password manager).
Recent academic research from ETH Zurich has generated headlines suggesting that several major password managers, including Bitwarden, LastPass and Dashlane, may be “less secure than promised.” This has understandably raised concerns among users and businesses who rely on these tools.
The research does not demonstrate that password managers are fundamentally broken or that encryption standards such as AES-256 have failed. Instead, it identifies weaknesses in specific implementation scenarios, particularly involving complex server interactions and recovery mechanisms under advanced threat models.
In practical terms, password managers remain significantly safer than the most common alternative in yachting: password reuse.
What the Research Found
The study examined the architecture of several cloud-based password managers and identified potential weaknesses if a malicious server or highly capable attacker were able to manipulate certain protocol flows.
Importantly:
- The encryption algorithms themselves were not broken.
- Vaults were not stored in plaintext.
- The findings relate to advanced architectural edge cases, not everyday usage.
As with all mature security software, vulnerabilities can exist at the implementation level even when strong cryptography is used correctly at the core.
Risk Comparison: Password Manager vs Password Reuse
It is important to compare realistic risk scenarios.
Password Reuse:
When the same password is used across multiple services, a breach of any single website can lead to credential stuffing attacks across email, banking, SaaS platforms, and social accounts. This is one of the most common and successful attack paths globally.
Password Manager with Unique Passwords:
Each account has a long, random, unique password. If one service is breached, the damage is contained to that single platform. To compromise the entire vault, an attacker would need the master password and often multi-factor authentication.
From a risk perspective, password reuse is far more dangerous and is routinely exploited at scale. Breaking properly implemented modern encryption is not.
(This doesn't just apply at work; the same goes for how you organise your home life too!)
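The containment argument above can be checked against your own vault rather than taken on trust. The following audit script is an added example, not part of the original briefing: it reads a password-manager CSV export (assumed to have `name`, `username` and `password` columns, as most managers produce), reports which accounts share a password, and shows how many accounts a single site breach would expose. The sample rows are constructed, not real credentials.

```python
"""Audit a password-manager export for reuse and estimate blast radius.

Added example (not part of the original briefing). Assumes a CSV export
with 'name', 'username', 'password' columns; the sample rows below are
constructed, not real credentials.
"""
import csv
import hashlib
import io
from collections import defaultdict

# Constructed sample export: two accounts share one password.
SAMPLE_EXPORT = """name,username,password
Crew email,chief@example.test,Summer2024!
Ship bank portal,captain@example.test,Summer2024!
Chart supplier,nav@example.test,x9#Lq2!vR8mT^bWz
Weather service,nav@example.test,Kd7$pN4&wQ1!zH3r
"""


def _fingerprint(password: str) -> str:
    # Hash so the report never echoes the password itself.
    return hashlib.sha256(password.encode()).hexdigest()[:12]


def find_reuse(export_text: str) -> dict:
    """Map each reused password fingerprint to the account names sharing it."""
    groups = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_text)):
        if row.get("password"):
            groups[_fingerprint(row["password"])].append(row["name"])
    return {fp: names for fp, names in groups.items() if len(names) > 1}


def blast_radius(export_text: str, breached_account: str) -> list:
    """Accounts exposed if breached_account's password leaks: the breached
    account plus every other account that uses the same password."""
    rows = list(csv.DictReader(io.StringIO(export_text)))
    leaked = {_fingerprint(r["password"]) for r in rows if r["name"] == breached_account}
    return sorted(r["name"] for r in rows if _fingerprint(r["password"]) in leaked)


if __name__ == "__main__":
    for fp, names in find_reuse(SAMPLE_EXPORT).items():
        print(f"password {fp}... reused by: {', '.join(names)}")
    print("breach of 'Crew email' exposes:", blast_radius(SAMPLE_EXPORT, "Crew email"))
```

With unique passwords every blast radius is exactly one account; any larger result is a reuse cluster to fix first.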
Does This Undermine Trust in Password Managers and Should You Still Use Them?
Research like this can shape perceptions, especially among users already uncomfortable with storing credentials in a single place. However, security research identifying weaknesses is a normal and healthy part of the ecosystem. It drives remediation and strengthens products over time.
The takeaway is not to avoid or abandon password managers, but to use them properly and select vendors that demonstrate transparency and ongoing security investment.
Suggestions:
- Use a reputable password manager with transparent security practices
- Enable multi-factor authentication (MFA) on the vault
- Use a strong, unique master password (for yacht password managers, it is often best to keep a written copy of the master password in the ship's safe, to which access is generally limited to the Captain)
- Protect email accounts with MFA
- Avoid password reuse under any circumstances
Headlines may suggest password managers are unsafe. The evidence does not support that conclusion.
When compared with the real-world risk of password reuse, password managers remain among the most effective tools for reducing cyber risk onboard.
Link to ETH Zurich research: https://ethz.ch/en/news-and-events/eth-news/news/2026/02/password-managers-less-secure-than-promised.html#:~:text=The%20team%20conducted%20a%20study,LastPass%20and%206%20on%20Dashlane
Welcome to our weekly cyber briefing for superyacht crew, where I share some of the major developments, lessons learned and helpful guides to help you improve onboard cybersecurity. Make sure to follow my LinkedIn page and Anchorpoint's LinkedIn page to receive updates on the future of superyacht cybersecurity!
To receive these and other curated updates to your inbox on a regular basis, please sign up for our email by clicking here.
About us: Anchorpoint is on a mission to cyber secure the superyacht industry. Learn more about Anchorpoint here: https://trustanchorpoint.com/
