Recent academic research from ETH Zurich has generated headlines suggesting that several major password managers, including Bitwarden, LastPass and Dashlane, may be “less secure than promised.” This has understandably raised concerns among users and businesses who rely on these tools.
The research does not demonstrate that password managers are fundamentally broken or that encryption standards such as AES-256 have failed. Instead, it identifies weaknesses in specific implementation scenarios, particularly involving complex server interactions and recovery mechanisms under advanced threat models.
In practical terms, password managers remain significantly safer than the most common alternative in yachting: password reuse.
The study examined the architecture of several cloud-based password managers and identified potential weaknesses if a malicious server or highly capable attacker were able to manipulate certain protocol flows.
As with all mature security software, vulnerabilities can exist at the implementation level even when strong cryptography is used correctly at the core.
It is important to compare realistic risk scenarios.
When the same password is used across multiple services, a breach of any single website can lead to credential stuffing attacks across email, banking, SaaS platforms, and social accounts. This is one of the most common and successful attack paths globally.
With a password manager, each account has a long, random, unique password. If one service is breached, the damage is contained to that single platform. To compromise the entire vault, an attacker would need the master password and, in many cases, would also have to get past multi-factor authentication.
From a risk perspective, password reuse is far more dangerous and is routinely exploited at scale. Breaking properly implemented modern encryption is not.
(This doesn't just apply at work; the same goes for how you organise your home life too!)
Research like this can shape perceptions, especially among users already uncomfortable with storing credentials in a single place. However, security research identifying weaknesses is a normal and healthy part of the ecosystem. It drives remediation and strengthens products over time.
The takeaway is not to avoid or abandon password managers, but to use them properly and select vendors that demonstrate transparency and ongoing security investment.
Headlines may suggest password managers are unsafe. The evidence does not support that conclusion.
When compared with the real-world risk of password reuse, password managers remain among the most effective tools for reducing cyber risk onboard.
Link to ETH Zurich research: https://ethz.ch/en/news-and-events/eth-news/news/2026/02/password-managers-less-secure-than-promised.html
Welcome to our weekly cyber briefing for superyacht crew, where I share some of the major developments, lessons learned and helpful guides to help you improve onboard cybersecurity.
About us: Anchorpoint is on a mission to cyber secure the superyacht industry. Learn more about Anchorpoint here: https://trustanchorpoint.com/