Most Password Managers leak in plaintext

It is not the first time I hear about these types of leaks, but I thought they were patched and a thing of the past.
Proton Pass was not tested; probably it hadn’t been released yet at the time of the study.

It needs a compromised system to exploit though.


If you decrypt something, it should eventually spit out something human readable. For it to be actually useful, it has to be passed ultimately as a plain text to render on a screen or be put in the clipboard for pasting. IIRC, doing any of those actions will cause it to “leak” in plaintext, because how else is it going to pass those into system memory or cache?


I thought the same but the article is too technical for my understanding, maybe I’m missing something.

I was having trouble reading it as well.

Here is the study.

“Results for standalone PMs. Master and entry cleartext password leaks are given in white and light-gray background, respectively (✓: password leak, ✗: no password leak). The vendor preceded with a star (⋆) requested to remain undisclosed until the vulnerability has been patched.”

While it’s an interesting look into this, I’m not sure why anyone would expect their password manager to not be compromised if they are using it on a malware-infected device.


Well, no one expects that, but if you don’t care about vulnerabilities, that’s when you get exploited.

Not just malware, also forensics. An ideal password manager wouldn’t be leaking any of those, unless of course it is actually open.

Sure, but that wasn’t what I was suggesting. Of course vulnerabilities should be addressed, but context is important: if your threat model is malware on your system or someone gaining physical access to your device to run digital forensics on it, then you should be running a different PM setup.

I’d be interested to see responses from the PM companies to give insight into why these “leaks” are allowed. And of course threat modeling should always be considered with something like this: if your model is someone gaining physical access to your device and dumping your system memory to extract your passwords, you have to run a different PM setup to account for that.


Sure, but the study is about PM leaks, not system compromise.

Partially. They specifically mention in the article that your system needs to be compromised for this to be an issue. I hope that the PM companies take this and fix any issues; as you mentioned, vulnerabilities aren’t great either way. I’m just trying to put some context around why and how this would be important to someone that doesn’t fully grasp the study or is newer to privacy and security, rather than just saying that PM tools leak passwords.

Because not all malware is the same. With additional protections, a PM might survive that particular malware. This is how the publications often sell separate PMs beyond the browser’s password manager too: that it is safer because it will survive some malware that the browser’s wouldn’t.

Yeah, I think this is what this study shows. It makes it clear which password managers might survive this scenario. The PM companies already know their own general weaknesses in this regard; fixing them just isn’t a priority for them. This kind of study and press coverage might change that.

I am a user of Bitwarden, but I don’t claim to know the company’s viewpoint. By watching the Bitwarden subreddit and comments from the company’s employees/developers, they consider malware to be the user’s responsibility. The general trend is, if you get malware on your system, you can consider yourself royally screwed. The protections that they put in, that are effective against some malware, are often “industry standard” or receive press coverage.

BW and the technical users know that the vault’s information is unencrypted in memory unless in a “locked” or “logged-out” state, so some info in this study isn’t surprising.
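An added illustration of the point made in the two posts above (decrypted entries must exist as plaintext in memory while the vault is open, so what matters is whether locking actually wipes them). This is example code written for this thread, not Bitwarden’s or any other vendor’s implementation; the vault struct, the entry values and the scan over the struct’s own bytes are constructed for the demonstration and do not inspect real process memory.

```c
#include <stdio.h>
#include <string.h>

#define MAX_ENTRIES 4
#define ENTRY_LEN 64

/* Hypothetical in-memory vault: decrypted entries live here while unlocked. */
typedef struct {
    char cleartext[MAX_ENTRIES][ENTRY_LEN];
    int unlocked;
} vault_t;

/* Zeroise through a volatile pointer so the compiler cannot drop the wipe
 * as a "dead store" (the classic pitfall with a plain memset before free). */
static void secure_wipe(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) *vp++ = 0;
}

/* Simulated unlock: copy "decrypted" entries into the vault buffer. */
void vault_unlock(vault_t *v, const char *const *entries, int count) {
    for (int i = 0; i < count && i < MAX_ENTRIES; i++) {
        strncpy(v->cleartext[i], entries[i], ENTRY_LEN - 1);
        v->cleartext[i][ENTRY_LEN - 1] = '\0';
    }
    v->unlocked = 1;
}

/* Leaky lock: only flips the state flag; cleartext stays resident. */
void vault_lock_leaky(vault_t *v) { v->unlocked = 0; }

/* Wiping lock: flips the flag and destroys the decrypted entries. */
void vault_lock_wiping(vault_t *v) {
    secure_wipe(v->cleartext, sizeof v->cleartext);
    v->unlocked = 0;
}

/* Check (over this struct's bytes only) whether a secret is still resident.
 * Returns 1 if found, 0 otherwise. */
int memory_contains(const vault_t *v, const char *secret) {
    const unsigned char *mem = (const unsigned char *)v;
    size_t len = strlen(secret);
    for (size_t i = 0; i + len <= sizeof *v; i++)
        if (memcmp(mem + i, secret, len) == 0) return 1;
    return 0;
}

int main(void) {
    vault_t v; memset(&v, 0, sizeof v);
    const char *entries[] = { "constructed-entry-pw-1" };   /* constructed sample */
    vault_unlock(&v, entries, 1);
    vault_lock_leaky(&v);
    printf("leaky lock, still resident: %d\n", memory_contains(&v, entries[0]));
    vault_lock_wiping(&v);
    printf("wiping lock, still resident: %d\n", memory_contains(&v, entries[0]));
    return 0;
}
```

The same distinction applies to the master password and derived keys, and a real implementation also has to account for copies left in the clipboard, UI widgets and swapped pages, which this toy struct does not model.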

Yep, agreed to all of your points.

I think the thing with this study is that they are presenting the data like this is a new discovery, when it’s probably a well-known thing that, as you pointed out, isn’t a priority for the companies to address. A bit of FUD being pushed with the study, if you ask me.


Actually, built-in password managers are safer against malicious sites trying to mess with the extension and steal data. Password Managers.


It is rather annoying that browsers don’t have a standard autofill API the same way iOS/Android does :roll_eyes:

Edit: except Safari which handles this correctly, but then you’d have to use Safari lol


Not sure how Safari works. I use Brave and Firefox, both with the built-in PM, and they auto-fill forms.

For third-party password managers

Is this a ploy to make me transfer to Proton Pass? :laughing: I need it to work offline in Linux first, without an internet connection.