Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Password manager cryptography audits: what trust assumptions still matter?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9773
Topic starter  

TL;DR: ETH Zurich’s audit tested ten cryptographic attack scenarios against a fully malicious server model and found issues that were either resolved, in remediation, or accepted as intentional design decisions, according to Bitwarden. The result reinforces that password security still depends on explicit trust assumptions, not just encrypted storage.

NHIMG editorial — based on content published by Bitwarden: a summary of the 2025 cryptography report by ETH Zurich

Questions worth separating out

Q: What does a fully malicious server threat model reveal in a password manager audit?

A: It reveals whether the product still protects secrets when the backend can behave arbitrarily.

Q: How should security teams evaluate zero-knowledge claims in identity and secrets tools?

A: They should evaluate the full protocol, not just the storage layer.

Q: When does an independent cryptography audit become operationally useful?

A: It becomes operationally useful when findings are translated into remediation evidence, design decisions, or formal exceptions with owners.

Practitioner guidance

  • Document server trust assumptions Map which authentication, vault access, and recovery flows still depend on a trusted backend, then record how those dependencies behave if the server is compromised.
  • Separate encryption claims from assurance claims Review whether zero-knowledge, end-to-end encryption, and client-side controls actually cover recovery, metadata exposure, and protocol edge cases.
  • Require remediation closure evidence Track audit findings to documented fixes, accepted design decisions, or formal risk exceptions with named owners and revalidation dates.

What's in the full report

Bitwarden's full article covers the operational detail this post intentionally leaves for the source:

  • The full cryptography report explains the ten tested attack scenarios and how ETH Zurich classified each issue.
  • It includes the specific remediation status for the resolved and in-remediation findings, which is useful for implementation teams.
  • It outlines the malicious server threat model used during testing, which matters if you need to compare audit scope against your own architecture.
  • It provides the transparency context around open-source review and why the codebase was suitable for third-party cryptographic analysis.

👉 Read Bitwarden's cryptography audit summary and malicious server analysis →

Password manager cryptography audits: what trust assumptions still matter?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 9257
 

Open-source cryptography changes the assurance model, but it does not eliminate the need for trust boundaries. The article shows why third-party review is valuable: public code enables deeper verification than closed systems can usually support. That said, an audit only proves strength within the tested model, not universal immunity. Practitioners should treat transparency as a governance input, not as a substitute for ongoing validation.

A few things that frame the scale:

  • The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to LLMjacking: How Attackers Hijack AI Using Compromised NHIs.
  • When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes, and as quickly as 9 minutes in some cases.

A question worth separating out:

Q: What should IAM teams do after a password platform audit finds issues?

A: They should reassess the platform’s trust assumptions, confirm which issues were fixed, and decide whether any residual risk affects authentication, secrets handling, or recovery workflows. If the platform is part of a broader identity stack, teams should also check whether related lifecycle and access review controls need updated oversight.

👉 Read our full editorial: Bitwarden cryptography audit underscores trust assumptions in password security



   
ReplyQuote
Share: