Can You Trust Your Password Manager? | Feb 24-Mar 2

Your password manager might be able to read your vault, and that's just the start of this week's privacy wake-up calls.


On Our Radar 🎯

Your Password Manager Might Not Be as Trustless as You Think

We put an immense amount of trust in password managers. The #1 selling point is zero-knowledge: the company can't see your passwords – only you can. But new research pulls back the curtain on how that promise holds up in practice. The answer: not as well as advertised.

Researchers analyzed several major password managers (LastPass, Dashlane, and Bitwarden) and found the "zero-knowledge" claim is more marketing than cryptographic guarantee. The issue isn't that these companies are malicious — it's that architectural decisions made for convenience (like account recovery, password sharing, and legacy compatibility) expand the attack surface. Every service tested had meaningful vulnerabilities. What differed was severity and company response.

This matters because password managers are high-value targets. If someone can breach a provider and the architecture isn't truly zero-knowledge, your entire digital life is exposed in one sweep — particularly when features like account recovery or vault sharing are enabled.
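To make the trust boundary concrete, here is an added toy model (not code from the research or from any vendor) of the two vault designs contrasted above: a strict design where the server only ever holds a salt and ciphertext, and a hypothetical "account recovery" design where the vault key is also escrowed under a key the provider keeps server-side. The cipher, the escrow scheme and SERVER_RECOVERY_KEY are constructed for illustration; the point is what a full server-database breach yields in each case.

```python
import hashlib
import hmac
import os
import secrets

# Constructed sample: a key the hypothetical provider keeps server-side to power "account recovery".
SERVER_RECOVERY_KEY = bytes.fromhex("00" * 31 + "01")


def derive_key(master_password: str, salt: bytes) -> bytes:
    """Client-side KDF: the only place the master password is ever used (iterations kept low for the demo)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, 200_000, dklen=32)


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy stream of HMAC-SHA256 counter blocks, a stdlib stand-in for AES-GCM (not for production use).
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest() for i in range(n // 32 + 1)]
    return b"".join(blocks)[:n]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, "sha256").digest()  # integrity tag over nonce and ciphertext
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered ciphertext")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def client_upload(master_password: str, vault: bytes, enable_recovery: bool = False) -> dict:
    """Everything the client hands to the server. Strict zero-knowledge: salt plus ciphertext only.
    With recovery enabled, the vault key is additionally escrowed under the server-held key."""
    salt = os.urandom(16)
    vault_key = derive_key(master_password, salt)
    record = {"salt": salt, "vault": encrypt(vault_key, vault)}
    if enable_recovery:
        record["recovery_escrow"] = encrypt(SERVER_RECOVERY_KEY, vault_key)
    return record


def user_open(master_password: str, record: dict) -> bytes:
    return decrypt(derive_key(master_password, record["salt"]), record["vault"])


def server_breach_can_read(record: dict):
    """What a party holding the whole server database (including SERVER_RECOVERY_KEY) can decrypt.
    Returns the vault bytes if readable without the master password, otherwise None."""
    if "recovery_escrow" not in record:
        return None
    return decrypt(decrypt(SERVER_RECOVERY_KEY, record["recovery_escrow"]), record["vault"])
```

With recovery off, the breached database is useless without the master password; with it on, the same breach reads the vault outright, which is why the features a provider enables matter as much as the encryption it advertises.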

This research doesn't mean you should stop using a password manager. It means you should know what you're actually trusting them with, and which features might be better left disabled. KeePass-style local vaults remain the gold standard for removing the need for trust altogether. However, not everyone wants to (or should) use an offline password manager, and a cloud-based solution is still far better than reusing weak passwords. For reference, Bitwarden's audit is publicly available, while 1Password (briefly mentioned in the research) proactively documented their own limitations before being studied.

What you can do: Check whether your password manager has published an audit that specifically validates its "zero-knowledge" architecture. If it hasn't, or if you're using a closed-source service with no verifiable claims, take that into account. Make sure you're always running the latest version. Also look at how each company responds to these types of incidents. Are they dismissive? Responsive? Transparent? If they won't take genuine responsibility in public, there's a good chance they won't do it in private, either.


Bits & Bytes 🤖

~ Google's Android Developer Verification Plan Threatens the Open App Ecosystem

Google announced last year that all Android apps must be tied to a verified developer account, including those distributed outside the Play Store. F-Droid and the broader open-source Android ecosystem have sounded the alarm, and Techlore was a signatory on the Keep Android Open letter pushing back.

Our take: This is a slow squeeze on sideloading and open distribution dressed up as safety. If verified identities become a hard requirement, anonymous and pseudonymous developers — the backbone of privacy-focused FOSS tools — get pushed out. Watch this one carefully.

~ Apple Rolls Out Age Verification Tools Worldwide

Apple quietly launched a global age verification system this week to help app developers comply with a growing patchwork of child safety laws. They are also now blocking downloads of 18+ apps in Australia, Brazil, and Singapore until users confirm their age.

Our take: Age verification sounds reasonable until you think about the data trail it creates. Apple's approach is arguably one of the more privacy-conscious implementations possible — sharing an age range rather than identity details, like birthdays. But the real concern isn't Apple's implementation; it's the legislative pressure underneath it.

~ Android Mental Health Apps with 14.7 Million Installs Are Full of Security Flaws

Researchers analyzed ten Android mental health apps with a combined 14.7 million downloads and found 1,575 security vulnerabilities across them.

Our take: Mental health data is uniquely exploitable. The combination of sensitive content, a trusting user base, and apparently lax security practices is a serious problem. Since the app names aren't public yet, the best thing you can do is check when your mental health app(s) last received an update. If it's been sitting untouched for over a year, that's something to think about.


This Week on Techlore 📺

This week's Surveillance Report dives deep into the password manager research, Google's plans to close off Android, Apple's age verification expansion, and a massive Defense Bulletin packed with breaches and critical service updates:

Password Manager Vaults Aren’t Private, Google Threatens Open Android, & Apple’s Global Age Verification | SR257

On Techlore Talks, we had JP Schmetz, founder of Brave Search and CEO of Ghostery, to discuss making trackers visible and reinventing the open web with AI:

Ghostery CEO Explains How Ad Blockers Work, Why They Break, and the Future of Private Search

The widely-circulated narrative that Google already backed down from forcing developer registration is false. They didn't:

Google Is Closing Android. 37 Orgs Are Fighting Back.
Almost 40 organizations, including Techlore, published an open letter to Google opposing Android Developer Verification – a program that would require all developers to register with Google before distributing apps on Android. The widely-circulated narrative that Google already backed down from this is false. They didn’t, and that misunderstanding may be

Action Item ✅

Take 10 minutes to look up whether your password manager has published a third-party cryptographic audit. Search "[your password manager] zero-knowledge audit" and see what comes up. If you can't find a clear, verifiable answer — that's your answer.


Quick Note 📝

It's been a hot minute since the last issue of Digital Rights Digest, so we really appreciate the patience as we get our new workflows locked in. Next week Henry & I will be together in person to film Go Incognito V2, but after that trip, we should have the bandwidth to be more consistent. Stay tuned!

Know Your Rights. Protect Your Freedom.

Digital Rights Digest—threats to your freedom and how to fight back. A five-minute weekly read, 100% free.