Tag: passwords

If you can’t come up with a secure password by yourself — and don’t use a password manager for that task (which most should) — then you may have come up with the idea of asking AI to give you a hand in generating secure passwords.

Cybersecurity firm Irregular published research on how that turned out for them during tests, and the result is anything but pretty.

When it asked large language models such as Claude, Gemini or GPT to generate secure passwords, it found “predictable patterns in password characters, repeated passwords, and passwords that are much weaker than they seem”.

While individual 16 character passwords looked strong, the researchers soon discovered that generating passwords multiple times would reveal the weaknesses of the approach.

Take Claude Opus 4.6 for example. When asked to generate 50 passwords, the researchers discovered several noticeable patterns:

• Of the 50 passwords, only 30 were unique. One password was repeated 18 times.
• All passwords started with a latter, usually uppercase G,, almost always followed by the digit 7.
• Character choice was very uneven, with some appearing in nearly all passwords and others rarely.
• No repeating passwords in any of the generated passwords.

ChatGPT did not fare much better. It created passwords with strong similarities. Most passwords started with the uppercase letter V, almost half continued with an uppercase Q.

Passwords generated by Gemini showed clear patterns as well. Almost half the passwords started with uppercase K or lowercase k,, usually followed by one of the characters #,, P or 9.

All AIs tested generated predictable passwords, which make it easier for attackers to brute force them. The researchers conclude that “people and coding agents shouild not rely on LLMs to generate passwords”.

Passwords generated through direct LLM output are fundamentally weak, and this is unfixable by prompting or temperature adjustments: LLMs are optimized to produce predictable, plausible outputs, which is incompatible with secure password generation.

Conclusion

Most computer users may want to stick to password managers as the go-to apps when it comes to generating strong passwords. There are free and paid solutions, local and cloud-based, something for every use case out there.

For years, Bitwarden held the undisputed title of the tech world’s best password manager bargain, offering top-tier password security for just $10 a year. But that era officially ended today.

In a major strategic shift, the open-source company announced an immediate price increase that sees its individual Premium plan rise to $1.65 per month—effectively doubling the annual cost—while the Families plan climbs to $3.99 per month.

Here is the old and new price comparison.

	Old Price	New Price
Basic	Free	Free
Premium	$1 per month $10 per year	$1.65 per month $19.80 per year
Family	$40 per year	$3.99 per month $47.88 per year

• The free basic plan remains as is.
• Premium nearly doubles to $20 per year.
• Family increases by about $8 per year.

The company argues the hike is necessary to fund a transition from passive storage to “proactive” defense, rolling out new features like real-time vault health alerts, expanded encrypted storage, and an upcoming phishing blocker designed to stop attacks before they happen.

Here is an overview of the new security features that Bitwarden announced:

Real-Time Vault Health & Coaching

The new feature automates the security process of checking for weak or exposed passwords.

• In-Vault Alerts: Bitwarden shows a risk-icon next to vault items if a password is weak, reused, or was found in a breach.
• Password Coaching: The moment a user logs in a site with a weak or compromised password, Bitwarden will prompt them to change it and guide them through the process.

Phishing Blocker

Upgrades defenses against phishing attacks.

• Proactive Blocking: Bitwarden will attempt to discern legitimate from phishing websites in order to block the latter before filling any credentials.
• Protection Layer: Aims to stop credential theft before it happens.

Expanded Encrypted Storage

Bitwarden Premium and Family plan customers get five times more storage space under the updated plans. This gives each user five gigabytes of secure file storage space, which they may use to store digital copies of passports, backup codes, wills, and other sensitive documents or files.

Advanced Two-Step Login options

Here, users get two expansions to existing support:

• More Hardware Keys: Users may register up to ten hardware keys, e.g., a Yubikey, with Bitwarden. This doubles the old limit of five hardware keys.
• Passkey Support: Improved support for the password-less authentication standard.

Closing Words

Ultimately, this update signals Bitwarden’s growth from a budget-friendly utility into a comprehensive security suite.

While a 100% price jump may sting long-time loyalists, the new ~$20 annual cost remains nearly half the price of top-tier competitors like 1Password and Dashlane.

Bitwarden is softening the blow with a one-time 25% renewal discount for existing users, but the company is clearly betting that active phishing defense and expanded storage are worth the premium. The days of the $10 vault are gone; users must now decide if they are ready to pay double for a smarter, more protective Bitwarden, or if the service’s robust free tier is effectively all the security they need

Good news for everyone who is using the password manager KeePass. A new update is now available that fixes two minor security issues in the client. These have come to light during a code analysis that was sponsored and run by the German Federal Office for Information Security and MGM Security Partners.

The new is good, because no medium, high, or critical issues were discovered during the audit. Note that the audit focused on the actual KeePass application and not third-party forks or plugins.

Also good to know:

Should you save passwords in a browser?

The full report will be published on this (German) website later on. Previous reports have been in German, and it is likely that the KeePass report will also be available in German only.

KeePass users may want to upgrade the password manager to the new version as soon as possible. The two discovered security issues have a low severity rating.

The official release notes go through the findings and provide notes on the discovered issues. It is unfortunately difficult to understand at this point as the report is not quoted.

Closing Words

The results of the code audit should instill confidence in the password manager. I’m keeping an eye on the download page of the report to read it once it is published.

Which password manager do you use? Is it KeePass or something else? Leave a comment down below to let us all know!

All modern web browsers include password management functionality. It makes sense on first glance to integrate the functionality; most users sign-in to services on the Internet regularly.

One of the main advantages of password managers in browsers is convenience. The browser recognizes new logins and prompts users to save the information. Similarly, it proposes to sign-in using saved data whenever a website is found in the password manager’s database.

It is handy and that is the reason why it is widely used.

Disadvantages exist as well:

• Functionality is limited to a specific browser – Synchronization support may extend the reach, but it is still a limiting factor.
• Automatic login functionality is limited to a browser – It cannot be used to sign-in to apps and other services that are not opened in the browser.
• Protective features are limited — Usually to the device password or Pin.

Limited functionality

When you save a password in a browser, it is stored by it in a database on the local device.

If synchronization is enabled, the database will be synced across all devices on which the browser is installed and synchronization is enabled.

Still, it is limited to that browser. If you use multiple browsers, then you won’t be able to use the functionality there as well, unless you use import features.

The saving of passwords and automatic logins are also limited to the browser. If you need to log in to an application on the device, then you need to do so manually by copying the username and password from the browser’s password manager.

Security is limited

Security and protective features are another. Depending on the password manager, passwords may not be saved with a password. Some browsers support setting a primary password to protect the password database, but in many cases, it is not enabled by default.

Anyone with access to the PC may get access to the stored passwords of browsers. While that requires the account password for the PC in question, it may open up a can of worms in some cases.

The browser may prompt for a password or a pin when the password manager is opened and entries are inspected there. However, there is no such protection when visiting saved websites. Browsers like Chrome will fill out the passwords on the sites and sign-in users automatically.

It is even possible to show passwords in plain text by manipulating the HTML code of the website. This is not a problem if the account password is strong and you never leave the PC unattended.

Synchronization is convenient, but it moves the password database into the cloud. It is encrypted, but it adds another attack vector that would not exist if the database would be stored locally only.

How dedicated password managers compare

Here are the main differences:

• A password is required to create a new password database — This means that it is protected by the device password and also the password the user selects during creation.
• Additional protective features are available — This may include two-factor authentication for extra protection, customizing security features, such as the number of iterations.
• Password managers run system-wide — You can use them to sign into apps or other services on the device, independent of any browser or program.
• Self-hosting may be supported — Instead of relying on a server by a company, you can self-host the cloud space.
• Open source and audits — Many browsers are not open source. Good password managers are audited regularly.

Some of the features depend on the password manager. My recommendation goes to Bitwarden and KeePass. There are numerous others that you can try.

Granted, password managers are not perfect. They cannot help you if you need to sign-in to a service on your Smart TV, but neither can browser password managers.

Closing Words

Using a password manager is highly recommended. If you use a browser password manager, make sure you configure extra security features, if needed. This may include setting up a primary password, enabling operating system protections, or using a strong device password or pin.

Standalone password managers offer more functionality. Good ones offer better security right away, more customization options, and a lot more that browser password managers do not support.

To answer the question of this article: a dedicated password manager is better in many regards, but it is still better using a browser password manager than none at all.

What about you? Do you use a password manager? If so, what is the program that you use currently and why?

Password service Dashlane announced restrictions for free account users this week that limit passwords to 25. Starting November 7, 2023, all Dashlane Free users are restricted to 25 passwords instead of unlimited passwords, the previous limit.

Those with more than 25 passwords keep access to them but they face the same restrictions in regards to adding new passwords. In short: once the 25 passwords limit is reached or crossed, new passwords can only be added if enough old passwords are deleted. Dashlane will also limit support access to paying customers.

The company explains that it made the decision to “focus resources on providing the highest level of service, support, and security”. This is marketing speak.

Dashlane Free remains a product, which means that it requires development resources. Limiting passwords won’t change that. This leaves pushing Free users to paid plans by artificially worsening the experience for many of them as a plausible reason.

Restricting passwords is not right

Dashlane Free users could and can store as many passwords as they want using the password manager. This won’t change until November 7, 2023.

The new artificial limit puts many Free users in a precarious position. Those with more than 25 stored passwords can’t continue using the service, as new passwords need to be stored eventually. They have just a few options:

• Delete passwords regularly to stay under the 25 passwords limit.
• Upgrade to a paid account and give in to Dashlane’s pressuring.
• Migrate to another password manager.

The first option is only feasible for users who don’t have many passwords in Dashlane. Upgrading is the quickest option to deal with the issue, but it also means paying for the password manager.

Migration is another option. Dashlane supports exporting all passwords to CSV files, which most password managers can import.

Password storage is a core feature of every password manager. Restricting the feature limits the password manager significantly. With the artificial limit in place, what is keeping Dashlane from introducing another restriction in the future that limits password storage even further or ends Dashlane Free altogether?

A short term boost to subscriptions

Dashlane will likely notice a short term boost to subscriptions. As users hit the new limit in November, part of the affected group will sign-up for a paid account, especially since a discount is offered.

Others will migrate to a different password manager. Plenty are also free and most do not limit password storage.

My recommendation is Bitwarden. It is open source, does not restrict passwords and is considered one of the best password managers out there. If you don’t need cloud syncing, you could also check out KeePass, another excellent password manager.

Dashlane sign-ups will slow down after the change lands. Users who look for a password manager may not pick the one that is limiting a core feature of a password manager. Less Free signups will also lead to less free to paid upgrades, as fewer users may choose that path. This will impact revenue.

Closing Words

Dashlane could have selected a different path. It could make old user accounts grandfathered accounts. This would have allowed existing free users to continue using the password service as well, at least in regards to passwords storage. This, on the other hand, would not have pushed sales as much, as only new users would be subject to the passwords limit.

It remains to be seen if Dashlane is going to reverse the limit eventually. This is not totally out of the question.