Security Now Episode 1066: Password Leakage – Zero Trust, Zero Knowledge
Hosts: Steve Gibson & Leo Laporte
Date: February 25, 2026
Episode Overview
In this wide-ranging episode, Steve Gibson and Leo Laporte cover the latest in cybersecurity news and provide a deep dive into password manager vulnerabilities, legislative attempts to control 3D printing, and alarming data leaks. Steve discusses a recent ETH Zurich study evaluating the security claims of major password managers (Bitwarden, LastPass, Dashlane), sharing practical takeaways and why the "zero knowledge" promise is so hard to keep. The episode also explores dubious state efforts to regulate 3D-printed firearms, mass Social Security number exposures, AI and password safety, cloud certificate upheaval, and much more. Throughout, the hosts maintain their trusted, analytical—yet approachable—tone, peppered with personable anecdotes and memorable moments.
Main Theme:
Are cloud-based password managers truly "zero knowledge"? Steve breaks down new research, the surprising intricacies, and what users can learn from real-world password leakage incidents.
Highlights and Key Discussion Points
Upcoming Special Episodes and Housekeeping
- [01:21] Steve and Leo announce a scheduling note: upcoming episodes will be released in quick succession due to travel for Zero Trust World.
- Special: Steve’s Zero Trust World presentation will be released as its own podcast.
- “The real threat these days is coming from inside the building.”—Leo [02:15]
- Steve promises to share documentation about his recent code-signing experience for the benefit of listeners.
Certificate Authority Turbulence
- [15:11] Steve explains – with recognizable exasperation – the chaos surrounding shortening certificate lifetimes, specifically how certificate validation is being decoupled from issuance.
- Notable quote:
“So you know, don't just go thinking that all you need to do is push a button to issue yourself a certificate. Oh no, your button has been disabled.” —Steve [17:58]
- Practical takeaway: Automation and regular domain re-validation will soon become unavoidable due to decreasing certificate life spans (eventually down to 47 days by 2029).
- Steve recommends planning ahead and considers Let’s Encrypt’s approach “much cleaner and simpler.”
Legislative Futility: 3D Printing Gun Regulation
- [26:00] Steve and Leo examine recent state proposals (California, Washington, New York) to mandate “firearm-blocking technology” in 3D printers.
- Highlights from Adafruit & Michael Weinberg:
- It is not technically feasible for 3D printers to analyze files and determine if a gun is being printed.
- 3D printers lack both the hardware and software sophistication, and the open-source nature makes any restriction trivial to bypass.
- “Just as we do not require the phone company to monitor every phone call... we should be wary of requiring our 3D printers to monitor every print.” —via Michael Weinberg [44:00]
- Steve’s verdict:
“The large and growing degree to which modern technology appears to be outpacing legislators' ability to understand what they can and cannot have. They cannot have a practical law, no matter how much they want one.” [45:09]
- Timestamp: Segment runs from [26:00]–[51:14]
Mass Data Leaks: Social Security Numbers & Ransomware
- [58:24] Incident summaries:
- Figure Technologies breach: Nearly 1 million customer records released after refusing Shiny Hunters’ ransom.
- Notable moment: “A limited number of files.” “Who cares how many files escaped?” —Steve [60:35]
- 2.7 billion Social Security numbers? UpGuard finds a massive, messy database of SSNs—mostly duplicates from old breaches. Steve reiterates: “All of our data is loose. It’s out there… The best advice is to keep [your credit] frozen.” [74:24]
- Practical tip: Freeze your credit to mitigate identity theft [74:24]
AI, Password Generation & ClickFix Attacks
- AI and Password Safety:
- “Never ask an LLM for a password.” —Steve [90:48]
- LLM-generated passwords are dangerously predictable and often recycled.
- “The LLM is quite likely to give the same password to others because this is not what they’re for.” —Steve [90:48]
- Notable Moment: Leo demonstrates asking Claude AI to fetch a password from GRC’s Passwords page—the only safe way to let an AI help! [97:02]
- ClickFix Exploit:
- Over half of malware loader activity in 2025 came from this single attack: fake CAPTCHA prompts tricking users to paste malicious commands into the Windows Run dialog.
- “It is so powerful and potent, and I could see so many people falling for it...” —Steve [98:27–105:05]
- Practical warning: Educate users. “Please warn your friends to be careful.”
Listener Questions & Practical Security Tips
- DNS Benchmark False Positives [108:53]:
- A listener mistakes GRC DNS Benchmark’s random queries as suspicious—Steve clarifies the benign cause and uses it to educate about DNS benchmarking.
- “If you do not own and have run GRC’s DNS benchmark, then I would agree, that is definitely a cause for concern.” [121:32]
- Default Configuration Security:
- Redis database’s exposed defaults caused data spills; a simple change to loopback-only (local) access dramatically improved safety. “Limit access to the loopback interface. Very nice.” [121:44]
- TTL as a Security Tool:
- Steve shares the underutilized potential of packet TTL (time-to-live) as a means to limit the reachability of servers, though it’s rarely exposed as an app-level control. [121:44–129:52]
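The Redis point above is a configuration problem, so here is a small audit script that flags the exposed-default pattern and accepts the loopback-only fix. This is an added example, not code from the show or from Redis; the two sample configurations are constructed, and the `requirepass` value is an obvious placeholder. The directives it checks (`bind`, `protected-mode`, `requirepass`) are real redis.conf settings.

```python
"""Audit a redis.conf for the exposed-default pattern described in the episode."""

# Constructed sample configs (not taken from any real deployment).
EXPOSED_CONF = """
# out-of-the-box style: reachable from any interface, no authentication
bind 0.0.0.0
protected-mode no
port 6379
"""

HARDENED_CONF = """
bind 127.0.0.1 -::1
protected-mode yes
port 6379
requirepass REPLACE-WITH-REAL-SECRET
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
WILDCARD = {"*", "0.0.0.0", "::"}


def parse_conf(text: str) -> dict:
    """Map directive -> value; the last occurrence wins, as in Redis itself."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf[key.lower()] = value.strip()
    return conf


def audit(text: str) -> list:
    """Return a list of findings; an empty list means loopback-only with a password set."""
    conf = parse_conf(text)
    findings = []

    bind = conf.get("bind")
    if bind is None:
        findings.append("no 'bind' directive: Redis listens on every interface")
    else:
        for addr in bind.split():
            addr = addr.lstrip("-")  # a leading '-' means "don't fail if this address is absent"
            if addr in WILDCARD:
                findings.append(f"bind {addr}: listens on every interface")
            elif addr not in LOOPBACK:
                findings.append(f"bind {addr}: reachable from a non-loopback address")

    # protected-mode defaults to yes; turning it off removes the safety net that
    # refuses external clients when no password has been configured.
    if conf.get("protected-mode", "yes").lower() == "no":
        findings.append("protected-mode no: external clients are no longer refused automatically")

    if "requirepass" not in conf:
        findings.append("no 'requirepass': clients connect without a password unless ACLs are configured")

    return findings


if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or "OK")
```

Run it against a real redis.conf by reading the file into `audit()`; the hardened sample is the "limit access to the loopback interface" change Steve praised, plus a password so that local processes still have to authenticate.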
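The TTL idea is described only at the level of a concept in the segment, so the following added example (mine, not Steve's code or any tool he mentioned) shows one way to apply it: a receiver infers how many routers a packet has crossed from its remaining TTL and refuses traffic that has travelled more than a policy-defined number of hops, while the sender side caps its own outgoing TTL so replies die after a few hops. The standardized relative of this is GTSM (RFC 5082), which requires adjacent peers to arrive with TTL 255. The sample packets are constructed, and the initial-TTL table is the usual set of OS defaults; because a sender can pick any initial TTL, this is a reachability limiter, not authentication.

```python
"""Hop-count policy derived from an IPv4 packet's remaining TTL (added example)."""
import socket
from dataclasses import dataclass

# Common initial TTLs: 64 (Linux, macOS, BSD), 128 (Windows), 255 (many network devices).
COMMON_INITIAL_TTLS = (64, 128, 255)


def infer_initial_ttl(observed: int) -> int:
    """Pick the smallest common initial TTL that is >= the observed value.
    Heuristic only: a sender may choose any initial TTL."""
    if not 0 < observed <= 255:
        raise ValueError("TTL must be in 1..255")
    for ttl in COMMON_INITIAL_TTLS:
        if observed <= ttl:
            return ttl
    return 255  # not reached: observed <= 255 always matches the last entry


def hops(observed: int) -> int:
    """Estimated number of routers the packet has crossed."""
    return infer_initial_ttl(observed) - observed


@dataclass
class Packet:
    src: str
    ttl: int


def accept(pkt: Packet, max_hops: int) -> bool:
    """Policy: only traffic from within max_hops routers is admitted."""
    return hops(pkt.ttl) <= max_hops


def filter_sources(pkts, max_hops: int) -> list:
    return [p.src for p in pkts if accept(p, max_hops)]


def limit_outbound_hops(sock: socket.socket, max_hops: int) -> None:
    """Sender side: cap the TTL on everything this socket emits so replies cannot
    be routed further than max_hops routers away (IP_TTL is a standard option)."""
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_TTL, max_hops)


# Constructed sample traffic (addresses from documentation ranges).
SAMPLE_PACKETS = [
    Packet("10.0.0.5", 63),        # 1 hop from a 64 default
    Packet("192.0.2.44", 52),      # 12 hops from a 64 default
    Packet("198.51.100.9", 116),   # 12 hops from a 128 default
    Packet("203.0.113.7", 255),    # 0 hops: directly adjacent (GTSM-style)
]

if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(f"{p.src:14} ttl={p.ttl:3} hops~{hops(p.ttl):2} admit(2)={accept(p, 2)}")
```

`filter_sources(SAMPLE_PACKETS, 2)` keeps only the adjacent and one-hop sources; the same hop estimate is what a firewall TTL match would use, and the inbound and outbound halves are independent, so either can be deployed alone.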
Deep Dive: ETH Zurich’s Password Manager Security Study
[133:33 and 139:54]
Research Focus:
Can leading cloud-based password managers—specifically Bitwarden, LastPass, and Dashlane—truly deliver “zero knowledge,” i.e., security even if the server is fully malicious?
Main Findings
- Researchers found:
  - 12 attacks on Bitwarden
  - 7 on LastPass
  - 6 on Dashlane
- Many attacks required complex, theoretical server-side compromise, but some design anti-patterns and cryptographic misconceptions posed real threats.
- “The majority of the attacks allow recovery of passwords, the very thing that a password manager is meant to protect.” —Researchers citing the study [141:01]
- Key Categories of Problems:
  - Flaws in key escrow/account recovery
  - Insufficient vault integrity/cryptographic binding
  - Sharing features and backwards compatibility
  - LastPass notably lacked ciphertext integrity checks for years.
- Why isn’t this easy?
  - Steve explains: User demands (account recovery, sharing, cross-device use, friendly features) add unavoidable layers of complexity—“complexity is the enemy of security.”
  - Theoretical TNO/PiE security is perfect but utterly unforgiving—“if you forget your password, you’re S.O.L.”
- Current Status & Recommendations:
  - All mentioned flaws have been disclosed, and vendors are patching.
  - Using third-party password managers like Bitwarden (open source, regularly audited) is still safest for most users.
  - Notable quote: “The safest security solution is the one that’s been heavily challenged and audited by the industry’s top security researchers. So I feel more confident than ever with my choice of Bitwarden.” —Steve [154:20]
  - Practical Note: The study surveyed only those products with at least partially open client code, allowing thorough audit.
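Two of the problem categories above, vault integrity and cryptographic binding, come down to one design rule: a client must be able to detect that its storage server changed or shuffled its encrypted data. The following added example (mine, not code from the ETH Zurich study, the show, or any of the three vendors) contrasts confidentiality-only encryption with encrypt-then-MAC, and binds a context string into the tag so an intact entry cannot be moved to a different slot. The stream cipher is a labelled toy built from HMAC-SHA256 so that the demo runs on the standard library alone; a real vault should use an AEAD such as AES-GCM or XChaCha20-Poly1305, where the same guarantees come built in. The master secret, entry and context strings are constructed.

```python
"""Why a vault needs ciphertext integrity and context binding (added example)."""
import hashlib
import hmac
import secrets
from typing import Optional

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """TOY keystream: HMAC-SHA256(key, nonce || counter) blocks. Demo only."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def derive_keys(master: bytes) -> tuple:
    """Domain-separated encryption and MAC keys from one master secret."""
    enc = hmac.new(master, b"vault-encryption", hashlib.sha256).digest()
    mac = hmac.new(master, b"vault-integrity", hashlib.sha256).digest()
    return enc, mac


def encrypt_unauthenticated(master: bytes, plaintext: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Confidentiality only: nonce || ciphertext. Nothing detects a server edit."""
    enc, _ = derive_keys(master)
    nonce = nonce or secrets.token_bytes(NONCE_LEN)
    return nonce + _xor(plaintext, _keystream(enc, nonce, len(plaintext)))


def decrypt_unauthenticated(master: bytes, blob: bytes) -> bytes:
    enc, _ = derive_keys(master)
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return _xor(ct, _keystream(enc, nonce, len(ct)))


def encrypt_authenticated(master: bytes, plaintext: bytes, context: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Encrypt-then-MAC. `context` (e.g. account id + field path) is bound into the
    tag, so an entry moved to a different slot no longer verifies."""
    _, mac = derive_keys(master)
    body = encrypt_unauthenticated(master, plaintext, nonce)
    tag = hmac.new(mac, context + body, hashlib.sha256).digest()
    return body + tag


def decrypt_authenticated(master: bytes, blob: bytes, context: bytes) -> bytes:
    """Verify the tag in constant time before decrypting anything."""
    _, mac = derive_keys(master)
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac, context + body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("vault entry failed integrity check")
    return decrypt_unauthenticated(master, body)


def storage_server_edit(blob: bytes, index: int) -> bytes:
    """Models the study's threat model: a storage server that alters stored bytes."""
    edited = bytearray(blob)
    edited[index] ^= 0x01
    return bytes(edited)


def demo(master: bytes = b"constructed-master-secret") -> tuple:
    """Returns (edit_unnoticed_without_mac, edit_detected_with_mac, wrong_context_detected)."""
    entry = b"login:example.com:correct-horse"   # constructed vault entry
    ctx = b"user-42/logins/example.com"          # constructed binding context

    # 1. Without a MAC the client decrypts the altered entry and has no way to tell.
    blob = encrypt_unauthenticated(master, entry)
    unnoticed = decrypt_unauthenticated(master, storage_server_edit(blob, NONCE_LEN)) != entry

    # 2. With encrypt-then-MAC the same one-bit edit is rejected before decryption.
    blob2 = encrypt_authenticated(master, entry, ctx)
    try:
        decrypt_authenticated(master, storage_server_edit(blob2, NONCE_LEN), ctx)
        detected = False
    except ValueError:
        detected = True

    # 3. An unmodified entry presented under another slot's context is rejected too.
    try:
        decrypt_authenticated(master, blob2, b"user-42/logins/other.com")
        wrong_ctx = False
    except ValueError:
        wrong_ctx = True
    return unnoticed, detected, wrong_ctx


if __name__ == "__main__":
    print(demo())  # (True, True, True)
```

Case 1 is the situation described for LastPass: decryption "succeeds" on data the server changed. Cases 2 and 3 are what the study's "zero knowledge" bar actually requires of a client, since the server is assumed hostile and the only thing it cannot do is forge a tag under a key it never had.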
User Advice
- Should you worry?
- No—if you use Bitwarden, LastPass, or Dashlane, the situation is BETTER than before thanks to this audit and fixes.
- “There’s not cause for concern. In fact, this is cause for celebration. This is a useful piece of a better result that all of the three—I hope all the three companies will act on and improve.” —Leo [160:54]
- Anything users should do?
- Nothing special—keep your password manager updated.
- No local setting (Argon2, iteration count, self-hosting) would meaningfully protect against these now-patched server-side issues.
- Open-source advantage:
- Bitwarden’s transparency and fast adoption of stronger key derivation are emphasized.
- “This is one of the advantages of being an open source project, is you welcome this kind of stuff and you have other eyes looking at the security...” —Leo [53:08]
Other Notable Segments
- Apple adding cameras to wearable devices & AI AirPods? [78:32]
- Firefox drops Windows 7/8 support; version 148 introduces ‘Disable all AI’ switch. [81:15]
- Russia briefly blocked the Linux kernel site—oops! [81:55]
- U.S. plans 'freedom.gov' portal to show Europeans content censored by their own governments—a Radio Free Europe for the digital age. [83:53]
- Listener letters: From evaluating AI coding agent workflows to the importance of default-secure application configuration.
Most Memorable Quotes
- “Never ask an LLM for a password.” —Steve [90:48]
- “This is so nuts that I’m not going to spend much time on it...” —Steve, on LLM password generation [91:37]
- “If you have truly trusted no one else with anything, then... S.O.L.” —Steve, on the perfect but unforgiving security models [133:33–137:48]
- “They’re implementing their server-side infrastructure knowing they weren’t the bad guys... What if somebody else did?” —Steve, on software developers’ mindsets [158:03]
- “The world’s just sort of like, okay, they got breached and now they’re being ransomed and blah, blah, blah.” —Steve, on breach fatigue [61:22]
- “The LLM is quite likely to give the same password to others because this is not what they’re for.” —Steve [90:48]
Timestamps of Important Segments
- Certificate authority changes & automation: [15:10–26:00]
- 3D printer & legislative analysis: [26:00–51:14]
- Shiny Hunters & mass SSN breach: [58:24–74:24]
- AI password generation & ClickFix attack: [90:01–105:05]
- Listener feedback (DNS Benchmark, Redis, TTL): [108:53–129:52]
- Password manager study deep dive: [133:33–162:18]
Final Recommendations
- Keep your password manager updated — recent research means Bitwarden, LastPass, and Dashlane are now more secure than ever.
- Do not use AI tools directly to generate passwords; use trusted password manager generators or Steve’s GRC passwords page.
- Educate users and non-technical friends/family about modern attack vectors like ClickFix.
- Embrace open-source, well-audited tools where possible.
For more information:
- Transcript, show notes, links, and utilities available at grc.com
Next episode: Special Zero Trust World event, then regular episodes resume.
Security Now delivers sharp commentary and practical advice—making complex security concepts accessible and relevant, every week.