Do password managers really not protect from info/password stealers?

John1307 · December 22, 2025, 7:43pm

Hi,

I know this topic might probably not fit this community or is even violating against Bitwarden’s Community Guidelines and Rules but I as a non-tech / IT guy want to know if it is true that password managers do not protect against info/password stealers?

Reddit post:

Do password managers actually protect from password stealers?

I got bitwarden installed on my PC (on chrome) and on my phone. lets say I got a password stealer somehow. would my accounts be safe then?

And all the comments say the same thing, that they do not protect again info/password stealers.

From what I know from my very small knowledge: Password Managers make it harder for info/password stealers to steal login credentials than the browser in-built password managers.

Neuron5569 · December 22, 2025, 8:43pm

I think ultimately, the reason why the general answer to this question is no, it doesn’t protect against malware, is because it’s outside the design parameters of password managers. All efforts made to resist malware are best effort, meaning they work against some malware but not others. On a Windows system, because any user-space software can read the memory of another, malware can be designed to dump the plaintext memory of Bitwarden when it’s unlocked; it would obviously work if it doesn’t get shut down by the AV software running on the system.

That said, since I started using Bitwarden, I have tried reading all the technical publications on infostealers attacking Bitwarden specifically. Usually, these infostealers are said to exfiltrate the encrypted vaults (see examples in Kaspersky’s report on Stealka stealer and Bitdefender’s report on Raccoon stealer).

Some of those don’t mention keyloggers, RATs, or persistent loaders (which install additional malware/keyloggers), so it’s not apparent that they have the master password. Based on this, the most vulnerable Bitwarden configurations would be those set to NEVER lock (and never requiring the master password) and perhaps those locked by a weak PIN that doesn’t require the master password on restart.

Ultimately, if malware gets onto your system, the question would be whether the malware is capable of exfiltrating your vault’s plaintext information, given the Bitwarden configuration you have. Sometimes, you may not be able to determine this (such as if there were signs that you were infected but it’s not obvious with what and what capabilities it may have, given the lack of technical details). If there are signs of vault compromise (while in fact other things may have been compromised), the safe response is to assume total vault compromise and act accordingly.

The best cybersecurity measure regarding the infostealer threat is to ensure it doesn’t get onto your system in the first place. If you can’t be sure (due to supply chain attacks, trusted software turning bad, or trusted software being taken over), then implement additional layered defenses that, while being best efforts and not guaranteed to work against all attacks, would frustrate the attackers further.

PS:

Third-party password managers are usually automatically safer since infostealers, by definition, steal from browsers’ password managers but often not from third-party managers.
For software, the best-protected software is the one that requires authentication on startup and stores data encrypted. The harder the authentication (complex password, etc.), the more difficult it is to steal the information. Software that requires no authentication (like browser password managers) is usually “easy” to steal from using available tools.

Quexten · December 23, 2025, 1:36am

All efforts made to resist malware are best effort, meaning they work against some malware but not others. On a Windows system, because any user-space software can read the memory of another, malware can be designed to dump the plaintext memory of Bitwarden when it’s unlocked; it would obviously work if it doesn’t get shut down by the AV software running on the system.

I want to add some additional notes here. While it is true that user-space malware is out of scope for the desktop app’s threat model, and efforts here are best-effort, not guarantees, the desktop app on all platforms now since recently has hardening against memory access. Note: The locked desktop app is within scope for hardening against userspace compromise, so Biometrics especially requires hardening, since it loads a key into memory after the first time a user unlocks, that has to stay in memory, even while locked.

On Windows, the in-memory biometric unlock key is encrypted via DPAPI, which in-memory encrypts using a key held in the kernel, bound to the process. Further, Debugger access to the application is prevented using DACL.

On Linux, if you are on Ubuntu, then kernel.yama.ptrace_scope already protects you from user-space dumping. If not, then the desktop app uses PR_SET_DUMPABLE to prevent ptrace access (and thus memory dumping), and also moves biometric unlock keys either to keyctl or uses memfd_secret, both of which prevent memory dumping.

On Mac, the system already prevents debugger access, and memory dumping (but production apps still use PT_DENY_ATTACH)

If you are interested here are some links to the changes:

github.com/bitwarden/clients

[BEEEP | PM-25358] Add process isolation on windows and mac desktop main process

main ← km/beeep/windows-mac-anti-memory-dump

opened 10:44PM - 25 Aug 25 UTC

quexten

+101 -27

## 🎟️ Tracking https://bitwarden.atlassian.net/browse/PM-25358 ## 📔 Object…ive Uses the[ secmem-proc ](https://docs.rs/secmem-proc/latest/secmem_proc/)crate to isolate the `main` process on electron, that holds secrets such as the biometric unlock client-keyhalf, or SSH private keys for the SSH agent. This prevents user-space processes from dumping the main process memory to gain these keys to circumvent security measures. Specifically: https://github.com/bitwarden/clients/blob/81531eec69fb4557cbb25887a1017d1fb60c90e3/apps/desktop/desktop_native/core/src/process_isolation/mod.rs#L5-L12 To fix this, process isolation methods are added when the app does not run as dev that prevent debugger / memory dump access. In dev, these isolations are not enabled. On Windows, DACL is used to restrict access to the process. On mac ptrace is prevented via `PT_DENY_ATTACH`. Linux is was already previously added by using a call to prctl to set [PR_SET_DUMPABLE](https://man7.org/linux/man-pages/man2/pr_set_dumpable.2const.html) directly, without the secmem-proc crate, even though the secmem-proc crate also provides the same call for the Linux implementation. I have verified only the Windows behavior. On Windows, electron's main process can no longer be dumped using `procdump.exe`. Note: Renderer / GPU processes are still left open by this. An approach like https://github.com/bitwarden/clients/pull/16136 may be applicable to them as follow-up work. Note on the attacker model: In this case, the attacker model assumes that the app is running and locked. While in this state, the user device is compromised. ## 📸 Screenshots ## ⏰ Reminders before review - Contributor guidelines followed - All formatters and local linters executed and passed - Written new unit and / or integration tests where applicable - Protected functional changes with optionality (feature flags) - Used internationalization (i18n) for all UI strings - CI builds passed - Communicated to DevOps any deployment requirements - Updated any necessary documentation (Confluence, contributing docs) or informed the documentation team ## 🦮 Reviewer guidelines - 👍 (`:+1:`) or similar for great changes - 📝 (`:memo:`) or ℹ️ (`:information_source:`) for notes or general info - ❓ (`:question:`) for questions - 🤔 (`:thinking:`) or 💭 (`:thought_balloon:`) for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion - 🎨 (`:art:`) for suggestions / improvements - ❌ (`:x:`) or ⚠️ (`:warning:`) for more significant problems or concerns needing attention - 🌱 (`:seedling:`) or ♻️ (`:recycle:`) for future improvements or indications of technical debt - ⛏ (`:pick:`) for minor or nitpick changes

github.com/bitwarden/clients

[BEEEP|PM-25164] Prevent memory dumping on renderer on Linux

main ← km/beeep/isolate-memory-renderer

opened 12:20AM - 23 Aug 25 UTC

quexten

+178 -5

## 🎟️ Tracking https://bitwarden.atlassian.net/browse/PM-25164 ## 📔 Objectiv…e This PR prevents all memory dumping, debugger access, environment variable snooping for all electron processes on Bitwarden desktop on Linux (except snap). On Linux, userspace programs can read memory of other processes running under the same user. This can be prevented with [prctl PR_SET_DUMPABLE](https://man7.org/linux/man-pages/man2/pr_set_dumpable.2const.html). We already do this for the main process in desktop_native (https://github.com/bitwarden/clients/pull/9393), but this call only affects the current process, and we can only call it in `main`. We cannot call this in renderer / GPU, leaving these processes open currently. A workaround is injecting code into the electron processes, to run the isolation calls from the otherwise inaccessible processes. This PR adds a Rust library, that is compiled to a shared object, that is preloaded on all processes, including GPU and renderer. When loaded, it uses PR_SET_DUMPABLE to prevent all debugger access from user space and prevents keys or data from being accessed by other user-space programs. On flatpak, hooking the unsetenv is needed to restore the preload env variable after zypak clears it. This is a bug in zypak. Snap is not included since there is an open bug in portals that prevents file access when PR_SET_DUMPABLE is used. A test script that verifies the isolation status is also included. Note: This duplicates to a small degree the isolation code in `desktop_native`, that only covers `main` - but not renderer. I intend to explore other solutions for mac / windows, which are better rolled out via `desktop_native` behind a feature flag first, but we could apply the same approach long-term. (On windows we can achieve something similar via DACL: https://github.com/niluxv/secmem-proc) ## 📸 Screenshots ## ⏰ Reminders before review - Contributor guidelines followed - All formatters and local linters executed and passed - Written new unit and / or integration tests where applicable - Protected functional changes with optionality (feature flags) - Used internationalization (i18n) for all UI strings - CI builds passed - Communicated to DevOps any deployment requirements - Updated any necessary documentation (Confluence, contributing docs) or informed the documentation team ## 🦮 Reviewer guidelines - 👍 (`:+1:`) or similar for great changes - 📝 (`:memo:`) or ℹ️ (`:information_source:`) for notes or general info - ❓ (`:question:`) for questions - 🤔 (`:thinking:`) or 💭 (`:thought_balloon:`) for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion - 🎨 (`:art:`) for suggestions / improvements - ❌ (`:x:`) or ⚠️ (`:warning:`) for more significant problems or concerns needing attention - 🌱 (`:seedling:`) or ♻️ (`:recycle:`) for future improvements or indications of technical debt - ⛏ (`:pick:`) for minor or nitpick changes

github.com/bitwarden/clients

[BEEEP/PM22828] Enable ptrace prevention on Linux (except snap)

main ← km/beeep/prevent-memory-dumps

opened 07:59AM - 16 Jun 25 UTC

quexten

+11 -4

## 🎟️ Tracking https://bitwarden.atlassian.net/browse/PM-22828 ## 📔 Object…ive This enables the previously experimental setting of `PR_SET_DUMPABLE` to disable ptrace (memory dump & debugger) access for all release builds except snap. On snap there is still a portal bug that prevents using portals (i.e file access) when setting the process to undumpable. In contrast, flatpak portals work fine with this enabled. ## 📸 Screenshots ## ⏰ Reminders before review - Contributor guidelines followed - All formatters and local linters executed and passed - Written new unit and / or integration tests where applicable - Protected functional changes with optionality (feature flags) - Used internationalization (i18n) for all UI strings - CI builds passed - Communicated to DevOps any deployment requirements - Updated any necessary documentation (Confluence, contributing docs) or informed the documentation team ## 🦮 Reviewer guidelines - 👍 (`:+1:`) or similar for great changes - 📝 (`:memo:`) or ℹ️ (`:information_source:`) for notes or general info - ❓ (`:question:`) for questions - 🤔 (`:thinking:`) or 💭 (`:thought_balloon:`) for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion - 🎨 (`:art:`) for suggestions / improvements - ❌ (`:x:`) or ⚠️ (`:warning:`) for more significant problems or concerns needing attention - 🌱 (`:seedling:`) or ♻️ (`:recycle:`) for future improvements or indications of technical debt - ⛏ (`:pick:`) for minor or nitpick changes

github.com/bitwarden/clients

[PM-26340] Add linux biometrics v2

main ← km/linux-biometrics-v2

opened 10:15AM - 30 Sep 25 UTC

quexten

+143 -2

## 🎟️ Tracking https://bitwarden.atlassian.net/browse/PM-26340 ## 📔 Object…ive This PR implements biometrics v2 for Linux: - https://github.com/bitwarden/clients/pull/16187 - https://github.com/bitwarden/clients/pull/16432 this PR does not yet make use of the implemented module. That is added in a follow-up PR. The user key is now held in the encrypted memory store (introduced in https://github.com/bitwarden/clients/pull/16659) after first unlock. The key of the memory store is protected from memory dumping via either of: - `memfd_secret` - `keyctl` - `PR_SET_DUMPABLE=0` (all systems except snap) - System settings: `kernel.yama.ptrace_scope` (default on at least ubuntu, soon expanding) only if all of the above methods are unavailable is the memory store key dumpable by other userspace processes (which in turn would make the userkey decryptable). ## 📸 Screenshots ## ⏰ Reminders before review - Contributor guidelines followed - All formatters and local linters executed and passed - Written new unit and / or integration tests where applicable - Protected functional changes with optionality (feature flags) - Used internationalization (i18n) for all UI strings - CI builds passed - Communicated to DevOps any deployment requirements - Updated any necessary documentation (Confluence, contributing docs) or informed the documentation team ## 🦮 Reviewer guidelines - 👍 (`:+1:`) or similar for great changes - 📝 (`:memo:`) or ℹ️ (`:information_source:`) for notes or general info - ❓ (`:question:`) for questions - 🤔 (`:thinking:`) or 💭 (`:thought_balloon:`) for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion - 🎨 (`:art:`) for suggestions / improvements - ❌ (`:x:`) or ⚠️ (`:warning:`) for more significant problems or concerns needing attention - 🌱 (`:seedling:`) or ♻️ (`:recycle:`) for future improvements or indications of technical debt - ⛏ (`:pick:`) for minor or nitpick changes

github.com/bitwarden/clients

apps/desktop/desktop_native/core/src/secure_memory/dpapi.rs

e7fd8a0a4

use std::collections::HashMap;

use windows::Win32::Security::Cryptography::{
    CryptProtectMemory, CryptUnprotectMemory, CRYPTPROTECTMEMORY_BLOCK_SIZE,
    CRYPTPROTECTMEMORY_SAME_PROCESS,
};

use crate::secure_memory::SecureMemoryStore;

/// https://learn.microsoft.com/en-us/windows/win32/api/dpapi/nf-dpapi-cryptprotectdata
/// The DPAPI store encrypts data using the Windows Data Protection API (DPAPI). The key is bound
/// to the current process, and cannot be decrypted by other user-mode processes.
///
/// Note: Admin processes can still decrypt this memory:
/// https://blog.slowerzs.net/posts/cryptdecryptmemory/
pub(crate) struct DpapiSecretKVStore {
    map: HashMap<String, Vec<u8>>,
}

impl DpapiSecretKVStore {

This file has been truncated. show original

Neuron5569 · December 23, 2025, 3:32am

Congrat and thanks! This is something that can definitely be bragged about, with pieces that can be followed up to learn more. All 3 platforms, and that’s with different implementations. Awesome!