Most of my blog is in Hungarian; the English entries below are generally reprints of my LinkedIn posts. They are also available via RSS.

 

You may have seen news on vulnerabilities in password managers, reported in an Ars Technica article based on an ETH Zurich research paper.
Let me share some thoughts on these.

It is good practice to use password managers; they allow you to have unique passwords everywhere, and the password manager keeps them safe. Today's mainstream password managers are online services, and many of them claim to be 'zero-knowledge', which means (while not a precise crypto term in this context) that no one, including the password manager company, can access your passwords, even if the company had a malicious employee, was hacked, or was compelled by a government.

The researchers reverse engineered and analyzed multiple password manager services (including Bitwarden, LastPass and Dashlane) and showed attacks under which the above claim does not hold.

The researchers proposed countermeasures for their attacks, and many of these have already been implemented by the services (as the researchers contacted them before going public).

I am somewhat skeptical here. While I don't think there is a fundamental conflict between security and efficiency, encrypting data at rest is an exception. Good encryption may outright prevent certain operations (like certain forms of sharing or recovery). In the long term, one inevitably needs to decide whether they want social media features in a cloud service, and allow it to access their data, or want zero-knowledge (whatever it means). If a password manager starts including features like 'sharing', 'invites' and 'recovery', there will forever be vulnerabilities.

I would not advise anyone to stop using password managers, including those mentioned in the paper. Using a password manager is way better than any other alternative.

Still, I prefer password managers to be offline tools and not password-manager-as-a-service, accumulating social media-style sharing features. When it is about passwords, I really don't like sharing.

Ars Technica article: https://arstechnica.com/security/2026/02/password-managers-promise-that-they-cant-see-your-vaults-isnt-always-true/

Research paper: https://eprint.iacr.org/2026/058.pdf

 

I prefer offline password managers, which run locally and store the password vault in an encrypted file. This file can be synced with any cloud storage (Dropbox / Google Drive / OneDrive / etc.). This makes the password manager leaner and more focused: the password manager vendor never sees your encrypted vault, while the cloud storage provider does not know your master password.
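To make the split of trust concrete, here is an added example (not code from the post or from any of the tools named below) of how such an offline vault can be sealed: the key is derived from the master password locally, the cloud only ever receives the ciphertext blob, and a wrong password or a modified blob is rejected. The scrypt parameters, the `vault-v1` associated-data label and the sample vault contents are my own assumptions.

```python
import hashlib
import json
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Constructed sample vault; a real vault would hold many more entries.
SAMPLE_VAULT = {"example.com": {"user": "alice", "password": "correct horse battery staple"}}
AAD = b"vault-v1"  # assumed format label, bound into the authentication tag


def derive_key(master_password: str, salt: bytes) -> bytes:
    """Stretch the master password into a 256-bit key with scrypt (assumed parameters)."""
    return hashlib.scrypt(master_password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)


def seal_vault(vault: dict, master_password: str) -> bytes:
    """Encrypt the vault on the device; the returned blob is all that gets synced."""
    salt, nonce = os.urandom(16), os.urandom(12)
    key = derive_key(master_password, salt)
    ciphertext = AESGCM(key).encrypt(nonce, json.dumps(vault).encode(), AAD)
    return salt + nonce + ciphertext  # salt and nonce are public, the key is not


def open_vault(blob: bytes, master_password: str) -> dict:
    """Decrypt and verify; raises InvalidTag for a wrong password or a tampered blob."""
    salt, nonce, ciphertext = blob[:16], blob[16:28], blob[28:]
    key = derive_key(master_password, salt)
    return json.loads(AESGCM(key).decrypt(nonce, ciphertext, AAD))


def cloud_sees_plaintext(blob: bytes) -> bool:
    """The storage provider's view: it holds the blob but no key and no password."""
    return b"alice" in blob or b"correct horse" in blob


def demo() -> dict:
    """Exercise the round trip plus the two failure modes and report the outcomes."""
    blob = seal_vault(SAMPLE_VAULT, "master-pw")
    results = {"roundtrip": open_vault(blob, "master-pw") == SAMPLE_VAULT,
               "cloud_sees_plaintext": cloud_sees_plaintext(blob)}
    for label, candidate, password in (("wrong_pw_rejected", blob, "wrong-pw"),
                                       ("tamper_rejected", blob[:-1] + bytes([blob[-1] ^ 1]), "master-pw")):
        try:
            open_vault(candidate, password)
            results[label] = False
        except InvalidTag:
            results[label] = True
    return results
```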

Examples: Password Safe, KeePass (open source, cross-platform), Enpass, Password Gorilla.

I also know people who run a self-hosted Bitwarden instance.

Note that I do not necessarily reject cloud / online password managers either; I just put them into a different bucket.

I have also experimented with Google's cloud password manager (also built into Chrome), and I think it has become pretty good in its own class. If one wants to get started with minimal effort, it might be a good solution.

Passwords may have many flaws, but they are supported everywhere. I am not deep into tools, whether hardware or services, that promise to get rid of passwords, but my experience is that when you try something like that, you eventually run into a technology that does not work with it...

 

This post was first published on LinkedIn here on 2026-03-08.

 

I teach in a cryptography course at AIT Budapest, where I have a set of lab demos on PKI and TLS. I wrote some Terraform code to spin up a couple of websites on Google Cloud with various states of TLS (no TLS, cert for a different domain, incorrectly set up TLS, good TLS, etc.) and to demonstrate certain attacks. The code is very simple and basic: create VM → register DNS name → obtain cert using certbot → install demo PHP app and configure the TLS site the way I need it. Terraform is handy as it allows me to do and undo all of this quickly in bulk, and to only pay Google for a few days of use.

I have been using this for many years (I started pre-covid); I mostly run it once each semester and sometimes a few extra times when I am experimenting.

In theory, infrastructure-as-code (IaC) allows you to write code once and reuse it infinitely to recreate the same environment later. In theory, theory and practice are the same. In practice, they are not. Sometimes:

IaC is great, Terraform is fun, this all works and saves a lot of time. I just want to highlight that it is not 'write once, reuse infinitely'; you need to maintain it.

TL;DR: Infrastructure-as-code still requires you to spend time maintaining your infra; you no longer need to maintain the legacy tech stack you know, but you maintain a complex system of ever-changing, dynamic tech stacks.

Our course at AIT Budapest.

 

This post was first published on LinkedIn here on 2026-03-01.

 

Player Piano - 2026-02-11

In his novel Player Piano, Kurt Vonnegut shows a dystopian society split into an upper class of engineers (who make machines which make further machines, etc.) and a lower class of people who... just don't matter. The extremely mechanized/automated economy requires very few engineers to operate, and those not smart enough to engineer and build improved machines have bullshit jobs like perpetual road reconstruction, or they can join the army or devote themselves fully to alcoholism. The lower class, who make up most of the population, are not left to starve, but it is made very clear to them that they cannot contribute and don't matter at all. https://en.wikipedia.org/wiki/Player_Piano_(novel)

With today's massive push for AI, the doomed revolution in Player Piano comes to mind increasingly often. This book has become surprisingly relevant...

Are we really heading this way?

 

"The function of science fiction is not always to predict the future but sometimes to prevent it." (Frank Herbert? Ray Bradbury?)

Looking back, the dystopian sci-fi of the past just too often turns out to be an accurate description of what happened later.

 

This post was first published on LinkedIn here on 2026-02-09.

 

I recently wrote about a lawyer receiving a fine for referring to made-up cases in court; he used genAI to search for precedents, the AI hallucinated results, the lawyer did not validate them, and the judge got pissed off.

I just learned this was far from a one-off case. There is a whole database of made-up (hallucinated) legal cases submitted to court, along with the sanctions/fines the courts issued (as judges don't like dealing with hallucinations).
https://www.damiencharlotin.com/hallucinations/

There is also a (paid) engine for validating such references. Therefore, the world of genAI-hallucinated precedents has become big enough to provide a business case.
https://pelaikan-app.web.app/

I am not a lawyer who would use these; I am just astonished by how deep this field has become.

I have also learned that there is always a relevant XKCD comic; in our case it is this one:

 

Our world is ruled / governed by lawyers; the decisions they make will eventually cascade into decisions in all other areas.

In common law, decisions in previous court cases also guide future court decisions; submitting fake cases means tampering with the rules of the system.

I am glad judges take this seriously; it means it will eventually be taken seriously in other areas too. I find the areas where law and tech overlap really exciting.

 

This post was first published on LinkedIn here on 2026-01-30.

 

AI hacking game - 2026-01-19

This is an AI hacking online game I came across recently:
https://gandalf.lakera.ai

Your job is to convince an AI wizard to tell you a password it should not tell you. The first level is easy, while subsequent levels contain more and more countermeasures, and Gandalf, the wizard persona you are talking to, gets older, wiser and harder to trick.

This is an ad/puzzle/course from the AI security company Lakera. While this is a game, both your tricks and their countermeasures are real and also used in practice (but they are not the latest ones, of course). As this is a game, it is an AI which is fully legal to hack.

This form of AI hacking is special: it counts as hacking, but (just like in social engineering) you don't need any IT or programming skills, you just ask for the password the right way. (If you want to get into other areas of hacking, there are many tutorials out there, such as Hack The Box, where you can play in a safe environment with lab systems.)

Notes:

I really love such projects that teach IT/security in a way accessible to non-IT people. This is a fun example, kudos to #Lakera! They have a few other similar ones on their site, if you are looking for more of a challenge.

 

This post was first published on LinkedIn here on 2026-01-19.

 

This is my personal website, opinions expressed here are strictly my own, and do not reflect the opinion of my employer. My English blog is experimental and only a small portion of my Hungarian blog is available in English. Contents of my blog may be freely used according to Creative Commons license CC BY.