ETH Zurich's deep-dive into the world's top password managers exposes how feature overload and legacy design obscure real security flaws, forcing a rethink of what "zero knowledge" actually means for your vault. Learn why recent fixes matter—and why open source may be your safest bet.

• CA's warn us to urgently prepare for the inevitable.
• Three U.S. states attempt to ban 3D printed firearms.
• Denied ransom, ShinyHunters leaks 967,000 personal details.
• "Billions" of U.S. social security numbers leaked.
• Is Apple planning to add cameras to three new gadgets.
• No more security fixes for Firefox on Windows 7 & 8.
• Russia blocks the official Linux kernel site they need.
• Will the U.S."freedom.gov" site post EU blocked content.
• LLM's will offer secure passwords. Do Not Use Them.
• As predicted, the "ClickFix" attack strategy takes over.
• A listener believes his computer is compromised.
• How could three popular password managers get things wrong.

Show Notes - https://www.grc.com/sn/SN-1066-Notes.pdf

Hosts: Steve Gibson and Leo Laporte

Download or subscribe to Security Now at https://twit.tv/shows/security-now.

You can submit a question to Security Now at the GRC Feedback Page.

For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.

Join Club TWiT for Ad-Free Podcasts!
Support what you love and get ad-free audio and video feeds, a members-only Discord, and exclusive content. Join today: https://twit.tv/clubtwit

Sponsors:

• guardsquare.com
• bitwarden.com/twit
• zscaler.com/security
• hoxhunt.com/securitynow
• material.security

How secure are your Chrome extensions and certificate signings really? This episode pulls back the curtain on a massive spyware discovery and exposes the convoluted hoops developers must jump through to prove their identity in 2026.

• Websites can place high demands upon limited CPU resources.
• Microsoft appears to back away from its security commitment.
• What's Windows 11 26H1 and where do I get it.
• Chrome 145 brings Device Bound Session Credentials.
• More countries are moving to ban underage social media use.
• The return of Roskomnadzor.
• Discord to require proof of adulthood for adult content.
• Might you still be using WinRAR 7.12 -- I was.
• Paragon's Graphite can definitely spy on all instant messaging.
• 30 malicious Chrome Extensions.
• 287 Chrome extensions from spying on 37.4 million users.
• The first malicious Outlook add-in steals 4000 user's credentials.
• Some AI "vibe" coding thoughts.
• What I just went through to obtain a new code signing certificate

Show Notes - https://www.grc.com/sn/SN-1065-Notes.pdf

Hosts: Steve Gibson and Leo Laporte

Download or subscribe to Security Now at https://twit.tv/shows/security-now.

You can submit a question to Security Now at the GRC Feedback Page.

For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.

Join Club TWiT for Ad-Free Podcasts!
Support what you love and get ad-free audio and video feeds, a members-only Discord, and exclusive content. Join today: https://twit.tv/clubtwit

Sponsors:

• canary.tools/twit - use code: TWIT
• joindeleteme.com/twit promo code TWIT
• meter.com/securitynow
• zscaler.com/security
• hoxhunt.com/securitynow

From EU fines that never get paid to cyber warfare grounding missiles mid-battle, this week's episode uncovers the untold stories and real-world consequences shaping today's digital defenses.

• How is the EU's GDPR fine collection going.
• Western democracies are getting serious about offensive cybercrime.
• The powerful cyber component of the Midnight Hammer operation.
• Signs of psychological dependence upon OpenAI's GPT-4o chatbot.
• CISA orders government agencies to unplug end-of-support devices.
• How to keep Windows from annoying us after an upgrade.
• What is OpenClaw, how safe is it to use, what does it mean.
• Another listener uses AI to completely code an app.
• Coinbase suffers another insider breach. What can be done

Show Notes - https://www.grc.com/sn/SN-1064-Notes.pdf

Hosts: Steve Gibson and Leo Laporte

Download or subscribe to Security Now at https://twit.tv/shows/security-now.

You can submit a question to Security Now at the GRC Feedback Page.

For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.

Join Club TWiT for Ad-Free Podcasts!
Support what you love and get ad-free audio and video feeds, a members-only Discord, and exclusive content. Join today: https://twit.tv/clubtwit

Sponsors:

• zscaler.com/security
• hoxhunt.com/securitynow
• trustedtech.team/securitynowCSS
• guardsquare.com