Bold claim first: your password manager might not be as trustworthy as you think, even when it promises zero-knowledge protection. Now, here’s why that matters and what changes this could demand from you and the industry.
A team of researchers from ETH Zurich and Università della Svizzera italiana (USI) tested three widely used password managers—Bitwarden, LastPass, and Dashlane—against the idea of zero-knowledge encryption. The core premise of zero-knowledge is simple: your master password and vault data are encrypted on your device, with the vendor’s servers acting only as a storage depot for encrypted data. If the servers are hacked, the attackers shouldn’t be able to read your secrets. The study, however, found that all three vendors exhibited flaws that could expose encrypted passwords when servers were compromised.
Among the trio, Bitwarden showed the most vulnerabilities in the researchers’ tests, with 12 distinct attack scenarios that could breach its open-source implementation. LastPass faced seven successful attacks, and Dashlane six. These aren’t classic “remote-exploit” hacks targeting individual users; rather, they probe how well the platforms protect secrets when the server itself is compromised and attackers can manipulate the server environment.
In practical terms, the attacks often allowed the researchers to retrieve encrypted passwords from the vault, and in some cases even alter the stored entries. The team used a malicious-server model to imitate a hacked backend, observing that seven of Bitwarden’s 12 breaches led to password disclosure, while LastPass and Dashlane saw fewer such outcomes.
All three vendors tout zero-knowledge encryption, but none openly spells out the precise threat model they defend against. The researchers highlighted that many attacks rely on routine user actions—logging in, opening the vault, syncing data—as well as more complex maneuvers like key rotations, organizational onboarding, sharing credentials, or even clicking a deceptive prompt. While estimating how often users perform these actions is challenging, the researchers argue that a large user base means some users will likely trigger these scenarios.
The full paper contends that password managers have not been subjected to as much rigorous academic scrutiny as other end-to-end encrypted services, such as secure messaging apps. Part of the reason may be the belief that password managers are comparatively simple—derive a key, then encrypt data. In reality, their codebases are intricate, supporting features like family-shared accounts and multiple backward-compatible encryption formats.
Kenneth Paterson, a computer science professor at ETH Zurich, stated that the vulnerabilities’ severity surprised the researchers. He noted that end-to-end encryption is still relatively new in commercial services, and detailed examinations hadn’t been widely conducted before.
A central recommendation from the researchers is to ensure new users are automatically brought onto the latest cryptographic standards. One obstacle to upgrading older systems is the fear of losing existing users’ secrets in the process. Some vendors maintain legacy formats for backward compatibility, which adds complexity to the codebase.
Their suggested path forward: onboard all new users with the latest cryptographic standards, while giving current users the option to migrate or stay with older protections, clearly informing them of the risks involved. In Paterson’s words, the aim is to spur industry-wide change and to stop promising security without clearly stating what is truly guaranteed.
Vendor responses varied but tended to be constructive. Dashlane acknowledged the research and confirmed it had fixed the most critical issue that could lead to password disclosure under a fully compromised server, issuing a dedicated security advisory about cryptography downgrades tied to legacy formats. Bitwarden emphasized that it has never been breached and welcomed external audits as a path to stronger security, thanking ETH Zurich for the collaboration. LastPass expressed appreciation for the research, noted that its own risk assessment may differ from the researchers’ severity ratings, and reported that it has implemented several near-term hardening measures while planning longer-term remediation aligned with the evaluated risk.
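To make the "cryptography downgrade tied to legacy formats" concrete under the malicious-server model described above, here is an added illustration (not code from the paper or from any of the three vendors) of a client deriving its vault key from a server-reported KDF profile. The weak pattern honours whatever the server reports; the hardened pattern pins a client-side floor and refuses to go below parameters the device has already seen. The KDF name, iteration counts, salt and profile fields are all assumptions constructed for this example.

```python
import hashlib

# Client-side floor for key derivation. Assumed values for this example,
# not any vendor's real settings.
SUPPORTED_KDF = "pbkdf2-sha256"
MIN_ITERATIONS = 600_000

# Constructed sample profiles: what an honest server and a compromised server
# might report to the client at login. The salt is fixed for reproducibility.
SALT = b"constructed-example-salt"
HONEST_PROFILE = {"kdf": SUPPORTED_KDF, "iterations": 600_000, "salt": SALT}
DOWNGRADED_PROFILE = {"kdf": SUPPORTED_KDF, "iterations": 1_000, "salt": SALT}


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Derive the vault key locally; the server only ever sees ciphertext and KDF metadata."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=32)


def choose_kdf_trusting_server(profile: dict, last_seen_iterations: int = 0) -> tuple[str, int]:
    """Weak pattern: honour whatever KDF configuration the server reports.
    A compromised server can present a legacy format with a tiny work factor, and the
    client quietly derives a much weaker key from the same master password."""
    return profile["kdf"], profile["iterations"]


def choose_kdf_with_floor(profile: dict, last_seen_iterations: int = 0) -> tuple[str, int]:
    """Hardened pattern: enforce a client-side minimum and never accept parameters below
    what this device has already seen for the account, so a server cannot roll a vault
    back to a legacy format once it has been upgraded."""
    kdf, iterations = profile["kdf"], profile["iterations"]
    floor = max(MIN_ITERATIONS, last_seen_iterations)
    if kdf != SUPPORTED_KDF or iterations < floor:
        raise ValueError(f"server offered {kdf}/{iterations}, below client floor {floor}; refusing")
    return kdf, iterations


def accepts(chooser, profile: dict, last_seen_iterations: int = 0) -> bool:
    """True if the given policy would proceed with the server-reported profile."""
    try:
        chooser(profile, last_seen_iterations)
        return True
    except ValueError:
        return False


def login(master_password: str, profile: dict, chooser, last_seen_iterations: int = 0) -> bytes:
    """Apply the chosen policy, then derive and return the 32-byte vault key."""
    _, iterations = chooser(profile, last_seen_iterations)
    return derive_vault_key(master_password, profile["salt"], iterations)
```

A real client would persist the highest parameters it has accepted per account (the `last_seen_iterations` argument here) alongside the vault, so the floor survives across sessions.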
Importantly, the researchers believe these weaknesses likely extend beyond the three tested vendors and may already be known to sophisticated threat actors, including state-backed groups.
If you’re curious how this affects your daily security habits, consider this: even with zero-knowledge promises, a password manager’s security depends on how up-to-date its cryptography is, how well it migrates existing users to newer formats, and how clearly the provider states what it can and cannot guarantee. With that in mind, you might broaden your approach to security—regularly update your tools, enable modern multi-factor authentication, monitor for phishing attempts, and be cautious about the actions the researchers flagged as triggering more complex cryptographic operations, such as key rotations, credential sharing, organizational onboarding, and unexpected prompts.
What do you think: should password-managing services be required to migrate all users to the latest cryptography by default, even if it risks vault access during the transition? Or is offering a clear migration path with explicit risk disclosures the better balance? Share your stance in the comments.