Password managers aren’t always safe: Study exposes zero-knowledge gaps
New study shows some password managers may be vulnerable when account recovery or sharing features are active
Password managers are often seen as a safe place for your most sensitive data, but a new study suggests that even the most popular services may not be as foolproof as users think.
Researchers from ETH Zurich and USI Lugano uncovered methods that could let attackers access vaults in widely used platforms like Bitwarden, Dashlane, and LastPass.
Are password managers trustworthy?
Password managers store sensitive data like passwords, payment cards, and cryptocurrency keys, and billions of users rely on their “zero-knowledge” encryption. The study examined how account recovery, sharing, and legacy support features could be exploited to access encrypted vaults.
Companies like Bitwarden, Dashlane, and LastPass promise that no one can read a user’s vault. Bitwarden, for example, says, “Not even our team can read your data.” But the researchers discovered scenarios where server control or compromised keys can give attackers access.
Key recovery for groups, account rotation, and shared vaults were among the features exploited. One attack could let an adversary read and modify vault contents if an organisation enables automatic recovery for new members. LastPass and Dashlane had similar vulnerabilities linked to administrative keys and shared vault encryption.
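The point the researchers make about automatic recovery can be shown with a small model. The following Python is an added illustration, not code from the study or from any of the named vendors, and it uses a toy cipher and a deliberately simplified key layout (a random vault key rather than one derived from the master password, a single organisation recovery key, hypothetical names such as `enrol_user` and `vault_exposed_to`). What it demonstrates: while the server holds only ciphertext, it can neither read the vault nor alter it unnoticed; once the vault key is escrowed under a recovery key, the "no one can read your data" property belongs to whoever controls that key, which is exactly the condition under which server control or a compromised key matters.

```python
from typing import Optional
import hashlib
import hmac
import secrets

# --- Toy authenticated encryption (illustration only, not any product's real cipher) ---

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Keystream built from HMAC-SHA256(key, nonce || counter) blocks."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def _subkeys(key: bytes):
    """Separate encryption and MAC keys derived from one secret."""
    return (hashlib.sha256(b"enc" + key).digest(),
            hashlib.sha256(b"mac" + key).digest())

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag. The tag is what stops a party without
    the key from editing vault contents without the client noticing."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: blob altered or wrong key")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

# --- What the provider's server ends up holding for one user (constructed model) ---

class ServerRecord:
    def __init__(self, vault_blob: bytes, escrowed_vault_key: Optional[bytes]):
        self.vault_blob = vault_blob                  # vault under the user's own vault key
        self.escrowed_vault_key = escrowed_vault_key  # vault key wrapped under org key, or None

def enrol_user(vault_contents: bytes, org_recovery_key: Optional[bytes]) -> ServerRecord:
    """Hypothetical enrolment. The vault key stays with the client; only if the
    organisation enabled automatic recovery is a copy escrowed under the org key."""
    vault_key = secrets.token_bytes(32)  # real products derive this from the master password
    blob = encrypt(vault_key, vault_contents)
    escrow = encrypt(org_recovery_key, vault_key) if org_recovery_key is not None else None
    return ServerRecord(blob, escrow)

def vault_exposed_to(record: ServerRecord, keys_held: dict) -> Optional[bytes]:
    """Threat-model check: given the keys some party holds (a server operator, or an
    attacker with a leaked org recovery key), return the vault plaintext that party
    can recover, or None. The user's vault key is never in keys_held."""
    escrow_key = keys_held.get("org_recovery_key")
    if record.escrowed_vault_key is None or escrow_key is None:
        return None
    try:
        vault_key = decrypt(escrow_key, record.escrowed_vault_key)
        return decrypt(vault_key, record.vault_blob)
    except ValueError:
        return None

def tampering_is_detected() -> bool:
    """Without the key, flipping a ciphertext bit is caught by the client on decrypt."""
    key = secrets.token_bytes(32)
    blob = bytearray(encrypt(key, b"example vault entry"))
    blob[16] ^= 0x01  # alter the first ciphertext byte
    try:
        decrypt(key, bytes(blob))
        return False
    except ValueError:
        return True

if __name__ == "__main__":
    org_key = secrets.token_bytes(32)
    with_recovery = enrol_user(b"login: example.test", org_key)
    without_recovery = enrol_user(b"login: example.test", None)
    print("auto-recovery on, org key held:", vault_exposed_to(with_recovery, {"org_recovery_key": org_key}))
    print("auto-recovery on, no org key:  ", vault_exposed_to(with_recovery, {}))
    print("auto-recovery off, org key held:", vault_exposed_to(without_recovery, {"org_recovery_key": org_key}))
    print("ciphertext tampering detected:  ", tampering_is_detected())
```

The defensive reading is that a recovery or sharing feature is a deliberate extension of the trust boundary: the product's zero-knowledge claim is then only as strong as the protection around the recovery key, so an organisation should treat enabling such features as a decision about who is allowed to hold that key.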
The companies continue to defend their security practices despite the findings. Bitwarden, LastPass, Dashlane and 1Password all stated that their products undergo routine security audits and penetration testing, backed by bug bounty programmes.
1Password's company security lead, Jeff Shiner, said, “Zero-knowledge encryption means no one but you can access your data. Our systems are tested against advanced threat models, including malicious-server scenarios.” According to the research, the vulnerabilities are real but arise only under certain conditions, and everyday use remains secure for users.
The study shows that password managers do not provide complete security on their own. Users should enable multi-factor authentication, choose their account recovery methods carefully, and keep their applications updated.
