Password managers aren’t always safe: Study exposes zero-knowledge gaps
New study shows some password managers may be vulnerable when account recovery or sharing features are active
Password managers are often seen as a safe place for your most sensitive data, but a new study suggests that even the most popular services may not be as foolproof as users think.
Researchers from ETH Zurich and USI Lugano uncovered methods that could let attackers access vaults in widely used platforms like Bitwarden, Dashlane, and LastPass.
Are password managers trustworthy?
Password managers store sensitive data like passwords, payment cards, and cryptocurrency keys, and billions of users rely on their “zero-knowledge” encryption. The study examined how account recovery, sharing, and legacy support features could be exploited to access encrypted vaults.
Companies like Bitwarden, Dashlane, and LastPass promise that no one can read a user’s vault. Bitwarden, for example, says, “Not even our team can read your data.” But the researchers discovered scenarios where server control or compromised keys can give attackers access.
Key recovery for groups, account rotation, and shared vaults were among the features exploited. One attack could let an adversary read and modify vault contents if an organisation enables automatic recovery for new members. LastPass and Dashlane had similar vulnerabilities linked to administrative keys and shared vault encryption.
Companies continue to defend their security practices despite the results they have obtained. The four companies Bitwarden, LastPass, Dashlane and 1Password declared that their products undergo routine security audits and penetration testing along with bug bounty programmes.
1Password's company security lead, Jeff Shiner, said, “Zero-knowledge encryption means no one but you can access your data. Our systems are tested against advanced threat models, including malicious-server scenarios.” According to the research, vulnerabilities exist, and they are only present in certain conditions, and overall use remains secure for the users.
The study shows that password managers fail to provide complete security. The users must enable multi-factor authentication while they need to select their account recovery methods, and they should keep their applications updated.
-
End of digital decay? Scientists find a new way to preserve data that could outlive civilisations -
Google Gemini App adds Lyria 3 AI music generation for text, photo and video prompts -
Sam Altman says AI will replace jobs but humans will find better work -
eBay acquires Depop for $1.7b as it seeks to expand in the fast-growing resale market to reach Gen Z, Millennials -
Meta’s AI data centre deal with Nvidia puts pressure on Intel and AMD -
French supermarkets deploy AI to catch shoplifters as privacy debate looms -
Former Google CEO warns US is running out of electricity: Here’s why -
US State department plans ‘freedom.gov’ portal to bypass european content bans