A landmark academic study has cast a harsh light on the security foundations of widely-used password managers, revealing significant vulnerabilities that could undermine the very trust millions of users place in these critical tools. Researchers from ETH Zurich and Università della Svizzera italiana uncovered a total of 25 distinct password recovery attacks impacting prominent services such as Bitwarden, Dashlane, LastPass, and, to a lesser degree, 1Password. These platforms serve a vast user base, encompassing over 60 million individuals and nearly 125,000 businesses, which underscores the widespread potential impact of the security flaws. The study’s authors detailed a spectrum of consequences, ranging from minor integrity violations within a user’s digital vault to the complete and catastrophic compromise of every password stored by an entire organization. Critically, the researchers emphasized that the majority of these identified vulnerabilities could be exploited by a sophisticated attacker to recover the actual passwords users have entrusted to the services for safekeeping, challenging the core security promises made by these companies.
A Deliberate Test of Digital Vaults
The central premise of the research operated under a specific and highly relevant threat model: the assumption of a malicious server. This approach simulated a scenario where an attacker has successfully compromised the password manager’s own server infrastructure, a “worst-case” but plausible situation for any cloud service. This method was deliberately chosen to rigorously test the “zero-knowledge encryption” (ZKE) promises that are a cornerstone of these services’ security marketing and a primary reason users trust them with their most sensitive data. ZKE is a cryptographic principle designed to ensure that data is stored in a fully encrypted format, rendering it accessible only to the end-user who holds the unique decryption key, which is typically derived from their master password. In theory, this architecture prevents the service provider—or any malicious actor who seizes control of the provider’s servers—from accessing or decrypting the user’s sensitive vault data. The study’s objective was to determine if these ZKE implementations could truly withstand such a hostile server environment and live up to their security claims.
The study further clarified the crucial distinction between zero-knowledge encryption and the more commonly understood end-to-end encryption (E2EE). While E2EE is primarily concerned with securing data during its transit between a user’s device and the server, ZKE focuses specifically on the secure storage of that data at rest on the company’s servers. The “zero-knowledge” aspect guarantees that the service provider remains entirely ignorant of the contents stored within a user’s vault, a fundamental tenet of their privacy and security posture. By simulating an attack from the server-side, the researchers were able to bypass the protections of E2EE and directly assault the ZKE model. This allowed them to probe for architectural weaknesses, implementation errors, and cryptographic misconceptions that would only become apparent when the server itself is no longer a trusted entity. The findings ultimately challenged the robustness of the very systems designed to protect user data even if the provider’s infrastructure were to be completely breached.
Common Vulnerabilities and Systemic Weaknesses
The investigation uncovered a series of common design anti-patterns and fundamental cryptographic misconceptions across the different platforms, which were ultimately responsible for the identified vulnerabilities. These systemic flaws were grouped into four principal categories, revealing shared weaknesses in how these services were architected. The first major area of concern involved the exploitation of key escrow mechanisms. Both Bitwarden and LastPass were found to have vulnerabilities in their account recovery systems, which are designed to help users regain access if they forget their master password. Unfortunately, these features contained design flaws that a malicious server actor could exploit to undermine the confidentiality guarantees of the user vaults, effectively compromising the stored secrets they were meant to protect. A second, more prevalent issue was the practice of flawed item-level encryption. Many services encrypted individual data items, like a single password entry, as separate, disconnected objects, often using unencrypted or unauthenticated metadata alongside them, creating significant security gaps.
This architectural choice of handling individual vault items as disconnected objects was a recurring theme that created multiple avenues for attack. An attacker with server control could exploit this separation to execute a variety of sophisticated attacks beyond simple data theft. These included integrity violations, where an attacker could maliciously modify data without being detected, and metadata leakage, which could expose sensitive information about the stored items even if the items themselves remained encrypted. Furthermore, the researchers demonstrated the feasibility of field swapping attacks, where an attacker could maliciously reorder fields within a credential entry, potentially tricking a user into submitting sensitive information to the wrong place. Perhaps most critically, this flaw allowed for Key Derivation Function (KDF) downgrades. By manipulating the unauthenticated settings, an attacker could force the system to use a much weaker algorithm for generating the user’s encryption key, dramatically reducing the complexity required to crack the master password through brute-force methods.
More Paths to Compromise
Beyond flaws in data storage and recovery, the study also identified the functionalities that allow users to share passwords and other credentials as another significant attack surface. Vulnerabilities discovered within these sharing mechanisms could be manipulated by a malicious server to compromise both the integrity and the confidentiality of user vaults. An attacker could potentially intercept or alter shared secrets, gaining unauthorized access to sensitive information as it was being transferred between users. In another critical finding, the need to maintain backwards compatibility with older versions of their software introduced serious vulnerabilities in the cases of Bitwarden and Dashlane. This legacy support, while intended to ensure a smooth user experience for those on older clients, allowed for potent downgrade attacks. A malicious server could exploit this compatibility to force a user’s client application to revert to using older, less secure cryptographic methods, thereby weakening the overall security of their vault and making it far more susceptible to compromise by modern cracking techniques.
The research specifically noted that 1Password, while generally more resilient, was still susceptible to a subset of attacks related to its item-level vault encryption and credential sharing features. However, the company’s response framed these issues differently from its competitors. In a statement, 1Password indicated that it views these findings not as new, undisclosed vulnerabilities but rather as known architectural limitations that have already been documented and explained in its public-facing Security Design White Paper. This position suggests a different philosophy toward transparency and risk acceptance, where certain trade-offs are acknowledged openly. Jacob DePriest, 1Password’s CISO, emphasized the company’s ongoing commitment to evolving its security architecture and pointed to existing mitigations, like the use of the Secure Remote Password (SRP) protocol. He explained that SRP authenticates users without ever transmitting their encryption keys to the company’s servers, a design choice that inherently mitigates entire classes of server-side threats of the kind explored in the study.
Hardening Security for the Future
In the wake of the study’s disclosure, all the implicated vendors took or were in the process of taking remedial action, and it was important to note that no evidence suggested these vulnerabilities had been exploited in real-world attacks. Dashlane moved swiftly to patch a critical issue that could have allowed a malicious server to execute a downgrade attack on the encryption model used for user vaults, a vulnerability directly resulting from its support for legacy cryptography. This fix, which completely removed support for the older, insecure methods, was deployed in Dashlane Extension version 6.2544.1, released in November 2025. Bitwarden also confirmed that it was actively addressing all the issues raised by the researchers. The company stated that of the vulnerabilities identified, seven had either been fully resolved or were currently undergoing active remediation, demonstrating a commitment to hardening its platform against the newly discovered attack vectors. However, Bitwarden also noted that the remaining three issues were accepted as intentional design decisions, deemed necessary to enable certain product functionalities. This highlighted the complex balance companies must strike between security and usability.