TL;DR: That "zero knowledge" promise your password manager makes? ETH Zurich researchers just poked 25 holes in it. Bitwarden, LastPass, and Dashlane all failed tests that simulated a compromised server. In the worst cases, attackers could grab your actual passwords: not encrypted blobs, but the plaintext. Vendors are patching, but some fixes are moving slowly. If you use these tools, update everything now. The research drops at USENIX Security 2026.

The Promise vs. The Reality

Password managers sell themselves on one key promise: even if hackers breach their servers, your passwords stay safe. "Zero knowledge encryption" means the company never sees your master password or your vault contents. Only you can decrypt it.

That's the sales pitch. Researchers from ETH Zurich and Università della Svizzera italiana decided to test it.[1]

They built malicious servers that mimicked what hackers would do if they compromised Bitwarden, LastPass, or Dashlane. Then they watched what happened when normal users did normal things: logging in, syncing passwords, sharing credentials with family.

"We were surprised by the severity of the security vulnerabilities," said Kenneth Paterson, Professor of Computer Science at ETH Zurich. "No one had ever examined it in detail before."[2]

They found 25 distinct attacks. Some exposed metadata. Some broke encryption. Some revealed actual passwords in plaintext.[1]

The Damage by Provider

Researchers tested the three major cloud password managers. Combined, they hold 60 million users and 23% of the market.[3]

Bitwarden: 12 attacks

  • 7 attacks led to actual password disclosure
  • Vulnerable to key escrow exploitation through account recovery
  • Legacy code enables downgrade attacks
  • 3 issues classified as "intentional design decisions" and left unpatched[4]

LastPass: 7 attacks

  • 3 attacks resulted in password exposure
  • Key escrow mechanism compromises confidentiality
  • Item-level encryption creates metadata leakage
  • Vendor says its risk assessment "may not fully align" with the researchers'[2]

Dashlane: 6 attacks

  • 1 attack caused password disclosure
  • Backward compatibility with legacy code enables downgrades
  • Patched issues in extension version 6.2544.1 (November 2025)[4]

The researchers also noted that 1Password has known architectural limitations around item-level encryption and sharing, but treated these as documented rather than newly discovered.[4]

How the Attacks Work

The attacks fall into four categories:[1][4]

1. Key Escrow Exploitation

Password recovery features store backup keys. A compromised server can hijack the recovery process and grab your vault encryption key. Affects Bitwarden and LastPass.

2. Item-Level Encryption Flaws

Instead of encrypting your entire vault as one blob, these managers encrypt each password separately. The metadata between items (which fields exist, how items relate) isn't protected. Attackers can swap fields between entries, leak metadata, and downgrade encryption strength.

3. Sharing Feature Exploits

Family sharing and organization features expand the attack surface. A malicious server can intercept shared credentials or manipulate the sharing handoff to compromise vault integrity.

4. Legacy Backward Compatibility

Old encryption code sticks around so longtime users don't lose access. But attackers can force your client to use the weaker legacy encryption instead of modern standards. Affects Bitwarden and Dashlane.
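One client-side mitigation for this category, shown as an added example and not as any vendor's code: the client remembers the strongest vault format it has already used and refuses a server that later presents a weaker one, so a move back to legacy encryption happens only by explicit user choice. The format names and sync headers are made-up sample values.

```javascript
// Illustrative ranking of vault formats, weakest to strongest; names are constructed, not any vendor's.
const FORMAT_RANK = { 'legacy-v1': 1, 'cbc-hmac-v2': 2, 'gcm-v3': 3 };

class VaultClient {
  constructor(pinnedFormat = null) {
    this.pinnedFormat = pinnedFormat; // best format seen so far; a real client would persist this on the device
  }

  // Decide what to do with a vault header received during sync.
  // Returns 'upgrade' (accepted, pin raised), 'accept', or 'reject' (weaker or unknown format).
  syncHeader(header) {
    const rank = FORMAT_RANK[header.format];
    if (rank === undefined) return 'reject'; // unknown format: never guess
    const pinned = this.pinnedFormat ? FORMAT_RANK[this.pinnedFormat] : 0;
    if (rank < pinned) return 'reject';      // server is steering the client back to something weaker
    if (rank > pinned) { this.pinnedFormat = header.format; return 'upgrade'; }
    return 'accept';
  }

  // An explicit, user-initiated action is the only path that lowers the pin.
  userResetPin() { this.pinnedFormat = null; }
}

// Walk one client through a sync sequence; returns the decision for each header.
function demoSequence() {
  const client = new VaultClient();
  const headers = [
    { vaultId: 'v-1', format: 'cbc-hmac-v2' }, // first sync on a fresh device
    { vaultId: 'v-1', format: 'gcm-v3' },      // vendor migrated the vault forward
    { vaultId: 'v-1', format: 'legacy-v1' },   // server now presents the old format
    { vaultId: 'v-1', format: 'rot13' },       // not a format this client knows
    { vaultId: 'v-1', format: 'gcm-v3' },      // back to normal
  ];
  return headers.map((h) => client.syncHeader(h));
}
```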

Most attacks require only routine user actions: logging in, viewing a password, syncing across devices. You wouldn't know anything was wrong.[3]

Why Zero Knowledge Falls Apart

The fundamental problem: password managers want to be both secure and convenient. Features like password recovery, account sharing, and family vaults all require design compromises.[3]

Each feature adds complexity. Complexity creates what researchers called "confusing code architecture": places where attackers can slip through without needing sophisticated computational resources.[3]

"Due to the large amount of sensitive data they contain, password managers are likely targets for experienced hackers," Paterson noted.[3]

The irony: the features designed to make password managers more accessible also make them less secure.

What the Vendors Say

Researchers gave vendors 90 days to fix issues before publication. Responses varied:[2][3][4]

Dashlane moved fastest. They removed legacy cryptography supporting downgrade attacks and patched the browser extension in November 2025.

Bitwarden fixed 7 of 12 issues but classified 3 as "intentional design decisions necessary for product functionality." They also emphasized they've "never been breached."

LastPass acknowledged findings but said their risk assessment "may not fully align" with researchers' severity ratings. They're "actively strengthening integrity guarantees" but didn't specify timelines.

The main hesitation across vendors: updating encryption systems risks disconnecting existing customers from their stored credentials. Breaking people's access to their passwords is bad for business.[3]

What You Should Do Now

No evidence of real-world exploitation exists yet.[4] But these vulnerabilities are now public knowledge. Here's your action plan:

  1. Update everything. Make sure your password manager browser extension and apps are on the latest version. Dashlane users need version 6.2544.1 or newer.
  2. Strengthen your master password. If a server gets compromised, your master password is the last line of defense. Make it long, 20+ characters. Make it unique.
  3. Enable hardware keys. YubiKey or similar FIDO2 keys add a layer that server compromises can't touch.
  4. Audit recovery options. If you set up email-based account recovery years ago, consider whether you still need it. Fewer recovery options = smaller attack surface.
  5. Consider local-only storage. Tools like KeePassXC store vaults locally. No cloud server to compromise. Trade-off: syncing is on you.
  6. Watch for updates. This research publishes at USENIX Security 2026. More details will emerge. Vendors may issue additional patches.

The Bigger Picture

Password managers are still better than reusing passwords across sites. That hasn't changed.

But "zero knowledge" isn't magic. It's a marketing term wrapped around real engineering trade-offs. When vendors add recovery features and sharing and family plans, they're adding attack surface.

The researchers' recommendation: new users should get modern cryptographic standards by default. Existing users should be able to migrate voluntarily, with clear warnings about what they're giving up if they stay on legacy systems.[3]

Whether vendors actually implement that... we'll see.

Sources

  1. Zero Knowledge (About) Encryption: A Comparative Security Analysis of Three Cloud-based Password Managers - IACR ePrint Archive
  2. Password managers don't protect secrets if pwned - The Register, February 16, 2026
  3. Password managers less secure than promised - ETH Zurich, February 2026
  4. Study Uncovers 25 Password Recovery Attacks in Major Cloud Password Managers - The Hacker News, February 2026