Full Report
A new study has found that multiple cloud-based password managers, including Bitwarden, Dashlane, and LastPass, are susceptible to password recovery attacks under certain conditions. "The attacks range in severity from integrity violations to the complete compromise of all vaults in an organization," researchers Matteo Scarlata, Giovanni Torrisi, Matilda Backendal, and Kenneth G. Paterson said.
Analysis Summary
# Research: Broken Knowledge: Vulnerabilities in Cloud-Based Password Managers
## Metadata
- **Authors:** Matteo Scarlata, Giovanni Torrisi, Matilda Backendal, and Kenneth G. Paterson
- **Institution:** ETH Zurich and Università della Svizzera italiana (USI)
- **Publication:** Reported via ETH News / zkae.io (Academic Pre-publication/Technical Briefing)
- **Date:** February 16, 2026 (Reported)
## Abstract
This research presents a systematic security analysis of three major cloud-based password managers: Bitwarden, Dashlane, and LastPass. By challenging the "Zero-Knowledge Encryption" (ZKE) claims of these vendors, the researchers uncovered 25 distinct attacks. These vulnerabilities range from minor integrity violations to the complete compromise of all vaults within an enterprise organization, primarily enabled by a compromised or malicious service provider server.
## Research Objective
The study aims to evaluate whether the Zero-Knowledge Encryption (ZKE) architectures of leading password managers actually protect user data against a malicious server. It addresses the question: *Can a service provider—or an attacker who has compromised the provider's infrastructure—bypass the cryptographic controls intended to keep user passwords private?*
## Methodology
### Approach
The researchers utilized a "malicious server" threat model. They analyzed the protocols and source code (where available) of the applications to identify design anti-patterns and cryptographic flaws. They then verified these flaws by simulating server-side manipulations of the data sent to the client applications.
### Dataset/Environment
The study focused on the production environments and client-side implementations of:
- **Bitwarden**
- **Dashlane**
- **LastPass**
- *(Secondary analysis of 1Password)*
### Tools & Technologies
- Cryptographic protocol analysis
- Web application security testing
- Reverse engineering of client-side JavaScript and legacy codebases
- Analysis of Key Derivation Functions (KDF) and sharing mechanisms
## Key Findings
### Primary Results
1. **Attack Inventory:** Researchers identified 12 attacks against Bitwarden, 7 against LastPass, and 6 against Dashlane.
2. **Recovery Flaws:** Attacks on "Key Escrow" mechanisms (used for account recovery) allow a malicious server to bypass confidentiality protections in Bitwarden and LastPass.
3. **Integrity and Metadata Violations:** Flawed "item-level" encryption allows servers to swap encrypted fields, downgrade security settings (like KDF iterations), or leak sensitive metadata.
4. **Legacy Vulnerabilities:** Maintaining backwards compatibility with older, less secure code introduced downgrade attack vectors in Bitwarden and Dashlane.
### Supporting Evidence
- The researchers demonstrated that by manipulating how the server serves encrypted blobs, they could force a client to reveal credentials or accept tampered data.
- Collectively, these systems protect 60 million users and 125,000 businesses, highlighting the massive scale of the potential impact.
### Novel Contributions
- **ZKE Deconstruction:** The paper formally distinguishes between End-to-End Encryption (E2EE) and Zero-Knowledge Encryption (ZKE) in the context of password managers.
- **Taxonomy of Anti-patterns:** The researchers categorized 25 attacks into four clear architectural failure modes (Key Escrow, Item-level flaws, Sharing flaws, and Legacy compatibility).
## Technical Details
The core of the vulnerability lies in **Cryptographic Misconceptions**. Specifically, many managers encrypt individual items (like a single password) as separate objects rather than the vault as a whole. This often leaves metadata (titles, URLs) unauthenticated. A malicious server can swap the encrypted "ciphertext" of a high-value password into a low-value entry, or purposefully downgrade the PBKDF2 iterations to 1, making the user's master key susceptible to rapid brute-forcing upon the next login.
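The two failure modes described above (unauthenticated item-level metadata that lets a server move a ciphertext between entries, and a server-supplied PBKDF2 iteration count that can be driven down to 1) are easy to see in a small model. The following is an added example written for this summary; it is not code from the paper or from any of the vendors discussed. It uses only the Python standard library, and the HMAC counter-mode keystream is an illustrative stand-in for a real AEAD such as AES-GCM. The item names, field layout, the `MIN_ITERATIONS` floor and the sample vault contents are all constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Assumed client-side floor (constructed value); a real client would pin its vendor's current default.
MIN_ITERATIONS = 600_000


def derive_master_key(password: str, salt: bytes, iterations: int,
                      floor: int = MIN_ITERATIONS) -> bytes:
    """PBKDF2 with a downgrade check. The iteration count is delivered by the
    server at login, so a client that accepts it unchecked can be pushed to 1."""
    if iterations < floor:
        raise ValueError(f"KDF downgrade: server sent {iterations}, client floor is {floor}")
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)


def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC keys derived from the vault key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Illustrative HMAC counter-mode keystream; not a production cipher.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_field(key: bytes, item_id: str, field: str, plaintext: bytes,
                  bind_context: bool) -> dict:
    """Encrypt one vault field. With bind_context=True the MAC also covers the
    item id and field name (the associated data an AEAD would take), so the
    blob only verifies in the slot it was written for."""
    nonce = os.urandom(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    aad = f"{item_id}:{field}".encode() if bind_context else b""
    tag = hmac.new(_subkey(key, b"mac"), aad + nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}


def decrypt_field(key: bytes, item_id: str, field: str, blob: dict,
                  bind_context: bool) -> bytes:
    """Verify the tag under the slot the client is reading, then decrypt."""
    aad = f"{item_id}:{field}".encode() if bind_context else b""
    mac_input = aad + blob["nonce"] + blob["ct"]
    expected = hmac.new(_subkey(key, b"mac"), mac_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        raise ValueError(f"integrity failure on {item_id}.{field}")
    ks = _keystream(_subkey(key, b"enc"), blob["nonce"], len(blob["ct"]))
    return bytes(c ^ k for c, k in zip(blob["ct"], ks))


def field_swap_detected(bind_context: bool) -> bool:
    """Simulate a malicious server moving the password blob of a high-value
    item into a low-value item. Returns True if the client notices."""
    key = os.urandom(32)
    # Constructed sample vault: two items, each password field encrypted separately.
    vault = {
        "bank": encrypt_field(key, "bank", "password", b"bank-secret", bind_context),
        "forum": encrypt_field(key, "forum", "password", b"forum-pw", bind_context),
    }
    # Server-side tampering: the two blobs are swapped without altering their bytes.
    tampered = {"bank": vault["forum"], "forum": vault["bank"]}
    try:
        shown = decrypt_field(key, "forum", "password", tampered["forum"], bind_context)
    except ValueError:
        return True
    # Without context binding the tag still verifies and the bank secret is shown under "forum".
    return shown != b"bank-secret"


if __name__ == "__main__":
    salt = os.urandom(16)
    print("master key:", derive_master_key("correct horse", salt, MIN_ITERATIONS).hex()[:16], "...")
    try:
        derive_master_key("correct horse", salt, 1)
    except ValueError as err:
        print("rejected:", err)
    print("unbound fields, swap detected:", field_swap_detected(False))
    print("bound fields,   swap detected:", field_swap_detected(True))
```

The defensive points are the two checks: the client pins a minimum iteration count locally rather than trusting the value the server returns, and every ciphertext carries the identity of the entry and field it belongs to inside the authenticated data. Swapping blobs between entries then fails verification instead of silently surfacing a high-value secret in a low-value slot.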
## Practical Implications
### For Security Practitioners
- **Zero-Knowledge is not Absolute:** Recognize that "zero-knowledge" claims often rely on the integrity of the server-side delivery of the client-side code.
- **Enterprise Risk:** The compromise of a password manager provider can lead to a "cascade failure" across an entire organization’s identity infrastructure.
### For Defenders
- **Hardened Configurations:** Ensure that enterprise policies enforce the highest available encryption standards and KDF iterations offered by the vendor.
- **MFA Importance:** While these attacks target the vault itself, robust Multi-Factor Authentication (MFA) remains a critical layer, though it may not stop server-side vault manipulation.
### For Researchers
- **Verification of Fixes:** Ongoing audits are needed to ensure that the patches deployed by Bitwarden, Dashlane, and LastPass effectively address the architectural roots of these flaws rather than just the symptoms.
## Limitations
- **Malicious Server Model:** These attacks generally require the service provider's server to be compromised or acting maliciously. They are not "remote" attacks that can be executed by a third party without server access.
- **Vendor Response:** The paper notes that vendors have begun implementing countermeasures, meaning some specific vectors may be closed in current versions.
## Comparison to Prior Work
While previous research often focused on memory forensics (recovering passwords from RAM) or local OS vulnerabilities, this study is a significant advancement in **protocol-level analysis** of the interaction between the cloud and the client.
## Real-world Applications
- **Audit Frameworks:** This research provides a roadmap for auditing future "Zero-Knowledge" SaaS products.
- **Product Selection:** Organizations can use these findings to demand more rigorous cryptographic protocols (such as SRP, the Secure Remote Password protocol) and evidence of their correct use from their vendors.
## Future Work
- **Static Vault Analysis:** Investigating if "offline" vaults stored on disk are susceptible to similar field-swapping attacks.
- **Mobile vs. Desktop:** Comparing the security posture of mobile apps versus browser extensions for the same service providers.
## References
- Scarlata, M., Torrisi, G., Backendal, M., and Paterson, K. G. (2026). *Broken Knowledge: Vulnerabilities in Cloud-Based Password Managers.* Research website: https://zkae.io/
- 1Password. *Security Design White Paper.* https://agilebits.github.io/security-design/
- ETH Zurich News (2026). https://ethz.ch/en/news-and-events/eth-news/news/2026/02/password-managers-less-secure-than-promised.html