For years, password managers have marketed themselves as secure vaults that even the provider cannot open. This zero-knowledge principle is meant to reassure users that their most sensitive data stays protected even if the provider's servers are breached. New academic research casts serious doubt on how far that promise actually extends.
Researchers at ETH Zurich and USI Lugano analyzed several popular password managers and concluded that the claim that providers cannot see users’ vaults does not always hold true.
In specific configurations, someone with server access (for example after a breach, or an insider abusing administrative rights) can still read data and in some cases take over entire vaults. These are not exotic edge cases but features that many organizations use in day-to-day operation.
The study focused on Bitwarden, Dashlane, and LastPass, among others. According to Ars Technica, these managers together account for tens of millions of users. These services publicly state that no one can access stored data without a master password.
According to the researchers, this is only true as long as certain recovery and sharing options remain disabled. As soon as account recovery, group sharing, or support for older clients is enabled, the server gains an influence over key material that the zero-knowledge claim assumes it does not have, and attack vectors arise.
Attackers can manipulate servers
A major problem lies in the way account recovery is set up. In some products, cryptographic keys are exchanged when a new user is added or an account is recovered, and the receiving client does not verify that the key it was handed actually belongs to the intended party. The server is supposed to be an untrusted relay, yet in these flows it is implicitly trusted to pass keys along honestly.
An attacker who controls the server can therefore replace those keys with ones they generated themselves. Data that is subsequently encrypted to the substituted key can be decrypted by the attacker. The researchers emphasize that this is not about breaking strong encryption, but about abusing the processes that surround it: the cryptography works as designed, it is just applied to a key the attacker chose.
According to the researchers, these vulnerabilities are remarkably simple. In their publication they write that the problems are not particularly deep from a technical point of view, yet remained undetected for years. They find this notable given the extensive prior research on password managers and the audits the vendors have commissioned, and take it as a sign that blind spots remain in secure design practice: audits tend to scrutinize the encryption itself rather than the recovery and sharing flows that decide which key the encryption uses.
The three products examined are not the only ones at risk. In interviews, the researchers indicated that similar designs appear in other managers. The only additional service they named was 1Password, while stressing that there too, exposure depends on which features are enabled and how they are configured.
What does this mean for users? The research does not suggest that password managers are unsafe or should be abandoned en masse. It does make clear, as Ars Technica notes, that zero knowledge is not an absolute guarantee but a design goal that rests on assumptions. Once those assumptions are broken, for example through account recovery or shared vaults, the threat model shifts and the server becomes a party the design has to defend against. For organizations and high-risk users it is therefore wise to weigh which of these features are genuinely necessary and what additional exposure they bring, and to ask the vendor a concrete question: when the server hands a client a key during recovery or sharing, how does the client verify that the key belongs to the intended party?