Uncovering Password Manager Vulnerabilities: 25 Attacks and How They're Being Addressed (2026)

Your passwords might not be as safe as you think. A shocking new study reveals that some of the most popular cloud-based password managers—Bitwarden, Dashlane, and LastPass—are vulnerable to a staggering 25 password recovery attacks. But here's where it gets controversial: these vulnerabilities could potentially expose not just individual accounts, but entire organizational vaults. Should we still trust these tools with our most sensitive information?

Researchers from ETH Zurich and Università della Svizzera italiana uncovered these flaws by examining the zero-knowledge encryption (ZKE) promises made by these password managers. ZKE is a cryptographic technique that allows one party to prove they know a secret without revealing it. Sounds foolproof, right? Not quite. The study found that under certain conditions, malicious actors could exploit weaknesses in the system, ranging from integrity violations to full-scale vault compromises. And this is the part most people miss: these attacks aren’t just theoretical—they’re practical and could have real-world consequences.

Here’s the breakdown: Bitwarden faced 12 distinct attacks, LastPass seven, and Dashlane six. These vulnerabilities fall into four main categories:
1. Key Escrow Exploits: Attackers can compromise the confidentiality guarantees of Bitwarden and LastPass by exploiting their account recovery mechanisms.
2. Flawed Item-Level Encryption: Poorly encrypted data items and metadata can lead to integrity violations, leakage, and even key derivation function downgrades.
3. Sharing Feature Vulnerabilities: Sharing passwords or vaults can inadvertently expose sensitive information.
4. Legacy Code Backdoors: Backward compatibility with outdated code opens the door to downgrade attacks in Bitwarden and Dashlane.
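To make the second and fourth categories concrete, here is an added illustration that is not code from the study or from any of the password managers named above. It models item-level vault encryption two ways: an "unbound" variant where each field's ciphertext is authenticated on its own, and a "bound" variant where the item id and field name are authenticated as associated data so a server cannot move a ciphertext between items without the client noticing. It also shows a client-side floor on server-supplied key derivation parameters, the kind of check that stops a KDF downgrade. The cipher (an HMAC-SHA256 keystream with an encrypt-then-MAC tag), the `MIN_PBKDF2_ITERATIONS` value, the item names and the secrets are all constructed for the example.

```python
"""Toy model of item-level vault encryption, unbound vs. bound, plus a
client-side floor on server-supplied KDF parameters.

Constructed illustration only: the cipher is an HMAC-SHA256 keystream with
an encrypt-then-MAC tag, chosen so the example runs on the standard library.
It demonstrates the binding idea, not a production-grade scheme."""
import hashlib
import hmac
import secrets

# Assumed minimum PBKDF2 work factor the client refuses to go below.
MIN_PBKDF2_ITERATIONS = 600_000


def derive_master_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Derive the 32-byte vault key from the master password."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=32)


def kdf_params_accepted(params: dict) -> bool:
    """Validate KDF parameters received from the server before deriving a key.
    A malicious or compromised server must not be able to lower the work factor
    or switch the client to an unexpected algorithm."""
    if params.get("kdf") != "pbkdf2-sha256":
        return False
    return int(params.get("iterations", 0)) >= MIN_PBKDF2_ITERATIONS


def _subkeys(key: bytes):
    """Separate encryption and MAC keys derived from the vault key."""
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream built from HMAC-SHA256 (toy, not for real use)."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def encrypt_field(key: bytes, item_id: str, field: str, value: str, bind: bool = True) -> dict:
    """Encrypt one vault field. With bind=True the item id and field name are
    covered by the tag as associated data, so the ciphertext cannot be moved
    to another item or field without failing verification."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    pt = value.encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(enc_key, nonce, len(pt))))
    aad = f"{item_id}:{field}".encode() if bind else b""
    tag = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}


def decrypt_field(key: bytes, item_id: str, field: str, blob: dict, bind: bool = True) -> str:
    """Decrypt one field, verifying the tag over the same associated data."""
    enc_key, mac_key = _subkeys(key)
    aad = f"{item_id}:{field}".encode() if bind else b""
    expected = hmac.new(mac_key, aad + blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        raise ValueError(f"integrity check failed for {item_id}.{field}")
    ks = _keystream(enc_key, blob["nonce"], len(blob["ct"]))
    return bytes(a ^ b for a, b in zip(blob["ct"], ks)).decode()


def swapped_item_decrypts_to(key: bytes, bind: bool):
    """Simulate a server that swaps the password ciphertexts of two items.
    Returns the value the client would show for the bank item, or None if
    the client detected the tampering."""
    vault = {
        "item-bank": encrypt_field(key, "item-bank", "password", "bank-secret", bind),
        "item-forum": encrypt_field(key, "item-forum", "password", "forum-secret", bind),
    }
    # Server-side tampering: serve the forum ciphertext under the bank item.
    vault["item-bank"], vault["item-forum"] = vault["item-forum"], vault["item-bank"]
    try:
        return decrypt_field(key, "item-bank", "password", vault["item-bank"], bind)
    except ValueError:
        return None


if __name__ == "__main__":
    salt = b"constructed-salt"
    key = derive_master_key("correct horse battery staple", salt, MIN_PBKDF2_ITERATIONS)
    print("unbound:", swapped_item_decrypts_to(key, bind=False))  # forum-secret
    print("bound:  ", swapped_item_decrypts_to(key, bind=True))   # None
    print("downgrade accepted:", kdf_params_accepted({"kdf": "pbkdf2-sha256", "iterations": 100_000}))  # False
```

The unbound variant decrypts the swapped ciphertext without complaint and hands the user the wrong secret under the wrong item, which is exactly an integrity violation the server could trigger. With binding, the same swap fails verification. The KDF floor is the simplest defence against the downgrade class: the client pins an acceptable algorithm and minimum work factor and treats anything weaker from the server as an error rather than a configuration to honour.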

But it doesn’t stop there. 1Password, another major player, was also found vulnerable to item-level vault encryption and sharing attacks. However, the company argues these are known architectural limitations, not new threats. Jacob DePriest, 1Password’s Chief Information Security Officer, assured users that their security architecture is continually evolving to counter advanced threats, including malicious-server scenarios.

So, what’s being done? Bitwarden, Dashlane, and LastPass have all implemented countermeasures. For instance, Dashlane patched a critical issue that allowed encryption downgrades, while LastPass is hardening its admin password reset workflows. Bitwarden has resolved or is actively addressing seven of the identified issues, with the remaining three deemed necessary for product functionality.

But here’s the million-dollar question: Are these fixes enough, or is the very foundation of cloud-based password managers inherently flawed? With over 60 million users and nearly 125,000 businesses relying on these tools, the stakes couldn’t be higher. Let’s spark a debate—do you still feel secure using these password managers, or is it time to explore alternative solutions? Share your thoughts in the comments below!

Author: Patricia Veum II

Last Updated:

Views: 5832

Rating: 4.3 / 5 (44 voted)

Reviews: 91% of readers found this page helpful

Author information

Name: Patricia Veum II

Birthday: 1994-12-16

Address: 2064 Little Summit, Goldieton, MS 97651-0862

Phone: +6873952696715

Job: Principal Officer

Hobby: Rafting, Cabaret, Candle making, Jigsaw puzzles, Inline skating, Magic, Graffiti

Introduction: My name is Patricia Veum II, I am a vast, combative, smiling, famous, inexpensive, zealous, sparkling person who loves writing and wants to share my knowledge and understanding with you.