Password managers' zero-knowledge claims fail under academic scrutiny

Researchers from ETH Zurich and Università della Svizzera italiana have exposed critical vulnerabilities in three leading password managers that claim to offer "zero-knowledge encryption" protection for user credentials.

The academic team tested Bitwarden, LastPass, and Dashlane by simulating malicious server compromises to evaluate whether these services could truly protect user secrets when their infrastructure is breached. Their findings reveal that all three products failed to deliver on their core security promises.

How the attacks worked

The researchers employed a "malicious server model" approach, setting up servers that mimicked compromised versions of the password managers' infrastructure. Unlike traditional vulnerability exploits targeting individual users, these attacks tested the fundamental security architecture of each service.

Bitwarden proved most vulnerable, with 12 distinct attack vectors successfully extracting encrypted passwords. LastPass suffered seven successful attacks, while Dashlane had six. In most cases, attackers could retrieve encrypted credentials and, in some instances, modify user entries entirely.

The zero-knowledge encryption problem

Zero-knowledge encryption theoretically ensures that even if a password manager's servers are compromised, attackers cannot access user passwords because encryption happens client-side before data reaches the server. The server merely stores encrypted blobs without the decryption keys.

However, the researchers discovered that all three vendors failed to implement this protection adequately. Seven of Bitwarden's successful attacks led to password disclosure, compared to three for LastPass and one for Dashlane.

The attacks exploited routine user interactions - logging in, opening vaults, viewing items, or performing data synchronization. More complex scenarios involved key rotations, joining organizations, sharing credentials, or interacting with misleading dialogs.

Vendor responses and fixes

Dashlane responded most comprehensively, acknowledging the findings and publishing a detailed security advisory. The company confirmed it had fixed the most serious vulnerability that could lead to password disclosure through encryption downgrade attacks.

"Dashlane has fixed an issue that, if Dashlane's servers were fully compromised, could have allowed a downgrade of the encryption model used to generate encryption keys and protect user vaults," the company stated. The vulnerability stemmed from legacy cryptography support maintained for backward compatibility.

Bitwarden emphasized that it "has never been breached" and welcomed the third-party assessment as critical for maintaining state-of-the-art security. The company thanked ETH Zurich for their insights while noting the value of external security research.

LastPass took a more measured approach, stating that while their security team appreciated the opportunity to engage with researchers, their own risk assessment may not fully align with the severity ratings assigned by ETH Zurich. The company confirmed implementation of "multiple near-term hardening measures" while planning longer-term remediation.

Why password managers failed this test

The researchers noted that password managers have largely escaped the rigorous academic scrutiny applied to end-to-end encrypted messaging applications. This oversight occurred partly because password managers appear simpler - deriving keys and encrypting them - but their actual codebases are considerably more complex.

Features like family account sharing and backward compatibility with older encryption standards introduce significant complexity that creates attack surfaces. Some vendors have gone to extreme lengths to support older formats, inadvertently creating vulnerabilities.

Recommendations for the industry

The primary recommendation from the research team is straightforward: ensure all new users are onboarded with the latest cryptographic standards by default. This approach avoids the complexity of maintaining backward compatibility while protecting new accounts from known vulnerabilities.

For existing users, the researchers suggest offering a clear choice between migrating to updated security standards or remaining on legacy systems with full disclosure of associated risks. This transparency would help users make informed decisions about their security posture.

Broader implications

The study raises serious questions about the security claims made by password manager vendors across the industry. The researchers believe the same weaknesses likely affect other providers and cannot rule out that advanced threat actors, including government-backed hackers, may already be exploiting similar vulnerabilities.

Professor Kenneth Paterson of ETH Zurich expressed surprise at the severity of the vulnerabilities discovered, noting that "since end-to-end encryption is still relatively new in commercial services, it seems that no one had ever examined it in detail before."

The research underscores a critical gap between marketing claims and actual security implementation in the password management industry, suggesting that users may need to reassess their trust in these services' ability to protect their most sensitive credentials.