Is Your Password Manager Actually Safe After the Latest ETH Zurich Security Findings?
A comprehensive security study conducted by ETH Zurich in February 2026 identified serious vulnerabilities in the “Zero Knowledge” architecture of Bitwarden, LastPass, and Dashlane.
Password Manager Security: A Critical Look at the ETH Zurich Findings
Millions rely on password managers to secure their digital lives. We trust these tools to safeguard banking credentials and personal data using “Zero Knowledge” encryption. However, recent research from ETH Zurich suggests this trust may be misplaced. A team from the Institute for Information Security has demonstrated that widely used managers like Bitwarden, LastPass, and Dashlane contain critical flaws that could allow attackers to view or modify your passwords.
The Reality of “Zero Knowledge” Claims
Marketing materials for these services often promise that not even the company can access your data. This concept is known as Zero Knowledge encryption. In theory, your master password encrypts everything locally before it reaches the cloud.
The researchers tested this claim against a specific threat: a “malicious server.” They set up servers that mimicked the behavior of a compromised password manager provider. The results were concerning. If a provider’s server were hacked or turned malicious, it could trick your app (the client) into revealing information. The team successfully executed 12 distinct attacks on Bitwarden, 7 on LastPass, and 6 on Dashlane.
Breakdown of Vulnerabilities
The study highlights that these tools often prioritize user-friendly features over strict cryptographic security. Features like account recovery and family sharing introduce complexity that weakens the system.
Bitwarden
Bitwarden faced the highest number of demonstrated attacks. Researchers found issues with key authentication and separation. In one scenario, a malicious server could substitute public keys when a user joined an organization, potentially compromising the entire vault. Other flaws allowed the server to downgrade encryption settings to weaker standards, making brute-force attacks significantly easier.
LastPass
LastPass showed vulnerabilities related to ciphertext integrity. The researchers used the older AES-CBC encryption mode still present in the code to manipulate vault data. Because the system lacked proper checks to ensure the encrypted data had not been altered, a malicious server could swap fields or modify items without the user knowing.
Dashlane
Dashlane’s vulnerabilities largely stemmed from how it handled data synchronization and sharing. The team demonstrated “transaction replay” attacks where old data could be forced back onto a user’s device. Like the others, Dashlane also struggled with issues regarding key verification during sharing processes.
Vendor Response and Your Next Steps
The research team practiced responsible disclosure. They notified all three vendors 90 days before publishing their findings. The response was mixed. While vendors were generally cooperative, the speed of their fixes varied.
Bitwarden has released updates addressing key iteration counts and removing some legacy encryption modes.
Dashlane and LastPass have acknowledged the issues and patched specific vulnerabilities, though some architectural risks regarding legacy support remain.
Advisory Recommendation
You do not need to abandon password managers immediately. They remain safer than reusing passwords across sites. However, you should take specific actions to harden your security:
- Update Immediately: Ensure your browser extensions and mobile apps are running the latest versions to apply recent patches.
- Check Iteration Counts: For Bitwarden, verify your KDF (Key Derivation Function) iterations are set to a high number (e.g., 600,000+) to resist brute-force attempts.
- Remain Vigilant: Be aware that “Zero Knowledge” is difficult to implement perfectly in cloud-based systems that also offer convenient recovery features.
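The server-driven downgrade described for Bitwarden above and the iteration-count check recommended here share one mitigation: the client must not trust whatever KDF settings the server announces at login. The following is an added example, not code from the ETH Zurich study or from any vendor; the parameter format, the `pbkdf2-sha256` identifier and the sample salt are assumptions constructed for this illustration, and the 600,000 floor is the figure from the recommendation above.

```python
# Added example (not code from the ETH Zurich paper or any vendor): a client-side
# guard that refuses server-supplied KDF settings weaker than a local floor or
# weaker than the settings this client last accepted, so a malicious or
# compromised server cannot quietly lower the cost of brute-forcing the vault.
import hashlib
from dataclasses import dataclass
from typing import Optional

MIN_ITERATIONS = 600_000                 # floor taken from the recommendation above
ALLOWED_ALGORITHMS = {"pbkdf2-sha256"}   # hypothetical identifier used only here


@dataclass(frozen=True)
class KdfParams:
    """KDF settings as a server announces them at login (constructed format)."""
    algorithm: str
    iterations: int
    salt: bytes


class KdfDowngradeError(ValueError):
    """Proposed KDF settings are weaker than this client is willing to use."""


def validate_kdf_params(proposed: KdfParams,
                        pinned: Optional[KdfParams] = None) -> KdfParams:
    """Accept settings only if they meet the floor and never weaken pinned ones."""
    if proposed.algorithm not in ALLOWED_ALGORITHMS:
        raise KdfDowngradeError(f"unsupported KDF {proposed.algorithm!r}")
    if proposed.iterations < MIN_ITERATIONS:
        raise KdfDowngradeError(
            f"{proposed.iterations} iterations is below the floor of {MIN_ITERATIONS}")
    if pinned is not None:
        if proposed.algorithm != pinned.algorithm:
            raise KdfDowngradeError("server changed the KDF algorithm without user action")
        if proposed.iterations < pinned.iterations:
            raise KdfDowngradeError(
                f"server lowered iterations from {pinned.iterations} to {proposed.iterations}")
    return proposed


def derive_master_key(master_password: str, proposed: KdfParams,
                      pinned: Optional[KdfParams] = None) -> bytes:
    """Derive the 256-bit vault key, but only after the settings pass validation."""
    params = validate_kdf_params(proposed, pinned)
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               params.salt, params.iterations, dklen=32)
```

The `pinned` value is whatever settings the client accepted on its last successful login, stored locally; raising the iteration count is allowed, lowering it or switching algorithms is refused until the user explicitly re-enrolls.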
The convenience of cloud syncing comes with inherent risks. As this study proves, even industry leaders have architectural blind spots that sophisticated attackers can exploit.