Your safe has a hole. Password managers lie about security

Your safe is not airtight

Researchers from ETH Zurich and USI Lugano analyzed the four most popular password managers – Bitwarden, Dashlane, LastPass and 1Password. The conclusions are quite alarming. These companies have been promising the so-called “zero knowledge” model, i.e. an architecture in which even they themselves do not have access to your passwords in decrypted form. In practice, it turns out that this promise has clear flaws, and in some cases it breaks completely.

Collectively, the researchers identified 27 attack scenarios: 12 against Bitwarden, 7 against LastPass, 6 against Dashlane and 2 against 1Password. Under certain conditions they were able to gain access to users' entire password vaults, and in some scenarios even to write data into them. However, the vulnerabilities do not appear under standard use; they come into play only when specific features are enabled, above all the so-called key escrow mechanisms, which let you regain access to the safe after losing the master password.

The technical context is important here. Researchers operated in the so-called malicious server model – their scenario assumes that the attacker has already taken control of the provider’s infrastructure. This is not a vulnerability that a hacker can remotely exploit against your account from outside. Only after the company’s servers are compromised do these vulnerabilities become dangerous. This sounds like a distant scenario – but such attacks on providers have happened in the past, and LastPass itself fell victim to a hack in 2022.

What is most disturbing is not the complexity of the discovered vulnerabilities but their simplicity. The researchers emphasize that most of the bugs found were relatively easy to exploit, which suggests insufficient verification of the cryptographic assumptions underlying the entire security model. They also warn that their conclusions very likely apply not only to the four analyzed applications but to a whole class of similar products.

Vendors are already reacting. Dashlane removed the most serious vulnerability in its November 2025 update. Bitwarden has fixed or is actively patching 7 of the 12 identified issues, LastPass has implemented ad hoc security measures, and 1Password has classified its two cases as known architectural limitations. Importantly, there is no evidence that anyone exploited these vulnerabilities in practice.

What does this mean in practice? A password manager is still a better choice than using the same three passwords everywhere. However, it is worth knowing that the account-recovery functions, those that let you recover your passwords even after losing your master password, work precisely because the provider keeps a copy of your encryption key. And that is where the researchers found gaps. If you don't need this option, consider turning it off for maximum security; but then you risk losing your data completely if you lose or forget your master password or passkey.
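To make the "malicious server" model from the paragraphs above concrete, here is an added illustration of why a key-escrow copy collapses the zero-knowledge promise. This is example code written for this article, not code from the ETH Zurich/USI Lugano researchers or from any of the four vendors, and it makes simplifying assumptions: the vault key is derived with PBKDF2-HMAC-SHA256 and the vault is sealed with AES-256-GCM as generic stand-ins for whatever each product actually uses; recovery is modelled as the provider storing a plain copy of the vault key (the `ServerRecord` struct, `enroll` and `providerCanRead` are constructed names); and the master password and vault contents are made-up sample data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

const kdfIterations = 100_000 // illustrative; real products use higher, vendor-specific counts

// pbkdf2SHA256 derives a 32-byte vault key from a master password (PBKDF2, RFC 8018).
// dkLen equals the SHA-256 output size, so a single block (index 1) is enough.
func pbkdf2SHA256(password, salt []byte, iters int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // big-endian block index
	u := mac.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < iters; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

// gcmFor builds AES-256-GCM; a bad key length is a programming error here (the KDF
// always yields 32 bytes) and NewGCM cannot fail for an AES block.
func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// sealVault encrypts the vault and prepends the random 12-byte nonce.
func sealVault(key, plaintext []byte) []byte {
	gcm := gcmFor(key)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// openVault reverses sealVault; a wrong key fails the GCM tag check instead of yielding garbage.
func openVault(key, sealed []byte) ([]byte, error) {
	gcm := gcmFor(key)
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, fmt.Errorf("sealed vault too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], nil)
}

// ServerRecord is everything the provider holds (a constructed model, not any vendor's
// real schema). EscrowedKey stays nil unless the user enables account recovery.
type ServerRecord struct {
	Salt, SealedVault, EscrowedKey []byte
}

// enroll is the client side: derive the key, seal the vault, upload. The client later
// unlocks by re-deriving the same key from the master password and the stored salt, so
// the server never needs the key. With recovery on, a copy of the key is escrowed anyway.
func enroll(masterPassword, vault string, recoveryEnabled bool) ServerRecord {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		panic(err)
	}
	key := pbkdf2SHA256([]byte(masterPassword), salt, kdfIterations)
	rec := ServerRecord{Salt: salt, SealedVault: sealVault(key, []byte(vault))}
	if recoveryEnabled {
		rec.EscrowedKey = key
	}
	return rec
}

// providerCanRead asks the malicious-server question: from the stored record alone,
// can whoever controls the server recover the plaintext vault?
func providerCanRead(rec ServerRecord) (string, bool) {
	if rec.EscrowedKey == nil {
		return "", false // ciphertext plus salt only: nothing to decrypt with
	}
	pt, err := openVault(rec.EscrowedKey, rec.SealedVault)
	return string(pt), err == nil
}

func main() {
	for _, recovery := range []bool{false, true} {
		rec := enroll("correct horse battery staple", "example.com: hunter2", recovery)
		_, readable := providerCanRead(rec)
		fmt.Printf("recovery=%v -> provider can read vault: %v\n", recovery, readable)
	}
}
```

The useful check is the difference between the two `enroll` calls: with recovery off, a compromised server holds a salt and an authenticated ciphertext and nothing else, so the master password is the only way in; with recovery on, the escrowed copy is all an attacker who already controls the infrastructure needs. That is the trade-off the article describes, turning recovery off removes the escrowed key but also the safety net.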

It is also worth following the reactions of software producers, because the researchers have published the full report and it will be difficult for them to downplay these conclusions.
