If you use a cloud-based password manager—and you probably should—you've likely seen the term "zero-knowledge encryption" on the marketing page. The promise is straightforward: your passwords are encrypted on your device before they ever reach the company's servers, and the provider has no ability to see what's inside your vault. Even if their servers were breached, your credentials would remain safe.

New research suggests that promise deserves more scrutiny.

A team of cryptography researchers from ETH Zurich has published a paper examining the security architectures of three widely used cloud-based password managers: Bitwarden, LastPass, and Dashlane. What they found is that, under certain conditions, a compromised server could allow an attacker to recover—or even modify—stored passwords, despite the zero-knowledge encryption guarantee.

What the Researchers Actually Found

The study, titled "Zero Knowledge (About) Encryption," was conducted by Matteo Scarlata, Giovanni Torrisi, Matilda Backendal, and Kenneth Paterson from the Applied Cryptography Group at ETH Zurich. The paper has been accepted at USENIX Security 2026, one of the top academic security conferences.

The researchers analyzed Bitwarden, LastPass, and Dashlane—three services that collectively serve over 60 million users and hold roughly 23% of the password manager market. They identified a total of 25 distinct attacks across the three products:

  • Bitwarden: 12 attacks
  • LastPass: 7 attacks
  • Dashlane: 6 attacks

According to the researchers, "the attacks range in severity from integrity violations to the complete compromise of all vaults in an organization," and "the majority of the attacks allow the recovery of passwords."

How the Attacks Work

The key concept is the "malicious server" threat model. The researchers set up their own servers that behaved like a compromised password manager server—one that, following a breach, deviates from expected behavior when interacting with users' browsers or apps.

The attacks didn't require any exotic techniques. The researchers found that normal, everyday interactions—logging into an account, opening a vault, viewing passwords, or syncing data between devices—gave the malicious server enough opportunities to exploit weaknesses in the cryptographic implementations.

"The promise is that even if someone is able to access the server, this does not pose a security risk to customers because the data is encrypted and therefore unreadable," said researcher Matilda Backendal. "We have now shown that this is not the case."

The vulnerabilities fell into four categories:

  • Key escrow mechanisms used for vault recovery
  • Item-level vault encryption weaknesses
  • Sharing feature design flaws
  • Legacy cryptographic support

The underlying design weaknesses included missing key authentication, lack of authenticated encryption, poor key separation, and continued support for outdated cryptographic methods. These allowed attackers who could tamper with server-stored data to manipulate encryption keys, metadata, or ciphertext.
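As an added illustration (not code from the paper or from any of the vendors), the following stdlib-only Python sketch shows why two of those weaknesses matter: a vault item encrypted without authentication silently decrypts to whatever a tampering server wants, while encrypt-then-MAC with separated keys and the item id bound as associated data rejects the same tampering. The master key, nonce, item id and the HMAC-based keystream (standing in for a real cipher such as AES-CTR) are constructed for the demo.

```python
import hmac
import hashlib

# Constructed sample values for the demo; not any vendor's real key or format.
MASTER_KEY = hashlib.sha256(b"constructed-demo-master-key").digest()
NONCE = b"\x01" * 16

def derive_subkey(master: bytes, purpose: bytes) -> bytes:
    # Key separation: distinct encryption and integrity keys derived from one master key.
    return hmac.new(master, purpose, hashlib.sha256).digest()

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # PRF-based keystream (HMAC-SHA256 over nonce||counter); stdlib stand-in for AES-CTR.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Unauthenticated encryption/decryption: a flipped ciphertext bit flips the same
    # plaintext bit and nothing detects it (the "lack of authenticated encryption" weakness).
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))

def seal_item(master: bytes, nonce: bytes, item_id: bytes, plaintext: bytes) -> tuple:
    # Encrypt-then-MAC; the item id is associated data, so a ciphertext cannot be
    # moved to another item or edited without the tag check failing.
    ct = xor_stream(derive_subkey(master, b"item-enc"), nonce, plaintext)
    tag = hmac.new(derive_subkey(master, b"item-mac"), item_id + nonce + ct, hashlib.sha256).digest()
    return ct, tag

def open_item(master: bytes, nonce: bytes, item_id: bytes, ct: bytes, tag: bytes) -> bytes:
    expected = hmac.new(derive_subkey(master, b"item-mac"), item_id + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("vault item failed integrity check")
    return xor_stream(derive_subkey(master, b"item-enc"), nonce, ct)

def tamper(ct: bytes) -> bytes:
    # Stand-in for a server that edits one byte of a stored ciphertext before syncing it.
    return bytes([ct[0] ^ 0x01]) + ct[1:]

def compare_designs() -> dict:
    # What the client ends up with under each design after identical server-side tampering.
    secret = b"hunter2"
    enc_key = derive_subkey(MASTER_KEY, b"item-enc")
    unauth_result = xor_stream(enc_key, NONCE, tamper(xor_stream(enc_key, NONCE, secret)))
    ct, tag = seal_item(MASTER_KEY, NONCE, b"item-42", secret)
    try:
        open_item(MASTER_KEY, NONCE, b"item-42", tamper(ct), tag)
        auth_result = "accepted"
    except ValueError:
        auth_result = "rejected"
    return {"unauthenticated": unauth_result, "authenticated": auth_result}
```

Running `compare_designs()` shows the unauthenticated design handing back a silently altered password while the authenticated design refuses the item outright.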

Kenneth Paterson noted that the team "was surprised by the severity of the security vulnerabilities." While they had previously discovered similar weaknesses in other cloud-based services, they had expected a higher standard from password managers given the sensitivity of the data they protect.

What "Zero Knowledge" Actually Means (and Doesn't)

One of the paper's most important findings isn't technical—it's definitional. The researchers point out that "zero-knowledge encryption" has no industry-accepted definition. It's a marketing term, not a cryptographic standard.

In proper cryptographic terminology, "zero knowledge" refers to a specific class of mathematical proofs in which one party convinces another that a statement is true (for example, that they know a secret) without revealing anything beyond that fact. What password managers mean when they say "zero knowledge" is something different: that their servers store your data in encrypted form and they don't hold the decryption key.

That's a meaningful distinction. The actual security guarantee depends entirely on how the encryption is implemented—the protocol design, key management, authentication mechanisms, and handling of legacy code. The ETH Zurich research demonstrates that even with encrypted data and server-side key separation, design weaknesses in these areas can undermine the intended protection.

For organizations evaluating password management solutions, this is a valuable reminder that security claims on a marketing page aren't the same as independently verified security guarantees. We covered the importance of evaluating vendor security claims in our piece on the shared responsibility model for data protection.

How the Vendors Responded

The researchers followed responsible disclosure practices, contacting all three vendors before publication and giving them 90 days to address the findings.

Dashlane patched an issue where a server compromise could have allowed a downgrade of the encryption model. The fix involved removing support for legacy cryptographic methods in Dashlane Extension version 6.2544.1, released in November 2025.

Bitwarden published a response acknowledging the research. The company stated that the study focused on a hypothetical "fully malicious server" scenario, that most findings were categorized as medium or low impact, and that all identified issues have been addressed. Bitwarden emphasized that it has never suffered a breach.

LastPass said its security team was "grateful for the opportunity to engage with ETH Zürich," though it noted that "our own assessment of these risks may not fully align with the severity ratings assigned by the ETH Zürich team."

1Password, which was included as an additional comparison point in the study, said it reviewed the research and found it doesn't describe any attacks not already documented in the company's own security design white paper.

Paterson noted that "for the most part, the providers were cooperative and appreciative, but not all were as quick when it came to fixing the security vulnerabilities."

Why This Matters for LastPass Users Specifically

For organizations using LastPass, these findings arrive in a complicated context. The company is still dealing with the fallout from its 2022 data breach, where attackers obtained encrypted copies of customer password vaults affecting more than 25 million users. As we covered in our article on the latest LastPass phishing campaign, consequences from that breach have continued to materialize—including an estimated $35 million in cryptocurrency thefts linked to cracked vaults through 2025.

The ETH Zurich research adds a new dimension to that picture. While the 2022 breach highlighted the risk of offline vault cracking (where an attacker tries to guess master passwords against stolen encrypted data), this research shows that even without stealing vault data, a compromised server could extract passwords through normal user interactions.

These are different attack surfaces, but they point to the same fundamental concern: the security of a password manager depends on far more than whether the vault data is encrypted.

Should You Stop Using Password Managers?

No. And the researchers themselves are clear on this point.

"Don't stop using password managers," the team wrote. "Using a password manager is probably the single most effective action you can take to strengthen your security."

They also added important context: "All of our attacks presume a malicious server. We have no reason to believe that the password manager vendors are currently malicious or compromised, and as long as things stay that way, your passwords are safe."

This isn't a reason to abandon password managers. It's a reason to understand what they protect against and what they don't—and to layer your security accordingly. We explored the broader case for strong credential management in our piece on what businesses still get wrong about password security.

What Organizations Should Take Away from This

For business owners and IT decision-makers, this research reinforces several practical considerations:

Evaluate Your Password Manager's Architecture

Not all password managers are built the same way. Some use a single master password as the sole protection for vault data. Others, like 1Password, use a dual-factor approach with both an account password and a separate Secret Key. The differences in architecture affect what happens in a worst-case scenario. Understanding your provider's security model—beyond the marketing language—is worth the effort.

Keep Software Updated

Some of the vulnerabilities identified in this research have already been patched. Dashlane, for example, addressed its legacy cryptography issue months before the paper was published. But patches only help if they're actually installed. Ensure that browser extensions and desktop applications are set to update automatically, and verify that updates are being applied across your organization.

Layer Your Defenses

A password manager is one layer of security, not a complete solution. Multi-factor authentication on critical accounts means that even if a password is somehow compromised, attackers still face an additional barrier. We discussed the practical value of MFA in our article on common MFA implementation mistakes.

Monitor for Breaches

If your password manager provider discloses a breach or vulnerability, take it seriously and act promptly. The LastPass experience showed that delayed response to a breach can have consequences that compound over years. Having an incident response process—even a simple one—makes a meaningful difference. We outlined the fundamentals in our piece on why you need a cyber attack response plan.

Stay Current on Password Best Practices

The broader password security landscape continues to evolve. NIST updated its password guidelines significantly, moving away from forced rotation and complexity requirements in favor of longer passphrases and breach detection. We covered those changes in our article on the latest NIST password guidelines. Keeping your organization's policies aligned with current standards reduces risk regardless of which password manager you use.

The Bigger Picture

This research doesn't mean password managers are broken. It means the marketing around them has, in some cases, overstated what their encryption architectures actually guarantee. "Zero knowledge" sounds like an ironclad promise—but the security of any system depends on the details of its implementation, not the label on the box.

For businesses, the practical lesson is familiar: no single tool eliminates risk. Password managers significantly reduce the likelihood of credential-related breaches by solving the problems of password reuse, weak passwords, and insecure storage. Those benefits are real and substantial. But they work best as part of a layered security approach—one that includes MFA, employee training, breach monitoring, and a clear response plan.

The ETH Zurich team's work is a reminder that trust in security products should be informed by evidence, not just reassuring marketing language. And that's a principle worth applying well beyond password managers.


This article is intended for informational purposes only and does not constitute professional security, legal, or compliance advice. Organizations should consult with qualified cybersecurity professionals to evaluate their specific password management needs and develop appropriate security policies.