ETH Zurich Research Reveals Critical Flaws in Password Managers

by Emma Walker – News Editor

Millions of users of popular password managers may be exposed to security risks, according to research published today by ETH Zürich. A study of Bitwarden, LastPass, and Dashlane – collectively serving approximately 60 million customers – revealed significant vulnerabilities that undermine the core security promises made by these providers.

The companies market their services with “Zero Knowledge Encryption,” a claim that user data is encrypted in a way that prevents even the service providers themselves from accessing it. Researchers from the Applied Cryptography Group at the Institute for Information Security at ETH Zürich demonstrated that this guarantee is misleading. They conducted 25 distinct attack simulations – twelve against Bitwarden, seven against LastPass, and six against Dashlane – successfully accessing and manipulating stored passwords.

“We were surprised by how large the security gaps are,” said Kenneth Paterson, a professor of computer science at ETH Zürich, in a statement accompanying the release of the findings. The researchers anticipated a higher security standard given the sensitive nature of the data managed by password managers, including credentials for bank accounts and credit cards.

The vulnerabilities stem from the complexity of these systems, researchers found. Providers continually add user-friendly features, such as password recovery options and family account sharing, which inadvertently create new attack vectors. Many services also continue to rely on outdated encryption technologies dating back to the 1990s, with providers hesitant to implement updates for fear of disrupting customer access to their data, according to the study.

The research team simulated compromised servers and demonstrated that attackers could not only access stored passwords but also alter them through standard user interactions – such as logging in, opening the vault, or synchronizing data. Matilda Backendal of the Università della Svizzera italiana in Lugano, who co-led the study, explained, “The promise is that even if someone can access the server, this does not pose a security risk to customers. We were able to show that this is not true.”

ETH Zürich notified the affected companies prior to publication, providing a 90-day window to address the identified issues. Professor Paterson advises users to select a provider that is transparent about security vulnerabilities and undergoes independent security audits. The study is scheduled to be presented at the USENIX Security 2026 conference.

According to SWI swissinfo.ch, Kenneth Paterson stated that these vulnerabilities make password managers a likely target for hacker attacks.
