Password Managers’ ‘Zero Knowledge’ Claims Debunked: Your Vault Isn’t Always Secure

by Rachel Kim – Technology Editor

A core security promise made by leading password managers – that user data remains inaccessible even if their servers are breached – has been called into question by new research. The findings, which examined Bitwarden, Dashlane, and LastPass, reveal potential vulnerabilities that could allow unauthorized access to stored passwords and other sensitive information.

According to the research, the three companies collectively serve an estimated 60 million users. The paper details methods by which a server administrator, or an attacker who has gained control of the servers, could steal user data and, in some cases, entire vaults. It also identifies attacks in which the server weakens the encryption protecting a vault, leaving the ciphertext readable.

The assurances from these companies have been central to their marketing and user trust. Bitwarden, for example, states that “not even the team at Bitwarden can read your data (even if we wanted to).” Dashlane claims that without a user’s master password, “malicious actors can’t steal the information, even if Dashlane’s servers are compromised.” LastPass asserts that no one can access vault data “except you (not even LastPass).”

The weaknesses identified in the research are made worse by account recovery features, and by configurations in which vaults are shared or users are organized into groups, because both require key material to be escrowed with, or exchanged through, the provider's servers. This challenges the widely promoted "zero knowledge" encryption model adopted by all eight of the top password managers, under which only the user is supposed to hold the decryption key. (In this marketing usage, "zero knowledge" means client-side, end-to-end encryption with no server copy of the key, not zero-knowledge proofs in the cryptographic sense; the guarantee holds only as long as the client code and the parameters the server supplies to it can be trusted.)

The increasing reliance on password managers is driven by the growing complexity of online security. As of 2026, approximately 36 percent of US adults – roughly 94 million people – use password managers to store credentials for financial accounts, email, cryptocurrency wallets, and other sensitive data. The need for robust security is particularly acute in the cryptocurrency space, where transactions are irreversible and compromised accounts can lead to permanent financial loss, according to CoinGate.

The findings come amid heightened awareness of security risks associated with password managers. Previous breaches at LastPass have already eroded user confidence, and the prospect of state-level actors targeting high-value users further underscores the need for rigorous security measures. Vault12 stresses protecting the master password itself and keeping a secure backup of it.

The research highlights the inherent trade-offs between security and usability. Although strong encryption is essential, features like account recovery and sharing introduce potential vulnerabilities that can compromise the “zero knowledge” promise. Crypto Bullseye Zone emphasizes the need for investors to carefully consider password storage methods and choose managers with robust security features.

As of February 25, 2026, Bitwarden, Dashlane, and LastPass have not publicly responded to the specific findings of the research.
