LastPass & Password Managers: Security Flaws Revealed by ETH Zurich Study

by Rachel Kim – Technology Editor

Millions of users relying on cloud-based password managers like LastPass and Bitwarden may not be receiving the security assurances promised by their providers, according to new research from ETH Zurich and the Università della Svizzera italiana (USI) in Switzerland. The study, released on February 17, 2026, identified vulnerabilities in the systems that could allow attackers to access user vaults and steal or alter credentials.

Researchers discovered 27 vulnerabilities across four popular password managers: Bitwarden, LastPass, Dashlane, and 1Password. Bitwarden was found to be susceptible to the most attacks – 12 – followed by LastPass with seven, Dashlane with six, and 1Password with two. The vulnerabilities center on four key areas: key escrow, vault encryption, sharing features, and backwards compatibility.

A significant concern highlighted in the research focuses on key escrow flaws, specifically vulnerabilities in account recovery features. Password managers often store copies of a user’s encryption keys to facilitate account recovery if the master password is lost or forgotten. However, the study found instances where these keys could be accessed without proper authentication, potentially allowing a hacker to manipulate the recovery process and gain access to a user’s vault. LastPass was found to have one such vulnerability, while Bitwarden had three.

The research challenges the “zero knowledge” claims made by many password manager providers, including Bitwarden, Dashlane, and LastPass. These companies assert that their encryption systems are designed so that even they, as the service providers, cannot access user data stored in the vaults. Bitwarden, for example, states that “not even the team at Bitwarden can read your data (even if we wanted to).” Dashlane similarly claims that without a user’s master password, “malicious actors can’t steal the information, even if Dashlane’s servers are compromised.” LastPass asserts that no one can access vault data except the user themselves.

“The promise is that even if someone can access the server, this does not pose a security risk to customers,” explained Matilda Backendal of the Università della Svizzera italiana in Lugano. “We have now been able to show that this is not the case.”

The research team notified the affected password manager companies 90 days prior to publication to allow them time to address the vulnerabilities. While the companies have been cooperative, the pace of remediation has varied. Bitwarden responded to the findings with a blog post emphasizing the benefits of its open-source architecture, which allows for third-party security audits. The company stated it has never experienced a security breach and views external security evaluations as essential for maintaining a high level of security.

Researchers have proposed that password manager companies upgrade the cryptographic systems used for new customers and offer existing customers the option to migrate to the more secure system. They also recommend users choose password managers that openly disclose security vulnerabilities, undergo external audits, and enable end-to-end encryption by default.

The findings raise concerns about the security of the over 60 million users and 125,000 businesses that rely on these password managers. The vulnerabilities discovered could allow attackers to alter and steal credentials, potentially leading to significant financial losses and data breaches.
