A new study from ETH Zurich is causing some serious re-evaluation of the use of cloud-based password managers, as the researchers found an assortment of vulnerabilities in three of the most popular choices. This range of vulnerabilities make a similar range of known attacks possible, up to a dozen with the most readily compromised option.
The researchers examined how Bitwarden, LastPass and DashLane would hold up to communication with a malicious server attempting to unlock user secrets. The research indicates the “zero-knowledge encryption (ZKE)” protocol frequently implemented by password managers for convenience is not nearly as robust as true end-to-end encryption (E2EE), and repeatedly shows vulnerability to certain categories of attack.
Security fundaments of cloud-connected password managers may be shaky
As the study notes, the majority of password managers are now cloud-based for user convenience in moving between different devices as well as having shared accounts at work or with friends and family. That generally means the use of ZKE authentication instead of E2EE, with the password managers storing the passwords on local servers but promising to have no visibility into them on their end. In addition, these companies usually advertise full security against breaches of their own servers as the attackers would similarly not be able to unlock the encrypted passwords that they are holding.
The ETH Zurich research finds those claims about ZKE do not hold up so well, at least for a sample size of three of the biggest and most recognized password managers on the market. The researchers found that each could be breached by an assortment of four broad categories of attack type. While each of the password managers was subject to a different collection of specific vulnerabilities, each could also be compromised in several different ways: six in total for DashLane, seven for LastPass and a whopping 12 for Bitwarden.
The key to all of these attacks is connecting the password managers to a hacked malicious server, which the researchers simulated. All of the attacks would also only require the user to perform routine actions such as logging in to the software, opening or viewing their vaults, or syncing data between devices. These vulnerabilities are also present in an assortment of other cloud-based services, but the researchers had set out assuming that password managers would have an expected higher level of security.
The researchers believe that, as happens so often, user-friendliness is conflicting with security and convenience for the users is tending to win out. The researchers ethically disclosed the vulnerabilities to the various providers of the password managers 90 days ahead of publication, and report that while all three were responsive not all of the vulnerabilities had been addressed by the time the study was made public.
User convenience, worries about updates breaking device compatibility are limiting security of password managers
The three password managers studied here are far from the totality of those available, but they are a good representative sample as they have some 60 million global users between them and collectively make up just shy of a quarter of the market. Though the study did not subject it to the same rigors, it noted that 1Password (about 15 million users) is additionally potentially vulnerable to two of the attack categories examined in the study. 1Password has responded to the study by claiming it has not found any new attack vectors and that its Secure Remote Password (SRP) provides substantial additional protection against server-side attacks.
One issue common to nearly all of the password managers is the insistence upon keeping legacy encryption methods available for the convenience of users that do not want to modernize older files or systems, some dating back to the 1990s in some cases. One category of attack made possible by a server compromise is a “downgrade” of the encryption model used to generate keys, converting it to something that more modest hardware could crack or that might be vulnerable to other known approaches. DashLane began phasing out legacy encryption methods for this reason in November 2025 and recently issued a patch to shore up potential remaining holes.
Though 1Password fared the best out of the companies that were tested, it was forthcoming about “architectural limitations” in cloud-based password managers always creating at least some level of security risk (the company has previously disclosed expected risks of this type in a Security Design Whitepaper).
Jacob Krell, Senior Director: Secure AI Solutions & Cybersecurity at Suzu Labs, notes that there is a certain level of user action and awareness required for safe use of these services and that it is largely absence of this that opens the door for these types of exploitation: “It is important to note that these attacks still require normal user actions. Someone has to log in, sync, accept an organization invite, or trigger a recovery flow. The researchers exploited design choices around account recovery, sharing, backwards compatibility, and legacy key handling, not the underlying encryption. The crypto itself holds up. The problem is how keys are exchanged, trusted, and downgraded. The ETH Zurich team noted that some of these vendors are still relying on cryptographic approaches from the 1990s to maintain backwards compatibility, and that complexity is what creates the opening. The study also shows clear differences between vendors. 1Password held up better because it adds a high-entropy secret key alongside the master password.”
“The researchers noted that combination should put brute-force attacks out of reach. Products that lean more heavily on the master password alone have a larger attack surface. All vendors have been notified and remediation is underway, but the researchers cautioned that the risks likely extend to other cloud-based password managers beyond those studied. The steady drumbeat of breaches across industries still means strong, unique passwords matter more than ever. There is no realistic way to maintain hundreds of strong passwords without some form of vault management. This research should push the industry toward better design and clearer threat modeling. Organizations should favor providers that explain their architecture in plain terms and have had external review,” added Krell.

