Researchers Reveal 27 Attack Techniques Against Leading Password Managers, Warning of Data Exposure If Servers Are Compromised


Tuesday, February 24, 2026

A research team from ETH Zurich and the Università della Svizzera italiana, led by Professor Kenneth Paterson, has published alarming findings about popular password management services such as Bitwarden, LastPass, and Dashlane. The study challenges the widely promoted concept of “zero-knowledge encryption” (the claim that the service provider cannot access user data), suggesting it may not be completely secure under certain threat models. The researchers demonstrated 27 different attack techniques, showing that if an attacker gains control of a provider’s server, encrypted password vault data could potentially be decrypted.

The most concerning technique involves what the researchers call a “malicious server model.” In this scenario, a compromised server sends manipulated data to the user’s application, tricking it into leaking sensitive information. One example is the “field swap” vulnerability found in Bitwarden and LastPass, where an attacker controlling the server could move the encrypted password ciphertext into the URL field, causing the application to decrypt it as a URL and unintentionally expose the credential when loading website icons. Another issue involves backward-compatibility weaknesses: legacy encryption methods (some dating back up to 15 years) could still be invoked by the server, enabling an attacker to guess passwords byte by byte. Additional vulnerabilities were identified in account sharing and recovery mechanisms, which could allow an attacker to obtain decryption privileges for a user’s master key if the client blindly trusts the compromised server.
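The field-swap problem above is, at root, a ciphertext that is not bound to the slot it belongs in: if the server can serve the password blob in the URL slot and the client decrypts it as a URL, the secret escapes through a code path that was never meant to handle it. The following Go program is an added illustration written for this article; it is not code from the paper or from any of the password managers named here, and it does not reproduce how those products actually encrypt vault fields. It models one vault item as a map of field name to AES-GCM blob, with a `bindFields` switch: when off, all fields are encrypted under the same key with no associated data, so a swapped password blob decrypts cleanly in the URL slot; when on, the field name is passed as GCM associated data, so the same swap fails tag verification and the client fetches nothing. All names (`VaultCipher`, `SimulateFieldSwap`, the sample item) are invented for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// VaultCipher encrypts the fields of one vault item (hypothetical design for this example).
type VaultCipher struct {
	aead       cipher.AEAD
	bindFields bool // false: weak design, ciphertexts are interchangeable; true: bound to field name
}

// NewVaultCipher takes a 16-, 24- or 32-byte item key.
func NewVaultCipher(key []byte, bindFields bool) (*VaultCipher, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &VaultCipher{aead: aead, bindFields: bindFields}, nil
}

// aad returns the associated data used for a field: the field name when binding is on, else nothing.
func (v *VaultCipher) aad(field string) []byte {
	if v.bindFields {
		return []byte(field)
	}
	return nil
}

// SealField encrypts value for the named field. Output layout: nonce || ciphertext || tag.
func (v *VaultCipher) SealField(field string, value []byte) ([]byte, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return v.aead.Seal(nonce, nonce, value, v.aad(field)), nil
}

// OpenField decrypts blob as the named field. With binding on, a blob sealed under
// a different field name fails authentication and nothing is returned.
func (v *VaultCipher) OpenField(field string, blob []byte) ([]byte, error) {
	ns := v.aead.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return v.aead.Open(nil, blob[:ns], blob[ns:], v.aad(field))
}

// Record is a vault item as the server stores it: field name -> opaque blob.
type Record map[string][]byte

// FaviconTarget models the client step that decrypts the URL field to decide which
// site icon to fetch. It returns the string the client would use as a URL, or an error
// (and fetches nothing) when the field does not authenticate.
func FaviconTarget(v *VaultCipher, rec Record) (string, error) {
	url, err := v.OpenField("url", rec["url"])
	if err != nil {
		return "", err
	}
	return string(url), nil
}

// SimulateFieldSwap seals a constructed item, then mimics a malicious server that
// returns the password blob in the url slot. It reports the honest URL, whatever the
// client would have treated as a URL after the swap, and whether the swap was rejected.
func SimulateFieldSwap(key []byte, bindFields bool) (honestURL, swappedURL string, rejected bool, err error) {
	v, err := NewVaultCipher(key, bindFields)
	if err != nil {
		return "", "", false, err
	}
	rec := Record{} // constructed sample item, not real data
	rec["url"], err = v.SealField("url", []byte("https://example.com"))
	if err != nil {
		return "", "", false, err
	}
	rec["password"], err = v.SealField("password", []byte("correct horse battery staple"))
	if err != nil {
		return "", "", false, err
	}
	if honestURL, err = FaviconTarget(v, rec); err != nil {
		return "", "", false, err
	}
	tampered := Record{"url": rec["password"], "password": rec["password"]}
	swappedURL, swapErr := FaviconTarget(v, tampered)
	return honestURL, swappedURL, swapErr != nil, nil
}

func main() {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	for _, bind := range []bool{false, true} {
		honest, swapped, rejected, err := SimulateFieldSwap(key, bind)
		if err != nil {
			panic(err)
		}
		fmt.Printf("bindFields=%v honest url=%q after swap url=%q rejected=%v\n", bind, honest, swapped, rejected)
	}
}
```

The check that matters is in `OpenField`: with binding on, the decrypting side supplies the field name it expects, so a blob relocated by the server cannot pass as anything other than what it was sealed as. The same idea extends to binding ciphertexts to the item ID or the cipher version, which is the kind of context a client should verify rather than take from the server.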

However, the study found that 1Password demonstrated the strongest resilience among the evaluated services. Its use of a Secret Key (a second factor stored only on the user’s device and never sent to the provider) makes server-side compromise attacks mathematically impractical, even if the provider’s infrastructure is breached. Following a 90-day responsible disclosure period, Dashlane and Bitwarden have begun releasing patches to address the identified weaknesses. Security experts strongly recommend that users update their password manager applications immediately and, where possible, enable a hardware security key (such as a YubiKey) to add a physical security layer that remote attackers cannot bypass.

Source: https://hackread.com/researchers-demonstrate-password-managers-attacks/