New study finds security gaps in Bitwarden, LastPass, and Dashlane

Skye Jacobs

WTF?! Cloud password managers have sold a simple promise for years: total security through "zero-knowledge encryption." But a new analysis from researchers at ETH Zurich shows that even the most respected products – Bitwarden, LastPass, and Dashlane – don't live up to that claim. Despite marketing that guarantees only users can access their passwords, the study found flaws that could allow a compromised server to expose, or even alter, sensitive data stored in supposedly sealed vaults.

The research, led by ETH Zurich's Applied Cryptography Group, tested core encryption systems in the three most widely used cloud password managers. Together, these services manage credentials for roughly 60 million users – an enormous share of the market.

Using what they describe as a "malicious server threat model," the researchers simulated a hacked server that deviates from the expected protocol during client interactions such as logins or data syncs. The results were sobering: 12 successful attacks against Bitwarden, seven against LastPass, and six against Dashlane.

In many cases, the team achieved full access to passwords and account data, demonstrating how attackers could manipulate ordinary user actions to breach vaults.

Professor Kenneth Paterson, who heads the ETH Zurich group, said the vulnerabilities were more severe than expected. His team had uncovered similar issues in other cloud-based applications, but assumed password managers – given their role as digital safes for credential data – had developed stronger safeguards.

Instead, they found systems built around encryption architectures that gave servers too much influence over the decryption process.
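As an added illustration, and not code from the ETH Zurich study or from any of the three products, the Python sketch below models the threat in the abstract: a server that never holds the vault key but controls everything the client syncs. Design A stores ciphertext alone and implicitly trusts the server for integrity; design B uses encrypt-then-MAC with the record's identifier bound into the tag. The vault entries, the toy HMAC-based stream cipher, the two attacker moves (a bit-flip that rewrites a stored URL, and serving one record's ciphertext under another record's id) and the assumption that the server can predict the plaintext layout at the flipped offset are all constructed for this example; they are not the attacks described in the paper.

```python
import hashlib
import hmac
import json
import os


def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stdlib stand-in for a CTR-mode cipher."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()


# Design A (weak): ciphertext only; integrity is silently delegated to the server.
def encrypt_a(key: bytes, item_id: str, plaintext: bytes) -> dict:
    nonce = os.urandom(16)
    ct = xor(plaintext, keystream(subkey(key, b"enc"), nonce, len(plaintext)))
    return {"id": item_id, "nonce": nonce.hex(), "ct": ct.hex()}


def decrypt_a(key: bytes, rec: dict) -> bytes:
    nonce, ct = bytes.fromhex(rec["nonce"]), bytes.fromhex(rec["ct"])
    return xor(ct, keystream(subkey(key, b"enc"), nonce, len(ct)))


# Design B (hardened): encrypt-then-MAC, with the id the record is stored under
# bound into the tag, so the server can neither edit nor relabel a record.
def encrypt_b(key: bytes, item_id: str, plaintext: bytes) -> dict:
    rec = encrypt_a(key, item_id, plaintext)
    nonce, ct = bytes.fromhex(rec["nonce"]), bytes.fromhex(rec["ct"])
    tag = hmac.new(subkey(key, b"mac"), item_id.encode() + nonce + ct, hashlib.sha256)
    rec["tag"] = tag.hexdigest()
    return rec


def decrypt_b(key: bytes, rec: dict) -> bytes:
    nonce, ct = bytes.fromhex(rec["nonce"]), bytes.fromhex(rec["ct"])
    expected = hmac.new(subkey(key, b"mac"), rec["id"].encode() + nonce + ct, hashlib.sha256)
    if not hmac.compare_digest(expected.hexdigest(), rec.get("tag", "")):
        raise ValueError("vault record failed integrity check: " + rec["id"])
    return xor(ct, keystream(subkey(key, b"enc"), nonce, len(ct)))


# The malicious server: it never sees the key, but it decides what the client syncs.
def server_flip(rec: dict, offset: int, old: bytes, new: bytes) -> dict:
    """Rewrite plaintext bytes at `offset` from `old` to `new` without the key.
    Works on any stream/CTR ciphertext when the server can predict the plaintext
    at that position (hypothetical here: a fixed JSON layout and a guessable URL)."""
    ct = bytearray(bytes.fromhex(rec["ct"]))
    for i, (o, n) in enumerate(zip(old, new)):
        ct[offset + i] ^= o ^ n
    return {**rec, "ct": bytes(ct).hex()}


def server_swap(records: dict, victim_id: str, target_id: str) -> dict:
    """Serve `victim_id`'s ciphertext under `target_id`'s label (no key needed)."""
    swapped = dict(records)
    swapped[target_id] = {**records[victim_id], "id": target_id}
    return swapped


def run_demo(key: bytes = b"\x01" * 32) -> dict:
    """Run both attacks against both designs; returns what the client would see."""
    # Constructed vault entries; the fixed serialization makes offsets predictable.
    bank = json.dumps({"url": "https://login.example.com", "pw": "S3cret-bank"}).encode()
    forum = json.dumps({"url": "https://forum.example.org", "pw": "forum-pw"}).encode()
    results = {}
    for name, enc, dec in (("A", encrypt_a, decrypt_a), ("B", encrypt_b, decrypt_b)):
        vault = {"bank": enc(key, "bank", bank), "forum": enc(key, "forum", forum)}
        # Attack 1 (alter): redirect the stored URL to a lookalike host of equal length.
        off = bank.index(b"example.com")
        tampered = server_flip(vault["bank"], off, b"example.com", b"examp1e.com")
        try:
            results[name + "_alter"] = json.loads(dec(key, tampered))["url"]
        except ValueError:
            results[name + "_alter"] = "rejected"
        # Attack 2 (expose): return the bank record where the forum record belongs.
        swapped = server_swap(vault, "bank", "forum")
        try:
            results[name + "_swap"] = json.loads(dec(key, swapped["forum"]))["pw"]
        except ValueError:
            results[name + "_swap"] = "rejected"
    return results


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, "->", v)
```

Under design A the client autofills a password into a lookalike domain and hands the bank credential to the forum entry without any error; under design B both records fail the tag check and are rejected. Binding the record id into the tag is what stops the swap: a tag over ciphertext alone would still verify after relabelling. The same discipline has to cover every other input the client accepts from the server, which is why the convenience features mentioned below widen the attack surface.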

According to doctoral student Matteo Scarlata, one reason for these architectural weaknesses lies in the tension between security and convenience. Password manager developers aim to keep user experience as smooth as possible, offering features such as account recovery and family sharing.

But those conveniences introduce complexity, which expands the attack surface. "Such attacks do not require particularly powerful computers or servers – just small programs capable of impersonating the server," Scarlata said.

Paterson's group provided the affected companies 90 days to patch the vulnerabilities before publicly disclosing their results. Most vendors responded cooperatively, though some were slow to address underlying issues.

The researchers noted that developers are often reluctant to overhaul encryption systems out of fear that customers could lose access to their stored data – a risk particularly concerning for enterprise clients managing employee credentials across organizations. Many providers therefore continue relying on cryptographic frameworks dating back to the 1990s, long considered obsolete in academic circles.

The ETH team is now pushing for modernization. Scarlata recommends a hybrid transition model that would bring new customers onto updated architectures while allowing existing users to migrate voluntarily with full awareness of the risks. Future systems, the researchers argue, should default to modern end-to-end encryption and undergo consistent third-party auditing.

Despite serious flaws, the researchers emphasize that password managers remain valuable tools for managing the hundreds of credentials most users face. Paterson advises users to favor services that are open about their security limitations and subject to independent review. The ultimate goal, he said, isn't to discredit the technology but to force greater transparency and more robust design principles across the industry.

 
I’ve said this numerous times on here… DO NOT put your passwords all in one place online - especially a password manager!!

ANYTHING you put online WILL be compromised eventually. Don’t make it easy for hackers.

Make a different password for every account you have - doesn’t have to be crazy strong (but not something a simple word-list can be used to crack) as when a site is inevitably hacked, it will be compromised eventually even if it’s 100 random characters.

If your memory is failing, use a piece of paper to write them down - just don’t label it “passwords” and don’t leave it in an easy to find place.
 
Well, among the many there are, I use Password Wallet Sync (both on Android and Windows) which is based on OneDrive and therefore intrinsically secure unless you breach OneDrive's security.
 
Stay out of the clouds!! There could be a storm in there.

Use KeePass, it's highly rated and totally OFFLINE.

It's also not in the browser, so a hacked browser doesn't get your passwords.

As well, its auto-type feature sends the characters to the browser as if they were typed in so a hacked browser can't find the passwords that way either.
 
Security.org password checker says my 32 character passwords would take 3 hundred billion quinquagintillion years to crack. The universe is 'only' 13.8 billion years old.
 
Yeah... assuming that the site you used it on hasn't been hacked and "accidentally" left your pw in plaintext (or an easily decrypted file of some sort)... all it takes is one... then your password is added to a wordlist and can be cracked in seconds from any site...
 
Downloaded KeePass, will check it out.
 
Password managers are not safe? Nooo! Say it ain't so!

Users of password managers are fools to themselves..
 
Yep, there's no way to protect it if a breach occurs, however as soon as I find out about such a breach I will change my password. Even knowing that one won't get them my other 336 passwords stored in KP. The odds of duping a random 32 character password is about once in a 9.38 hundred billion trillion centuries. ;):laughing::scream:
Full disclosure: Some entries are not passwords, just things I want to remember; they are just notes to me.
 
Hence my "change your passwords frequently"... rarely will a site actually let you know if they get compromised - that only happens when they have no choice...
 