Zero-knowledge claims tested: researchers reveal multiple flaws in top password managers

TL;DR Summary
Researchers from ETH Zurich and USI Lugano analyzed Bitwarden, Dashlane, and LastPass and found multiple attack vectors through which a compromised or malicious server can read, and in some cases modify, users' vaults, particularly when account-recovery, group enrollment, key escrow, or backward-compatibility features are enabled. Some of the attacks allow theft of an entire vault or of selected items, and some defeat older encryption configurations that are still supported for compatibility. The vendors point to their security audits and ongoing patching; the study argues that the term “zero-knowledge” is misleading for these designs, since the server is trusted more than that label implies, and calls for stronger threat models and greater resilience against server compromise across password managers.
Topics: business, account-recovery, encryption, password-managers, security, vulnerabilities, zero-knowledge
- Password managers’ promise that they can’t see your vaults isn’t always true (Ars Technica)
- Study Uncovers 25 Password Recovery Attacks in Major Cloud Password Managers (The Hacker News)
- Password managers less secure than promised (ETH Zürich)
- Password managers don’t protect secrets if pwned (The Register)
- Researchers find critical vulnerabilities in cloud-based password managers (iTnews)