Password Managers Less Secure Than Promised
AnonTechie writes:
[Source]: ETH Zurich (Eidgenössische Technische Hochschule Zürich)
Researchers from ETH Zurich have discovered serious security vulnerabilities in three popular, cloud-based password managers. During testing, they were able to view and even make changes to stored passwords.
People who regularly use online services have between 100 and 200 passwords. Very few can remember every single one. Password managers are therefore extremely helpful, allowing users to access all their passwords with just a single master password.
Most password managers are cloud-based. A major advantage this offers users is the ability to access their passwords from different devices and also share them with friends and family members. Security is the most important feature of these password managers since, ultimately, users store sensitive data in these encrypted storage platforms, commonly called "vaults". This can also include login details for online banking or credit cards.
Most service providers therefore promote their products with the promise of "zero-knowledge encryption". This means they assure users that their stored passwords are encrypted and even the providers themselves have "zero knowledge" of them and no access to what has been stored. "The promise is that even if someone is able to access the server, this does not pose a security risk to customers because the data is encrypted and therefore unreadable. We have now shown that this is not the case", explains Matilda Backendal.
The team conducted a study to scrutinise the security architecture of three popular password manager providers: Bitwarden, LastPass and Dashlane. Between them, they serve around 60 million users and have a 23 per cent market share. The researchers demonstrated 12 attacks on Bitwarden, 7 on LastPass and 6 on Dashlane.
[Journal Reference]: https://eprint.iacr.org/2026/058 (Cryptology ePrint Archive)
Read more of this story at SoylentNews.