For years, password managers have been touted as a cornerstone of online security, offering a convenient and seemingly foolproof way to protect the ever-growing number of digital accounts most people maintain. But a new wave of research suggests that the “zero knowledge” promise at the heart of many password managers’ marketing isn’t always as airtight as advertised. The core claim – that not even the password manager provider can access a user’s vault – is facing increasing scrutiny, particularly when considering common features like account recovery and shared access.
The rise of password managers has been dramatic. An estimated 94 million US adults – roughly 36 percent of the population – now rely on these tools, storing not just passwords but also sensitive data like cryptocurrency credentials, financial information, and payment card details. This widespread adoption makes the security of these platforms paramount. The “zero knowledge” encryption model was designed to address this need, assuring users that their data remains protected even in the event of a server breach or malicious insider activity.
The Zero Knowledge Claim Under Examination
The concept of “zero knowledge” encryption, as implemented by leading password managers like Bitwarden, Dashlane, and LastPass, aims to ensure that only the user possesses the key to decrypt their vault. Bitwarden, for example, explicitly states that “not even the team at Bitwarden can read your data (even if we wanted to).” Dashlane echoes this sentiment, asserting that without a user’s master password, “malicious actors can’t steal the information, even if Dashlane’s servers are compromised.” LastPass goes further, claiming that no one can access the data within a user’s vault “except you (not even LastPass).”
However, recent research, including work presented at USENIX Security 2026, challenges these assurances. Researchers from ETH Zurich and Università della Svizzera italiana have identified vulnerabilities in Bitwarden, Dashlane, and LastPass that could allow an attacker who controls the server to steal data or even entire vaults. These attacks aren’t theoretical; they’ve been demonstrated in controlled environments mimicking real-world compromise scenarios. The research uncovered 25 distinct attacks, ranging from metadata exposure to complete decryption of password vaults.
Account Recovery and Shared Access: Points of Vulnerability
The vulnerabilities aren’t necessarily inherent flaws in the core encryption algorithms themselves. Instead, they often stem from features designed to enhance usability, such as account recovery options and the ability to share vaults with family members or colleagues. Account recovery, while convenient, introduces potential backdoors that could be exploited. Similarly, shared vaults and group organization features can weaken the security posture by creating additional access points.
The researchers found that in certain scenarios, attackers could leverage these features to weaken encryption or even obtain passwords in plaintext. This means that, contrary to the “zero knowledge” promise, an attacker gaining control of a password manager’s server could potentially bypass the encryption and access sensitive user data. The implications are significant, particularly given the high-value nature of the information stored within these vaults.
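To make the trust boundary concrete, here is an added toy model (not code from the research or from any of the named vendors) of a “zero knowledge” client: the vault key is derived only on the client, and anything the server hands the client, such as key-derivation parameters or the public key of a vault-sharing recipient, is treated as untrusted input and checked before use. The names, the 600,000-iteration floor and the sample values are hypothetical and constructed for illustration.

```python
"""Toy model of a 'zero knowledge' vault client (constructed illustration).

The server never sees the master password or the vault key. But in many designs
the server still supplies *inputs* to the client (KDF settings, sharing keys),
so a compromised server could try to weaken the encryption through those inputs.
The client therefore validates them instead of trusting them.
"""
import hashlib
import hmac
from dataclasses import dataclass

# Hypothetical client-side floor; a server asking for fewer iterations is refused.
MIN_PBKDF2_ITERATIONS = 600_000
MIN_SALT_BYTES = 16


@dataclass(frozen=True)
class KdfParams:
    """Key-derivation settings as delivered by the (untrusted) server."""
    algorithm: str
    iterations: int
    salt_hex: str


def accepts_params(params: KdfParams) -> bool:
    """Return True only if the server-supplied KDF settings meet the client floor."""
    if params.algorithm != "pbkdf2-sha256":
        return False
    if params.iterations < MIN_PBKDF2_ITERATIONS:
        return False
    return len(bytes.fromhex(params.salt_hex)) >= MIN_SALT_BYTES


def derive_vault_key(master_password: str, params: KdfParams) -> bytes:
    """Derive the 32-byte vault key on the client; never accept weakened settings."""
    if not accepts_params(params):
        raise ValueError("server supplied KDF parameters below the client floor")
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               bytes.fromhex(params.salt_hex), params.iterations, 32)


def recipient_key_is_pinned(server_supplied_pubkey: bytes, pinned_fingerprint: str) -> bool:
    """Sharing: the recipient's public key arrives via the server, so compare it
    against a fingerprint the user confirmed out of band before encrypting to it."""
    actual = hashlib.sha256(server_supplied_pubkey).hexdigest()
    return hmac.compare_digest(actual, pinned_fingerprint)


# Constructed samples: honest settings vs. settings a hostile server might push.
HONEST_PARAMS = KdfParams("pbkdf2-sha256", 600_000, "a1" * 16)
WEAKENED_PARAMS = KdfParams("pbkdf2-sha256", 1_000, "a1" * 16)
ALICE_PUBKEY = b"constructed-public-key-bytes-for-alice"
ALICE_FINGERPRINT = hashlib.sha256(ALICE_PUBKEY).hexdigest()
```

The same pattern (validate, then pin) is what lets a client keep its zero-knowledge property even when the server is the adversary.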
What This Means for Users
The findings don’t necessarily mean that password managers are inherently insecure. They do, however, highlight the importance of understanding the limitations of these tools and taking steps to mitigate potential risks. Users should carefully consider the trade-offs between convenience and security when enabling features like account recovery and shared access. Strong, unique master passwords remain crucial, as does enabling multi-factor authentication wherever possible.
The researchers emphasize that vendors are actively patching the identified vulnerabilities, but the pace of these fixes varies. Users of Bitwarden, Dashlane, and LastPass are strongly advised to update their software to the latest versions as soon as they become available. Staying informed about security updates and best practices is essential for maintaining a strong security posture.
This research serves as a critical reminder that the security landscape is constantly evolving. The “zero knowledge” promise, while a valuable aspiration, isn’t always a guarantee. Users should approach password managers with a healthy dose of skepticism and prioritize security measures that align with their individual risk tolerance. The convenience these tools offer shouldn’t come at the expense of the sensitive data they are meant to protect.
The findings also underscore the need for ongoing research and independent security audits of password managers. As these platforms become increasingly central to our digital lives, it’s crucial to ensure that their security claims are backed up by rigorous testing and transparent reporting.
