Vulnerability of Password Managers

ETH Zurich researchers have found 25 significant flaws in Dashlane, LastPass, and Bitwarden, the three most popular cloud-based password managers. This article explores the vulnerabilities of these password managers. Because of these vulnerabilities, a malicious server can bypass zero-knowledge encryption claims and gain unauthorized access to, alter, and retrieve user passwords and vault data.
Together, Bitwarden, LastPass, and Dashlane serve more than 60 million users and hold a sizeable market share. The analysis focuses on their client-server interactions under a fully malicious server threat model, in which the server may deviate from the protocol at will. The researchers show recurring shortcomings in confidentiality and integrity protections, despite the vendors' claims of "zero-knowledge encryption," which imply that the server cannot access plaintext vaults even if it is compromised.
The 25 findings, by reference, product, root cause, impact, and the client interaction the malicious server needs:

| Ref | Product | Cause | Impact of attack | Client interaction |
|---|---|---|---|---|
| BW01 | Bitwarden | No Key Auth, Key Substitution | Complete vault compromise | 1 join |
| BW02 | Bitwarden | Key Substitution | Complete vault compromise | 1 turn |
| BW03 | Bitwarden | No Key Auth, Key Substitution | Complete vault compromise | 1 dialogue |
| LP01 | LastPass | No Key Auth | Complete vault compromise | 1 login |
| BW04 | Bitwarden | No Auth Enc | Read/modify metadata | |
| BW05 | Bitwarden | No Key Sep | Field/item swapping | |
| BW06 | Bitwarden | No Key Sep | Confidentiality loss | 1 open |
| BW07 | Bitwarden | No Auth Enc | No brute-force protection | 1 login |
| LP02 | LastPass | No Auth Enc | Field/item swapping | – |
| LP03 | LastPass | No Key Sep | Confidentiality loss | 1 open |
| LP04 | LastPass | No Auth Enc | No brute-force protection | 1 login |
| LP05 | LastPass | No Auth Enc | Vault integrity loss | – |
| DL01 | Dashlane | No Key Sep | Vault integrity loss | – |
| BW08 | Bitwarden | No Key Auth | Add members to organizations | 1 sync |
| BW09 | Bitwarden | No Key Auth, Key Substitution | Organization compromise | 1 join |
| LP07 | LastPass | No Key Auth | Shared vault compromise | 1 join |
| DL02 | Dashlane | No Key Auth | Shared vault compromise | join |
| BW10 | Bitwarden | No Auth Enc | Key hierarchy downgrade | |
| BW11 | Bitwarden | CBC Support | Confidentiality loss | 2 logins |
| BW12 | Bitwarden | CBC Support | Complete vault compromise | 2 logins |
| DL03 | Dashlane | CBC Support | Vault integrity loss | 10^4 syncs |
| DL04 | Dashlane | CBC Support | No brute-force protection | 10^4 syncs |
| DL05 | Dashlane | CBC Support | Confidentiality loss | 10^5 syncs |
| DL06 | Dashlane | CBC Support | No brute-force protection | 10^4 syncs |
| LP06 | LastPass | No Auth Enc | Read/modify metadata | |

Several attacks exploit unauthenticated public keys, missing key separation, and legacy AES-CBC support, and require little client interaction, such as a single login or sync.
For example, passwords are leaked through client requests in the icon URL decryption leaks (BW06, LP03). Brute-force attacks can be accelerated by up to 300,000x through KDF iteration downgrades (BW07, LP04). The researchers disclosed their findings responsibly, each with a 90-day remediation window: to Bitwarden on January 27, 2025; to LastPass on June 4, 2025; and to Dashlane on August 29, 2025.
LastPass fixed LP03; Dashlane resolved some CBC issues; Bitwarden advanced fixes for a number of issues, including minimum KDF iterations and CBC removal.
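As an added illustration of the KDF iteration downgrade (BW07, LP04) and the minimum-iterations fix mentioned above, here is a client-side guard written for this article; it is not code from the paper or from any of the three vendors. It assumes a hypothetical KdfParams record that the server returns for an account and a constructed floor of 600,000 PBKDF2 iterations; the speedup helper only shows the arithmetic behind the 300,000x figure, using constructed values (600,000 iterations lowered to 2).

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

# Constructed policy value: the client never derives a key with fewer
# iterations than this, whatever the server reports for the account.
ABSOLUTE_MIN_ITERATIONS = 600_000

@dataclass(frozen=True)
class KdfParams:
    algorithm: str   # hypothetical identifier, e.g. "pbkdf2-sha256"
    iterations: int

class KdfDowngradeError(Exception):
    """Raised when server-supplied KDF settings would weaken key derivation."""

def validate_kdf_params(server: KdfParams, pinned: Optional[KdfParams]) -> KdfParams:
    """Accept the server's KDF settings only if they do not weaken the KDF.

    Checks: the algorithm is one the client recognises; the iteration count is
    not below the absolute floor; and it is not below the count this client
    previously accepted (pinned locally, so a server that later lowers it is
    detected rather than obeyed).
    """
    if server.algorithm != "pbkdf2-sha256":
        raise KdfDowngradeError(f"unsupported KDF algorithm {server.algorithm!r}")
    if server.iterations < ABSOLUTE_MIN_ITERATIONS:
        raise KdfDowngradeError(
            f"{server.iterations} iterations is below the floor of {ABSOLUTE_MIN_ITERATIONS}")
    if pinned is not None and server.iterations < pinned.iterations:
        raise KdfDowngradeError(
            f"iterations lowered from {pinned.iterations} to {server.iterations}")
    return server

def is_accepted(server: KdfParams, pinned: Optional[KdfParams]) -> bool:
    """True if the settings pass validation, False if they would be rejected."""
    try:
        validate_kdf_params(server, pinned)
        return True
    except KdfDowngradeError:
        return False

def derive_vault_key(password: str, salt: bytes, params: KdfParams) -> bytes:
    """Derive a 32-byte vault key with PBKDF2-HMAC-SHA256 from validated params."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               params.iterations, dklen=32)

def bruteforce_speedup(honest_iterations: int, downgraded_iterations: int) -> float:
    """Offline guessing speedup an attacker gains from a lowered iteration count."""
    return honest_iterations / downgraded_iterations
```

The pinned value must be stored client-side (not fetched from the server), otherwise the monotonic check is only as trustworthy as the server it is meant to constrain.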