According to a recent study, under specific circumstances a number of cloud-based password managers, including Dashlane, LastPass, and Bitwarden, are vulnerable to password recovery attacks. According to researchers Matteo Scarlata, Giovanni Torrisi, Matilda Backendal, and Kenneth G. Paterson, "the attacks range in severity from integrity violations to the complete compromise of all vaults in an organization."
"Passwords can be recovered from most attacks." In the study, from ETH Zurich and Università della Svizzera Italiana, the threat actor is a malicious server; under that threat model the researchers examined the zero-knowledge encryption (ZKE) claims made by the three solutions.
ZKE is a cryptographic technique that enables one party to demonstrate to another that it knows a secret without actually disclosing the secret. In particular, Dashlane has fixed a vulnerability that could have allowed a downgrade of the encryption model used to derive encryption keys and protect user vaults, in the event that its servers were compromised. Dashlane Extension version 6.2544.1, released in November 2025, resolved the problem by removing support for outdated cryptography techniques.
Dashlane warned that "this downgrade could result in the compromise of individual 'downgraded' vault items, as well as a weak or easily guessable Master Password." The company added that "the permitted use of legacy cryptography was the cause of this problem." In some situations, Dashlane supported this legacy cryptography for migration flexibility and backward compatibility.

Bitwarden stated that every issue found is being fixed.
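To make the downgrade risk concrete from the defender's side, here is an added example (not Dashlane's or any vendor's code) of a client that accepts server-supplied key-derivation settings only if they meet a floor pinned in the client and never lowers an iteration count it has already used; the scheme names and thresholds are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed, illustrative floors: the client decides what it will accept.
# These names and numbers are assumptions, not any real product's settings.
ALLOWED_KDFS = {
    "argon2id": {"min_memory_kib": 64 * 1024, "min_iterations": 3},
    "pbkdf2-sha256": {"min_iterations": 600_000},
}
LEGACY_KDFS = {"pbkdf2-sha1", "legacy-v1"}  # hypothetical retired schemes


@dataclass(frozen=True)
class KdfConfig:
    name: str
    iterations: int
    memory_kib: int = 0


class DowngradeRejected(Exception):
    pass


def validate_server_kdf(cfg: KdfConfig, previous: Optional[KdfConfig] = None) -> KdfConfig:
    """Return cfg if it meets the client's floor, else raise DowngradeRejected.

    A malicious or compromised server can send any configuration it likes, so
    the only place the floor can be enforced is the client itself.
    """
    if cfg.name in LEGACY_KDFS or cfg.name not in ALLOWED_KDFS:
        raise DowngradeRejected(f"unsupported or retired KDF: {cfg.name}")
    floor = ALLOWED_KDFS[cfg.name]
    if cfg.iterations < floor["min_iterations"]:
        raise DowngradeRejected(f"{cfg.name}: {cfg.iterations} iterations below floor")
    if cfg.memory_kib < floor.get("min_memory_kib", 0):
        raise DowngradeRejected(f"{cfg.name}: {cfg.memory_kib} KiB memory below floor")
    # Ratchet: once the client has used N iterations of a scheme, the server
    # must not be able to talk it back down to fewer.
    if previous and previous.name == cfg.name and cfg.iterations < previous.iterations:
        raise DowngradeRejected("server attempted to lower the iteration count")
    return cfg


def accepts(cfg: KdfConfig, previous: Optional[KdfConfig] = None) -> bool:
    """Boolean wrapper around validate_server_kdf for callers that just branch."""
    try:
        validate_server_kdf(cfg, previous)
        return True
    except DowngradeRejected:
        return False
```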