Tuesday, February 17, 2026


Researchers identify 25 security weaknesses in leading cloud password managers

A new academic study has revealed 25 password-recovery-related attacks affecting major cloud password managers, including Bitwarden, Dashlane and LastPass. The research was conducted by experts from ETH Zurich and Università della Svizzera italiana. The researchers said, “The attacks range in severity from integrity violations to the complete compromise of all vaults in an organization.” They added, “The majority of the attacks allow the recovery of passwords.” The study assumes a malicious-server model and evaluates the zero-knowledge encryption promises made by these platforms.

Zero-knowledge encryption is designed to ensure that service providers cannot access user vault data, unlike end-to-end encryption, which protects data in transit. However, the researchers identified 12 distinct attacks against Bitwarden, 7 against LastPass and 6 against Dashlane. These ranged from targeted vault integrity violations to a full compromise of all vaults within an organization. Together, these services support over 60 million users and nearly 125,000 businesses. The researchers noted, “Despite vendors’ attempts to achieve security in this setting, we uncover several common design anti-patterns and cryptographic misconceptions that resulted in vulnerabilities.”

The attacks fall into 4 broad categories: weaknesses in key-escrow account-recovery mechanisms affecting Bitwarden and LastPass; flaws in item-level encryption that expose metadata and enable key derivation function (KDF) downgrade; misuse of sharing features that impacts confidentiality and integrity; and downgrade attacks linked to legacy-code compatibility in Bitwarden and Dashlane. The study also found that 1Password is vulnerable to the item-level encryption and sharing attacks, though the company considers them known architectural limitations. A company executive said, “We are committed to continually strengthening our security architecture and evaluating it against advanced threat models.”
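Two of the categories above, KDF downgrade and legacy-compatibility downgrade, share one root cause under a malicious-server model: the client derives its vault key from parameters the server hands it, and so a server that lies about those parameters can weaken the derivation. The following is an added, illustrative example written for this article, not code from the study or from any of the vendors named; the server-supplied KDF configuration, the pinned floor values and the sample configurations are all hypothetical. It shows a client that validates server-supplied KDF parameters against a locally pinned floor and against the last configuration it accepted before deriving anything.

```python
"""
Client-side guard against KDF-parameter downgrade by an untrusted server.

Assumptions (hypothetical, not taken from the article or any vendor):
- Before unlocking, the client fetches a KDF configuration (algorithm,
  iteration count, salt) from the server.
- The server is untrusted (malicious-server model), so its answer is
  checked against a floor the client pins locally and against the
  strongest configuration the client has already accepted.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional

# Client-pinned floor. These are illustrative policy values, not vendor settings.
MIN_PBKDF2_ITERATIONS = 600_000
MIN_SALT_BYTES = 16
ALLOWED_ALGORITHMS = {"pbkdf2-sha256"}


@dataclass(frozen=True)
class KdfParams:
    algorithm: str
    iterations: int
    salt: bytes


class KdfDowngradeError(ValueError):
    """Raised when the server-supplied KDF configuration is weaker than allowed."""


def validate_kdf_params(server: KdfParams, last_accepted: Optional[KdfParams] = None) -> KdfParams:
    """Reject anything below the pinned floor, any algorithm outside the allowlist,
    and any configuration weaker than one this client has already accepted
    (so the server cannot roll a user back to an earlier, weaker setting)."""
    if server.algorithm not in ALLOWED_ALGORITHMS:
        raise KdfDowngradeError(f"algorithm {server.algorithm!r} is not allowed")
    if server.iterations < MIN_PBKDF2_ITERATIONS:
        raise KdfDowngradeError(
            f"iterations {server.iterations} below pinned floor {MIN_PBKDF2_ITERATIONS}"
        )
    if len(server.salt) < MIN_SALT_BYTES:
        raise KdfDowngradeError("salt shorter than the minimum length")
    if last_accepted is not None and server.iterations < last_accepted.iterations:
        raise KdfDowngradeError("iterations lower than the previously accepted value")
    return server


def derive_vault_key(master_password: str, server: KdfParams,
                     last_accepted: Optional[KdfParams] = None) -> bytes:
    """Derive a 32-byte vault key only after the parameters pass validation."""
    params = validate_kdf_params(server, last_accepted)
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), params.salt, params.iterations, dklen=32
    )


def classify_server_configs() -> Dict[str, str]:
    """Run constructed sample configurations through the guard and report the outcome.
    All four configurations are constructed for this example."""
    salt = b"\x01" * 16
    previously_accepted = KdfParams("pbkdf2-sha256", 700_000, salt)
    samples = {
        # honest server: meets the floor and is not weaker than last time
        "honest": (KdfParams("pbkdf2-sha256", 700_000, salt), previously_accepted),
        # server answers with an iteration count far below the pinned floor
        "low_iterations": (KdfParams("pbkdf2-sha256", 5_000, salt), previously_accepted),
        # server steers the client onto a legacy algorithm that is not allowlisted
        "legacy_algorithm": (KdfParams("pbkdf2-sha1", 700_000, salt), previously_accepted),
        # server is above the floor but below what this client already accepted
        "rollback": (KdfParams("pbkdf2-sha256", 600_000, salt), previously_accepted),
    }
    outcome: Dict[str, str] = {}
    for name, (server_params, last) in samples.items():
        try:
            derive_vault_key("correct horse battery staple", server_params, last)
            outcome[name] = "accepted"
        except KdfDowngradeError:
            outcome[name] = "rejected"
    return outcome


if __name__ == "__main__":
    for name, result in classify_server_configs().items():
        print(f"{name:17s} {result}")
```

The last check, comparing against the previously accepted configuration, is what turns a one-time floor into a ratchet: once a client has unlocked with a stronger setting, the server can never talk it back down, even to a value that is nominally above the floor. Persisting that "last accepted" record locally, outside anything the server can rewrite, is the part that makes the ratchet hold.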

In response, Dashlane patched a vulnerability that could have enabled an encryption-model downgrade through legacy cryptography. The fix was implemented in Extension version 6.2544.1, released in November 2025. Dashlane stated, “This downgrade could result in the compromise of a weak or easily guessable Master Password and the compromise of individual ‘downgraded’ vault items.” Bitwarden said 7 issues have been resolved or are under remediation, while 3 were accepted as design decisions. LastPass confirmed it is strengthening cryptographic integrity controls. There is no evidence that these vulnerabilities have been exploited in real-world attacks.
