Password manager vulnerabilities uncovered by academic researchers have raised fresh concerns about the security of cloud-based vault services. A new study details how weaknesses in several popular password managers could allow attackers to view, extract, or even modify stored credentials.
The findings, published in a peer-reviewed paper, outline 27 successful attack scenarios targeting cloud-based services from Bitwarden, LastPass, Dashlane and 1Password. Researchers say these password manager vulnerabilities challenge the widely promoted concept of zero-knowledge encryption, which claims that service providers cannot access the contents of user vaults.
Researchers Identify Critical Weaknesses
The study was conducted by security experts from ETH Zurich and the Università della Svizzera italiana. Their work examined how cloud password managers implement end-to-end encryption and whether those systems truly prevent a server-side compromise from exposing user data.
The password manager vulnerabilities fell into four main categories: key escrow flaws, vault encryption weaknesses, insecure sharing mechanisms, and backward-compatibility issues that allowed encryption downgrades.
In total, researchers documented 12 distinct attacks against Bitwarden, seven against LastPass, six against Dashlane and two against 1Password. Some of the attacks enabled integrity violations, while others allowed full vault compromise within an organization.
One of the most serious findings involved unauthenticated public keys and weak cryptographic binding between metadata and encrypted content. These design flaws could allow an attacker controlling a server to manipulate key material or intercept sensitive information.
Zero Knowledge Encryption Under Scrutiny
Many password managers advertise zero-knowledge encryption as a core security feature. This means the provider's servers should not be able to access vault contents, even if compromised. However, the newly disclosed password manager vulnerabilities suggest that design choices can weaken these guarantees.
Researchers found issues such as insufficient key separation, missing ciphertext integrity and improper authentication of public keys. In some cases, attackers could exploit flawed encryption implementations to downgrade security settings or intercept master keys.
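The "missing ciphertext integrity" and weak metadata binding the researchers describe come down to whether a vault item's ciphertext is cryptographically tied to the record it belongs to. The following Go program is an added illustration, not code from the paper or from any of the vendors named above: it encrypts vault items with AES-256-GCM and, in the hardened variant, passes the record metadata (vault id, item id, key version) as additional authenticated data, so a server that swaps one item's ciphertext under another's metadata, or relabels the key version, fails the tag check instead of silently handing the client the wrong or downgraded content. The metadata field names and the sample items are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// ItemMeta is the metadata a server stores beside each encrypted vault item.
// Field names are an assumption for this example, not any vendor's schema.
type ItemMeta struct {
	VaultID    string `json:"vault_id"`
	ItemID     string `json:"item_id"`
	KeyVersion int    `json:"key_version"`
}

// aad serialises the metadata deterministically (fixed struct field order)
// so the same bytes are authenticated on seal and on open.
func (m ItemMeta) aad() []byte {
	b, _ := json.Marshal(m)
	return b
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce || ciphertext || tag, authenticating aad alongside it.
func seal(key, aad, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

func open(key, aad, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// SealBound / OpenBound bind the record metadata to the ciphertext: the item
// only decrypts when presented with exactly the metadata it was sealed under.
func SealBound(key []byte, meta ItemMeta, plaintext []byte) ([]byte, error) {
	return seal(key, meta.aad(), plaintext)
}

func OpenBound(key []byte, meta ItemMeta, blob []byte) ([]byte, error) {
	return open(key, meta.aad(), blob)
}

// SealUnbound / OpenUnbound are the weak pattern: the same AEAD, but the
// metadata stored next to the blob is not part of what gets authenticated.
func SealUnbound(key, plaintext []byte) ([]byte, error) {
	return seal(key, nil, plaintext)
}

func OpenUnbound(key, blob []byte) ([]byte, error) {
	return open(key, nil, blob)
}

// SwapDetected models a server returning item B's ciphertext under item A's
// record and reports whether each client variant notices. It returns
// (bound detected, unbound detected, error).
func SwapDetected(key []byte) (bool, bool, error) {
	metaA := ItemMeta{VaultID: "vault-1", ItemID: "item-a", KeyVersion: 2} // constructed
	metaB := ItemMeta{VaultID: "vault-1", ItemID: "item-b", KeyVersion: 2} // constructed
	boundB, err := SealBound(key, metaB, []byte("password-for-site-b"))
	if err != nil {
		return false, false, err
	}
	_, errBound := OpenBound(key, metaA, boundB) // client believes it is opening item A
	unboundB, err := SealUnbound(key, []byte("password-for-site-b"))
	if err != nil {
		return false, false, err
	}
	_, errUnbound := OpenUnbound(key, unboundB) // decrypts fine; client shows the wrong item
	return errBound != nil, errUnbound != nil, nil
}

func main() {
	key := make([]byte, 32) // demo key; a real client derives this from the user's secrets
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	bound, unbound, err := SwapDetected(key)
	if err != nil {
		panic(err)
	}
	fmt.Printf("swap caught with metadata bound: %v, without binding: %v\n", bound, unbound)
}
```

The same tag check also rejects a record whose key_version label has been lowered, which is the kind of downgrade the "backward compatibility" category refers to.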
Notably, 1Password was found to have stronger resistance to brute-force attacks due to its use of a high-entropy secret key in addition to a master password. This additional cryptographic element provides greater protection against certain attack methods.
Malicious Auto-Enrolment Attack Explained
One example highlighted in the research involved a malicious auto-enrolment attack against Bitwarden. In this scenario, an attacker controlling the server could manipulate the onboarding process when a user joins an organization.
By tampering with security policies and replacing legitimate public keys with forged ones, the attacker could trick the client into encrypting the user's master key under the attacker's key. Once the attacker decrypts that wrapped key, they would gain full access to the victim's vault.
With the master key exposed, the attacker could view, alter or delete stored passwords and other sensitive data. Researchers warned that such an attack could scale within organizations if shared keys were compromised.
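The defence the attack above depends on missing is authentication of the organisation public key before the client wraps anything under it. The Go program below is an added example, not Bitwarden's code or the researchers' proof of concept: it wraps a master key with RSA-OAEP, once in the weak form (trusting whatever key the server supplies) and once after checking the key's SHA-256 fingerprint against a value the user obtained out of band, such as one an administrator shares directly. The fingerprint convention, the "org-key-wrap" label and the generated keys are assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"fmt"
)

const wrapLabel = "org-key-wrap" // OAEP label; assumed for this example

// Fingerprint is the SHA-256 of the PKIX (DER) encoding of a public key, the
// value an admin would publish through a channel the server cannot rewrite.
func Fingerprint(pub *rsa.PublicKey) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:]), nil
}

// WrapUnverified is the weak client behaviour: it encrypts the user's master
// key under whichever organisation public key the server handed over.
func WrapUnverified(serverPub *rsa.PublicKey, masterKey []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, masterKey, []byte(wrapLabel))
}

// WrapVerified refuses to wrap unless the server-supplied key matches the
// fingerprint the user already holds. A mismatch here is worth alerting on,
// since it means the server presented a key the organisation did not issue.
func WrapVerified(serverPub *rsa.PublicKey, expectedFP string, masterKey []byte) ([]byte, error) {
	fp, err := Fingerprint(serverPub)
	if err != nil {
		return nil, err
	}
	if fp != expectedFP {
		return nil, fmt.Errorf("organisation key fingerprint mismatch: got %s, expected %s", fp, expectedFP)
	}
	return WrapUnverified(serverPub, masterKey)
}

// Unwrap recovers the master key with the matching private key.
func Unwrap(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, []byte(wrapLabel))
}

// Scenario generates the organisation's real key pair and a forged one, then
// reports whether each client path lets the forged key's holder recover the
// master key. Returns (unverified path leaks, verified path refuses, error).
func Scenario() (bool, bool, error) {
	orgPriv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	forgedPriv, err := rsa.GenerateKey(rand.Reader, 2048) // stands in for the key a malicious server substitutes
	if err != nil {
		return false, false, err
	}
	masterKey := make([]byte, 32)
	if _, err := rand.Read(masterKey); err != nil {
		return false, false, err
	}
	expectedFP, err := Fingerprint(&orgPriv.PublicKey) // obtained out of band in a real deployment
	if err != nil {
		return false, false, err
	}

	// Weak path: the client wraps under the forged key, so its holder unwraps it.
	wrapped, err := WrapUnverified(&forgedPriv.PublicKey, masterKey)
	if err != nil {
		return false, false, err
	}
	recovered, err := Unwrap(forgedPriv, wrapped)
	leaks := err == nil && bytes.Equal(recovered, masterKey)

	// Hardened path: the fingerprint check stops the wrap before any key leaves the client.
	_, err = WrapVerified(&forgedPriv.PublicKey, expectedFP, masterKey)
	refuses := err != nil

	// The genuine key still passes the check and the organisation can unwrap.
	ok, err := WrapVerified(&orgPriv.PublicKey, expectedFP, masterKey)
	if err != nil {
		return leaks, refuses, err
	}
	back, err := Unwrap(orgPriv, ok)
	if err != nil || !bytes.Equal(back, masterKey) {
		return leaks, refuses, fmt.Errorf("legitimate wrap did not round-trip")
	}
	return leaks, refuses, nil
}

func main() {
	leaks, refuses, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("unverified wrap leaks master key: %v; verified wrap refuses forged key: %v\n", leaks, refuses)
}
```

Pinning a fingerprint is the simplest form of the check; a signed key directory or a key transparency log serves the same purpose at scale, and either way the client should log and surface a mismatch rather than retry.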
Vendor Response and Remediation Efforts
The researchers disclosed the password manager vulnerabilities through a coordinated 90-day process. Bitwarden, LastPass and Dashlane confirmed that remediation efforts are underway.
1Password acknowledged the reported issues but indicated they stem from architectural limitations that are already understood. The researchers emphasized that they have no evidence of active malicious activity by any vendor at this time.
They also stressed that passwords remain secure as long as providers are not compromised. However, they cautioned that password managers are high value targets and breaches remain a possibility.
How Users Can Protect Themselves
In light of these password manager vulnerabilities, experts recommend that users stay informed about remediation updates from their providers. Organizations should verify that encryption settings, key management practices and authentication methods meet modern standards.
Users can also ask providers critical questions about public key authentication, integrity guarantees and encryption downgrade protections. Commissioning independent security audits can provide additional reassurance.
While password managers remain an important security tool, this research highlights the need for rigorous cryptographic design and continuous review. As end-to-end encryption becomes more common in commercial services, ensuring its correct implementation is essential to maintaining trust.