{"id":16042,"date":"2026-03-02T12:12:51","date_gmt":"2026-03-02T19:12:51","guid":{"rendered":"https:\/\/jasonsblog.ddns.net\/?p=16042"},"modified":"2026-03-02T12:12:51","modified_gmt":"2026-03-02T19:12:51","slug":"password-managers-promise-that-they-cant-see-your-vaults-isnt-always-true","status":"publish","type":"post","link":"https:\/\/jasonsblog.ddns.net\/index.php\/2026\/03\/02\/password-managers-promise-that-they-cant-see-your-vaults-isnt-always-true\/","title":{"rendered":"Password Managers\u2019 Promise That They Can\u2019t See Your Vaults Isn\u2019t Always True"},"content":{"rendered":"\n<p>On the positive, these exploits will lead to fixes, but as a general rule the family sharing and recovery methods should probably be avoided for now. Keep your encrypted password database secure by only you using it with a strong master password. And if you really want to be paranoid, <a href=\"https:\/\/bitwarden.com\/blog\/host-your-own-open-source-password-manager\/\" target=\"_blank\" rel=\"noreferrer noopener\">run your own server for Bitwarden<\/a>, or use <a href=\"https:\/\/keepassxc.org\/\" target=\"_blank\" rel=\"noreferrer noopener\">KeePassXC<\/a> and sync the database between your devices with <a href=\"https:\/\/syncthing.net\/\" target=\"_blank\" rel=\"noreferrer noopener\">Syncthing<\/a> or something similar. 
And I highly recommend Syncthing, as I use it to sync files between computers, making it easy to do a fresh OS install on any device to easily get up and running with all my files.<\/p>\n\n\n\n<p><a href=\"https:\/\/arstechnica.com\/security\/2026\/02\/password-managers-promise-that-they-cant-see-your-vaults-isnt-always-true\/\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/arstechnica.com\/security\/2026\/02\/password-managers-promise-that-they-cant-see-your-vaults-isnt-always-true\/<\/a><\/p>\n\n\n<div class=\"wp-block-ub-divider ub_divider ub-divider-orientation-horizontal\" id=\"ub_divider_0e27990e-6d13-4f31-a877-5bf80ed0c0a6\"><div class=\"ub_divider_wrapper\" style=\"position: relative; margin-bottom: 2px; width: 100%; height: 2px; \" data-divider-alignment=\"center\"><div class=\"ub_divider_line\" style=\"border-top: 2px solid #ccc; margin-top: 2px; \"><\/div><\/div><\/div>\n\n\n<h5 class=\"wp-block-heading\">Contrary to what password managers say, a server compromise can mean game over.<\/h5>\n\n\n\n<p>By Dan Goodin<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/cdn.arstechnica.net\/wp-content\/uploads\/2022\/07\/password-login.jpeg\" alt=\"\"\/><figcaption class=\"wp-element-caption\">Credit: Getty Images<\/figcaption><\/figure>\n\n\n\n<p>Over the past 15 years, password managers have grown from a niche security tool used by the technology savvy into an indispensable security tool for the masses, with an <a href=\"https:\/\/www.security.org\/digital-safety\/password-manager-annual-report\/\">estimated<\/a> 94 million US adults\u2014or roughly 36 percent of them\u2014having adopted them. 
They store not only passwords for pension, financial, and email accounts, but also cryptocurrency credentials, payment card numbers, and other sensitive data.<\/p>\n\n\n\n<p>All eight of the top password managers have adopted the term \u201czero knowledge\u201d to describe the complex encryption system they use to protect the data vaults that users store on their servers. The definitions vary slightly from vendor to vendor, but they generally boil down to one bold assurance: that there is no way for malicious insiders or hackers who manage to compromise the cloud infrastructure to steal vaults or data stored in them. These promises make sense, given <a href=\"https:\/\/arstechnica.com\/information-technology\/2022\/12\/lastpass-says-hackers-have-obtained-vault-data-and-a-wealth-of-customer-info\/\">previous<\/a> <a href=\"https:\/\/arstechnica.com\/information-technology\/2023\/02\/lastpass-hackers-infected-employees-home-computer-and-stole-corporate-vault\/\">breaches<\/a> of LastPass and the reasonable expectation that state-level hackers have both the motive and capability to obtain password vaults belonging to high-value targets.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">A bold assurance debunked<\/h2>\n\n\n\n<p>Typical of these claims are those made by Bitwarden, Dashlane, and LastPass, which together are used by roughly 60 million people. 
Bitwarden, <a href=\"https:\/\/bitwarden.com\/pdf\/resources-zero-knowledge-encryption-white-paper.pdf\">for example<\/a>, says that \u201cnot even the team at Bitwarden can read your data (even if we wanted to).\u201d Dashlane, meanwhile, <a href=\"https:\/\/www.dashlane.com\/download\/whitepaper-en.pdf\">says<\/a> that without a user\u2019s master password, \u201cmalicious actors can\u2019t steal the information, even if Dashlane\u2019s servers are compromised.\u201d LastPass <a href=\"https:\/\/blog.lastpass.com\/posts\/how-zero-knowledge-keeps-passwords-safe\">says<\/a> that no one can access the \u201cdata stored in your LastPass vault, except you (not even LastPass).\u201d<\/p>\n\n\n\n<p>New research shows that these claims aren\u2019t true in all cases, particularly when account recovery is in place or password managers are set to share vaults or organize users into groups. The researchers reverse-engineered or closely analyzed Bitwarden, Dashlane, and LastPass and identified ways that someone with control over the server\u2014either administrative or the result of a compromise\u2014can, in fact, steal data and, in some cases, entire vaults. The researchers also devised other attacks that can weaken the encryption to the point that ciphertext can be converted to plaintext.<\/p>\n\n\n\n<p>\u201cThe vulnerabilities that we describe are numerous but mostly not deep in a technical sense,\u201d the researchers from ETH Zurich and USI Lugano <a href=\"https:\/\/eprint.iacr.org\/2026\/058\">wrote<\/a>. \u201cYet they were apparently not found before, despite more than a decade of academic research on password managers and the existence of multiple audits of the three products we studied. This motivates further work, both in theory and in practice.\u201d<\/p>\n\n\n\n<p>The researchers said in interviews that multiple other password managers they didn\u2019t analyze as closely likely suffer from the same flaws. The only one they were at liberty to name was 1Password. 
Almost all the password managers, they added, are vulnerable to the attacks only when certain features are enabled.<\/p>\n\n\n\n<p>The most severe of the attacks\u2014targeting Bitwarden and LastPass\u2014allow an insider or attacker to read or write to the contents of entire vaults. In some cases, they exploit weaknesses in the key escrow mechanisms that allow users to regain access to their accounts when they lose their master password. Others exploit weaknesses in support for legacy versions of the password manager. A vault-theft attack against Dashlane allowed reading but not modification of vault items when they were shared with other users.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Staging the old key switcheroo<\/h2>\n\n\n\n<p>One of the attacks targeting Bitwarden key escrow is performed during the enrollment of a new member of a family or organization. After a Bitwarden group admin invites the new member, the invitee\u2019s client accesses a server and obtains a group symmetric key and the group\u2019s public key. The client then encrypts the symmetric key with the group public key and sends it to the server. The resulting ciphertext is what\u2019s used to recover the new user\u2019s account. This data is never integrity-checked when it\u2019s sent from the server to the client during an account enrollment session.<\/p>\n\n\n\n<p>The adversary can exploit this weakness by replacing the group public key with one from a keypair created by the adversary. Since the adversary knows the corresponding private key, it can use it to decrypt the ciphertext and then perform an account recovery on behalf of the targeted user. 
The result is that the adversary can read and modify the entire contents of the member vault as soon as an invitee accepts an invitation from a family or organization.<\/p>\n\n\n\n<p>Normally, this attack would work only when a group admin has enabled autorecovery mode, which, unlike a manual option, doesn\u2019t require interaction from the member. But since the group policy the client downloads during enrollment isn\u2019t integrity-checked, adversaries can set recovery to auto, even if an admin had chosen a manual mode that requires user interaction.<\/p>\n\n\n\n<p>Compounding the severity, the adversary in this attack also obtains a group symmetric key for all other groups the member belongs to since such keys are known to all group members. If any of the additional groups use account recovery, the adversary can obtain the members\u2019 vaults for them, too. \u201cThis process can be repeated in a worm-like fashion, infecting all organizations that have key recovery enabled and have overlapping members,\u201d the research paper explained.<\/p>\n\n\n\n<p>A second attack targeting Bitwarden account recovery can be performed when a user rotates vault keys, an option <a href=\"https:\/\/bitwarden.com\/help\/bitwarden-security-white-paper\/#rotating-the-account-encryption-key\">Bitwarden recommends<\/a> if a user believes their master password has been compromised. When account recovery is on (either manually or automatically), the user client regenerates the recovery ciphertext, which as described earlier involves obtaining a new public key that\u2019s encrypted with the organization public key. The researchers denoted the group public key as pk<sub>org<\/sub>. 
They denote the public key supplied by the adversary as pk<sup>adv<\/sup><sub>org<\/sub>, the recovery ciphertext as c<sub>rec<\/sub>, and the user symmetric key as k<sup>\u2032<\/sup>.<\/p>\n\n\n\n<p>The paper explained:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>The key point here is that pk<sub>org<\/sub> is not retrieved from the user\u2019s vault; rather the client performs a sync operation with the server to obtain it. Crucially, the organization data provided by this sync operation is not authenticated in any way. This thus provides the adversary with another opportunity to obtain a victim\u2019s user key, by supplying a new public key pk<sup>adv<\/sup><sub>org<\/sub>, for which they know the sk<sup>adv<\/sup><sub>org<\/sub> and setting the account recovery enrollment to true. The client will then send an account recovery ciphertext c<sub>rec<\/sub> containing the new user key, which the adversary can decrypt to obtain k<sup>\u2032.<\/sup><\/p>\n<\/blockquote>\n\n\n\n<p>The third attack on the Bitwarden account recovery allows an adversary to recover a user\u2019s master key. It abuses <a href=\"https:\/\/bitwarden.com\/help\/about-key-connector\/\">key connector<\/a>, a feature primarily used by enterprise customers.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">More ways to pilfer vaults<\/h2>\n\n\n\n<p>The attack allowing theft of LastPass vaults also targets key escrow, specifically in the Teams and Teams 5 versions, when a member\u2019s master key is reset by a privileged user known as a superadmin. 
The next time the member logs in through the LastPass browser extension, their client will retrieve an RSA keypair assigned to each superadmin in the organization, encrypt their new key with each one, and send the resulting ciphertext to each superadmin.<\/p>\n\n\n\n<p>Because LastPass also fails to authenticate the superadmin keys, an adversary can once again replace the superadmin public key (pk<sub>adm<\/sub>) with their own public key (pk<sup>adv<\/sup><sub>adm<\/sub>).<\/p>\n\n\n\n<p>\u201cIn theory, only users in teams where password reset is enabled and who are selected for reset should be affected by this vulnerability,\u201d the researchers wrote. \u201cIn practice, however, LastPass clients query the server at each login and fetch a list of admin keys. They then send the account recovery ciphertexts independently of enrollment status.\u201d The attack, however, requires the user to log in to LastPass with the browser extension, not the standalone client app.<\/p>\n\n\n\n<p>Several attacks allow reading and modification of shared vaults, which allow a user to share selected items with one or more other users. When Dashlane users share an item, their client apps sample a fresh symmetric key, which either directly encrypts the shared item or, when sharing with a group, encrypts group keys, which in turn encrypt the shared item. In either case, the newly created RSA keypair(s)\u2014belonging to either the shared user or group\u2014isn\u2019t authenticated. The item is then encrypted with the private key(s).<\/p>\n\n\n\n<p>An adversary can supply their own key pair and use the public key to encrypt the ciphertext sent to the recipients. The adversary then decrypts that ciphertext with their corresponding secret key to recover the shared symmetric key. With that, the adversary can read and modify all shared items. 
When sharing is used in either Bitwarden or LastPass, similar attacks are possible and lead to the same consequence.<\/p>\n\n\n\n<p>Another avenue for attackers or adversaries with control of a server is to target the backward compatibility that all three password managers provide to support older, less-secure versions. Despite incremental changes designed to harden the apps against the very attacks described in the paper, all three password managers continue to support the versions without these improvements. This backward compatibility is a deliberate decision intended to prevent users who haven\u2019t upgraded from losing access to their vaults.<\/p>\n\n\n\n<p>The severity of these attacks is lower than that of the previous ones described, with the exception of one, which is possible against Bitwarden. Older versions of the password manager used a single symmetric key to encrypt and decrypt the user key from the server and items inside vaults. This design allowed for the possibility that an adversary could tamper with the contents. To add integrity checks, newer versions provide authenticated encryption by augmenting the symmetric key with an <a href=\"https:\/\/en.wikipedia.org\/wiki\/HMAC\">HMAC<\/a> hash function.<\/p>\n\n\n\n<p>To protect customers using older app versions, Bitwarden ciphertext has an attribute of either 0 or 1. A 0 designates authenticated encryption, while a 1 supports the older unauthenticated scheme. Older versions also use a key hierarchy that Bitwarden deprecated to harden the app. To support the old hierarchy, newer client versions generate a new RSA keypair for the user if the server doesn\u2019t provide one. The newer version will proceed to encrypt the secret key portion with the master key if no user ciphertext is provided by the server.<\/p>\n\n\n\n<p>This design opens Bitwarden to several attacks. The most severe allows reading (but not modification) of all items created after the attack is performed. 
At a simplified level, it works because the adversary can forge the ciphertext sent by the server and cause the client to use it to derive a user key known to the adversary.<\/p>\n\n\n\n<p>The modification causes the use of CBC (<a href=\"https:\/\/en.wikipedia.org\/wiki\/Block_cipher_mode_of_operation\">cipher block chaining<\/a>), a form of encryption that\u2019s vulnerable to several attacks. An adversary can exploit this weaker form using a <a href=\"https:\/\/en.wikipedia.org\/wiki\/Padding_oracle_attack\">padding oracle attack<\/a> and go on to retrieve the plaintext of the vault. Because HMAC protection remains intact, modification isn\u2019t possible.<\/p>\n\n\n\n<p>Surprisingly, Dashlane was vulnerable to a similar padding oracle attack. The researchers devised a complicated attack chain that would allow a malicious server to downgrade a Dashlane user\u2019s vault to CBC and exfiltrate the contents. The researchers estimate that the attack would require about 125 days to decrypt the ciphertext.<\/p>\n\n\n\n<p>Still other attacks against all three password managers allow adversaries to greatly reduce the selected number of hashing iterations\u2014in the case of Bitwarden and LastPass, from a default of 600,000 to 2. Repeated hashing of master passwords makes them significantly harder to crack in the event of a server breach that allows theft of the hash. For all three password managers, the server sends the specified iteration count to the client, with no mechanism to ensure it meets the default number. 
The result is that the adversary receives a 300,000-fold decrease in the time and resources required to crack the hash and obtain the user\u2019s master password.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Attacking malleability<\/h2>\n\n\n\n<p>Three of the attacks\u2014one against Bitwarden and two against LastPass\u2014target what the researchers call \u201citem-level encryption\u201d or \u201cvault malleability.\u201d Instead of encrypting a vault in a single, monolithic blob, password managers often encrypt individual items, and sometimes individual fields within an item. These items and fields are all encrypted with the same key. The attacks exploit this design to steal passwords from select vault items.<\/p>\n\n\n\n<p>An adversary mounts an attack by replacing the ciphertext in the URL field, which stores the link where a login occurs, with the ciphertext for the password. To enhance usability, password managers provide an icon that helps visually recognize the site. To do this, the client decrypts the URL field and sends it to the server. The server then fetches the corresponding icon. Because there\u2019s no mechanism to prevent the swapping of item fields, the client decrypts the password instead of the URL and sends it to the server.<\/p>\n\n\n\n<p>\u201cThat wouldn\u2019t happen if you had different keys for different fields or if you encrypted the entire collection in one pass,\u201d Kenny Paterson, one of the paper co-authors, said. \u201cA crypto audit should spot it, but only if you\u2019re thinking about malicious servers. 
The server is deviating from expected behavior.\u201d<\/p>\n\n\n\n<p>The following table summarizes the causes and consequences of the 25 attacks they devised:<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter\"><a href=\"https:\/\/cdn.arstechnica.net\/wp-content\/uploads\/2026\/02\/unnamed-file.png\"><img decoding=\"async\" src=\"https:\/\/cdn.arstechnica.net\/wp-content\/uploads\/2026\/02\/unnamed-file-640x403.png\" alt=\"\"\/><\/a><figcaption class=\"wp-element-caption\">Credit: Scarlata et al.<\/figcaption><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">A psychological blind spot<\/h2>\n\n\n\n<p>The researchers acknowledge that the full compromise of a password manager server is a high bar. But they defend the threat model.<\/p>\n\n\n\n<p>\u201cAttacks on the provider server infrastructure can be prevented by carefully designed operational security measures, but it is well within the bounds of reason to assume that these services are targeted by sophisticated nation-state-level adversaries, for example via software supply-chain attacks or spearphishing,\u201d they wrote. \u201cMoreover, some of the service providers have a history of being breached\u2014for example, LastPass suffered breaches in 2015 and 2022, and another serious security incident in 2021.\u201d<\/p>\n\n\n\n<p>They went on to write: \u201cWhile none of the breaches we are aware of involved reprogramming the server to make it undertake malicious actions, this goes just one step beyond attacks on password manager service providers that have been documented. 
Active attacks more broadly have been documented in the wild.\u201d<\/p>\n\n\n\n<p>Part of the challenge of designing password managers or any end-to-end encryption service is the tendency toward a false sense of security about the client.<\/p>\n\n\n\n<p>\u201cIt\u2019s a psychological problem when you\u2019re writing both client and server software,\u201d Paterson explained. \u201cYou should write the client super defensively, but if you\u2019re also writing the server, well of course your server isn\u2019t going to send malformed packets or bad info. Why would you do that?\u201d<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Marketing gimmickry or not, \u201czero-knowledge\u201d is here to stay<\/h2>\n\n\n\n<p>In many of the cases, engineers have already fixed the weaknesses described after receiving private reports from the researchers. Engineers are still patching other vulnerabilities. In statements, Bitwarden, LastPass, and Dashlane representatives noted the high bar of the threat model, despite statements on their websites that assure customers their wares will withstand it. Along with 1Password representatives, they also noted that their products regularly receive stringent security audits and undergo red-team exercises.<\/p>\n\n\n\n<p>A Bitwarden representative wrote:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>Bitwarden continually evaluates and improves its software through internal review, third-party assessments, and external research. The ETH Zurich paper analyzes a threat model in which the server itself behaves maliciously and intentionally attempts to manipulate key material and configuration values. 
That model assumes full server compromise and adversarial behavior beyond standard operating assumptions for cloud services.<\/p>\n<\/blockquote>\n\n\n\n<p>LastPass said, \u201cWe take a multi\u2011layered, ongoing approach to security assurance that combines independent oversight, continuous monitoring, and collaboration with the research community. Our cloud security testing is inclusive of the scenarios referenced in the malicious-server threat model outlined in the research.\u201d<\/p>\n\n\n\n<p>Specific measures include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/compliance.lastpass.com\/?itemName=product_features&amp;source=click&amp;itemUid=99109b76-4fb1-47e1-97d1-07449b22d6ce\">Annual penetration testing (available through NDA)<\/a> with reputable experts across all our apps and infrastructure.<\/li>\n\n\n\n<li>A <a href=\"https:\/\/bugcrowd.com\/engagements\/lastpass\">bug bounty program<\/a><\/li>\n\n\n\n<li>Internal penetration testing to validate controls in our corporate environment<\/li>\n\n\n\n<li>Participation in <a href=\"https:\/\/aws.amazon.com\/security\/security_start_right_run_well\/\">AWS\u2019s Security Improvement Program<\/a>, where we conduct an annual in-depth review with AWS Security specialists and define a roadmap for continued improvement of our cloud infrastructure<\/li>\n\n\n\n<li>Continuous, dynamic application testing<\/li>\n<\/ul>\n\n\n\n<p>A statement from Dashlane read, \u201cDashlane conducts rigorous internal and external testing to ensure the security of our product. 
When issues arise, we work quickly to mitigate any possible risk and ensure customers have clarity on the problem, our solution, and any required actions.\u201d<\/p>\n\n\n\n<p>1Password released a statement that read in part:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>Our security team reviewed the paper in depth and found no new attack vectors beyond those already documented in our publicly available Security Design White Paper.<\/p>\n\n\n\n<p>We are committed to continually strengthening our security architecture and evaluating it against advanced threat models, including malicious-server scenarios like those described in the research, and evolving it over time to maintain the protections our users rely on.<\/p>\n<\/blockquote>\n\n\n\n<p>1Password <a href=\"https:\/\/1password.com\/features\/zero-knowledge-encryption\/\">also says<\/a>&nbsp;that the zero-knowledge encryption it provides \u201cmeans that no one but you\u2014not even the company that\u2019s storing the data\u2014can access and decrypt your data. This protects your information even if the server where it\u2019s held is ever breached.\u201d In the company\u2019s white paper linked above, 1Password seems to allow for this possibility when it says:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>At present there\u2019s no practical method for a user to verify the public key they\u2019re encrypting data to belongs to their intended recipient. As a consequence it would be possible for a malicious or compromised 1Password server to provide dishonest public keys to the user, and run a successful attack. 
Under such an attack, it would be possible for the 1Password server to acquire vault encryption keys with little ability for users to detect or prevent it.<\/p>\n<\/blockquote>\n\n\n\n<p>1Password\u2019s statement also includes assurances that the service routinely undergoes rigorous security testing.<\/p>\n\n\n\n<p>All four companies defended their use of the term \u201czero knowledge.\u201d As used in this context, the term can be confused with <a href=\"https:\/\/en.wikipedia.org\/wiki\/Zero-knowledge_proof\">zero-knowledge proofs<\/a>, a completely unrelated cryptographic method that allows one party to prove to another party that they know a piece of information without revealing anything about the information itself. An example is a proof that shows a system can determine if someone is over 18 without having any knowledge of the precise birthdate.<\/p>\n\n\n\n<p>The adulterated zero-knowledge term used by password managers appears to have come into being in 2007, when a company called SpiderOak used it to describe its cloud infrastructure for securely sharing sensitive data. Interestingly, SpiderOak <a href=\"https:\/\/news.ycombinator.com\/item?id=13303436\">formally retired the term<\/a> a decade later after receiving user pushback.<\/p>\n\n\n\n<p>\u201cSadly, it is just marketing hype, much like \u2018military-grade encryption,\u2019\u201d Matteo Scarlata, lead author of the paper, said. \u201cZero-knowledge seems to mean different things to different people (e.g., LastPass told us that they won\u2019t adopt a malicious server threat model internally). Much unlike \u2018end-to-end encryption,\u2019 \u2018zero-knowledge encryption\u2019 is an elusive goal, so it\u2019s impossible to tell if a company is doing it right.\u201d<\/p>\n","protected":false},"excerpt":{"rendered":"<p>On the positive, these exploits will lead to fixes, but as a general rule the family sharing and recovery methods should probably be avoided for now. 
Keep your encrypted password database secure by only you using it with a strong master password. And if you really want to be paranoid, run your own server for [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[],"class_list":["post-16042","post","type-post","status-publish","format-standard","hentry","category-tech"],"blocksy_meta":[],"featured_image_src":null,"author_info":{"display_name":"Jason","author_link":"https:\/\/jasonsblog.ddns.net\/index.php\/author\/jturning\/"},"_links":{"self":[{"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/posts\/16042","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/comments?post=16042"}],"version-history":[{"count":1,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/posts\/16042\/revisions"}],"predecessor-version":[{"id":16043,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/posts\/16042\/revisions\/16043"}],"wp:attachment":[{"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/media?parent=16042"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/categories?post=16042"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/tags?post=16042"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}