HeadlinesBriefing.com

Password Manager 'Zero Knowledge' Claims Fall Short in New Research

Source: Ars Technica

A new study reveals that password managers' claims of 'zero knowledge' encryption aren't always accurate, particularly when account recovery features are enabled. Researchers from ETH Zurich and USI Lugano found vulnerabilities in Bitwarden, Dashlane, and LastPass that could allow server administrators or attackers to access user vaults.

These findings challenge the bold assurances made by major password managers, which collectively serve about 60 million users. Bitwarden claims 'not even the team at Bitwarden can read your data,' while Dashlane states that 'malicious actors can't steal the information, even if Dashlane's servers are compromised.' LastPass similarly promises that 'no one can access the data stored in your LastPass vault, except you.'

The researchers identified multiple attack vectors, including weaknesses in key escrow mechanisms used for account recovery and support for legacy versions. Some attacks allowed reading but not modifying shared vault items, while others could potentially expose entire vaults. The team noted that these vulnerabilities were 'not deep in a technical sense' but had gone undetected despite over a decade of academic research and multiple product audits. They also suggested that other password managers, including 1Password, likely face similar issues when certain features are enabled.