Researchers Warn: “Zero-Knowledge” Password Managers May Not Be as Secure as Claimed

CyberDefender 7 mins0

Cloud-based password managers have become fundamental tools in modern digital life, helping users store and retrieve hundreds of login credentials with a single master password. Many of today’s most widely adopted services tout “zero-knowledge encryption”—the idea that even the provider cannot see or access user vault contents. However, recent research from the Applied Cryptography Group at ETH Zurich has shown that these marketing promises may not hold up under rigorous scrutiny.

What Was Studied

The research team led by Prof. Kenneth Paterson and collaborators (Matilda Backendal, Matteo Scarlata, and Giovanni Torrisi) conducted a comprehensive security analysis focusing on cloud-based password managers, including:

  • Bitwarden
  • LastPass
  • Dashlane

Together, these services manage credentials for roughly 60 million individuals and thousands of businesses worldwide.

Rather than testing typical client-side attacks, the researchers adopted a malicious server threat model. In this scenario, the server storing users’ encrypted vaults is assumed to be fully compromised and can behave arbitrarily when interacting with the client—an approach that simulates a worst-case server breach.

Zero-Knowledge Encryption: Assumptions vs Reality

Zero-knowledge encryption (ZKE) is often marketed as a guarantee that only the end user—with their master password—can decrypt stored credentials. Even the service provider, under this model, should have no ability to read or modify the encrypted contents.

However, the ETH Zurich research demonstrates that zero-knowledge principles alone are insufficient if the underlying protocol design and implementation contain weaknesses. Specifically:

  • Compromised servers can manipulate authentication parameters such as key derivation functions or encryption settings.
  • Vault integrity checks can be bypassed due to lack of authenticated encryption or unverified metadata.
  • Support for legacy cryptographic schemes or backward compatibility can open paths for downgrade attacks.

These weaknesses mean that, under certain conditions, an attacker controlling the server infrastructure can not only read stored passwords but also modify them without detection.

Demonstrated Attack Vectors

The study documented multiple classes of attack, including:

  • Key Escrow Exploits: Mechanisms intended for account recovery can be abused to leak decryption keys.
  • Item-Level Encryption Flaws: Separately encrypted vault items may allow targeted recovery of specific credentials.
  • Credential Sharing Weaknesses: Features enabling account sharing introduce additional trust boundaries that can be abused.
  • Backward Compatibility Risks: Legacy code paths and older cryptographic standards remain active in some clients, increasing the attack surface.

Across these categories, the researchers found:

  • 12 successful attack scenarios against Bitwarden
  • 7 against LastPass
  • 6 against Dashlane

In many of these, the simulated malicious server could derive or alter user passwords merely through routine user actions such as logging in or syncing vaults.

Architectural Causes and Contributing Factors

Three core themes emerged from the analysis:

  1. Trust in Server Behavior: Zero-knowledge encryption assumes benign server behavior. But once a server is compromised, interactions between client and server can be manipulated to subvert cryptographic guarantees.
  2. Complex Code Increases Risk: Features that improve usability—like account recovery and password sharing—also broaden the potential attack surface. Complex legacy code, especially cryptographic compatibility layers, can introduce subtle security flaws.
  3. Outdated Cryptographic Practices: Some services continue to support older cryptographic algorithms and trust models that have known limitations, weakening overall security.

Implications for Users and Developers

The ETH Zurich team was careful to emphasize that these attack scenarios require a fully compromised server environment—something that is not the same as a typical remote attack or phishing attempt. Nonetheless:

  • Users should not assume a password manager is infallible simply because it advertises zero-knowledge guarantees.
  • Organizations deploying password managers must assess not only encryption strength, but also protocol design integrity, the potential for malicious server behavior, and the trade-offs introduced by added features.

For developers and service providers, the research suggests:

  • Transitioning away from legacy cryptographic schemes and adopting modern authenticated encryption standards.
  • Enabling new secure defaults for encryption protocols and key management.
  • Providing transparent audit reports and independent security evaluations.

Conclusion

The ETH Zurich findings serve as an important reminder: strong cryptography does not automatically equate to secure real-world systems. Architectural assumptions, protocol design, and implementation details all play vital roles in preserving security guarantees. Users and organizations relying on cloud-based password managers should remain informed about the limits of their chosen tools and push for transparency and robust design in security-critical software.

CyberDefender