New research challenges the long-standing “zero-knowledge” promises of major password managers, showing that a compromised server or misconfigured account-recovery settings can expose vault data. The study, which analyzed Bitwarden, Dashlane, and LastPass, suggests that even widely used encryption schemes may fall short when attackers gain control of the hosting infrastructure.
Researchers reverse-engineered the three products and found attack paths tied to account recovery and vault-sharing features. In scenarios where accounts are recoverable or vaults are organized into groups, certain protections may be bypassed, potentially allowing vault data to leak despite encryption at rest.
One class of attacks targets how new members join a vault. An attacker who controls the server could substitute their own public keys during enrollment, so that data shared with the new member can be decrypted by the attacker. Other attacks weaken encryption by downgrading clients to older, simpler modes or by exploiting the client–server interaction during recovery and key rotation.
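To make the enrollment risk concrete, here is an added toy model, written for this summary rather than taken from the paper or any vendor's code: an admin wraps a vault key for a new member using a public key fetched from the server's key directory, and an optional out-of-band fingerprint check rejects a key the server has substituted. The group, the `Directory` class and `share_vault_key` are assumptions for illustration, with a deliberately small Diffie-Hellman modulus standing in for real key agreement.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman over a Mersenne prime: illustration only, not a real
# password manager's cryptography (assumption for this example).
P = 2**127 - 1
G = 3

def keygen():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def shared_key(priv, peer_pub):
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(16, "big")).digest()

def fingerprint(pub):
    # Short hash a member can read out to the admin over a separate channel.
    return hashlib.sha256(pub.to_bytes(16, "big")).hexdigest()[:16]

def wrap(key, vault_key):
    # One-block XOR with an HMAC keystream; stands in for a real AEAD.
    stream = hmac.new(key, b"vault-key-wrap", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(stream, vault_key))

class Directory:
    """Server-side public-key directory; `compromised` models a hostile host."""

    def __init__(self):
        self.keys, self.compromised, self.rogue_priv = {}, False, None

    def register(self, user, pub):
        self.keys[user] = pub

    def lookup(self, user):
        if not self.compromised:
            return self.keys[user]
        self.rogue_priv, rogue_pub = keygen()  # server swaps in its own key
        return rogue_pub

def share_vault_key(directory, admin_priv, new_member, vault_key, pinned_fp=None):
    """Admin wraps the vault key for a new member; pinned_fp is the out-of-band check."""
    pub = directory.lookup(new_member)
    if pinned_fp is not None and fingerprint(pub) != pinned_fp:
        raise ValueError("public key for %s does not match pinned fingerprint" % new_member)
    return wrap(shared_key(admin_priv, pub), vault_key)
```

Without `pinned_fp` the wrapped key is readable by whoever holds the private half of the key the server returned; with it, a substituted key is refused before anything is wrapped.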
Ars Technica notes that the researchers concluded “zero-knowledge” is not an absolute guarantee in practical terms, and vendors responded by stressing the importance of threat modeling, audits, and continuous improvements to recovery workflows and key management.
Experts say the findings should push password-manager developers to harden recovery and group-key flows and to state clearly what “zero-knowledge” means in real-world deployments. While the technology remains robust in many settings, the paper highlights that end-to-end encryption cannot assume a perfectly trusted server and that administrator access can introduce real risk.