
Ethical Hacking News

The Dark Underbelly of Password Managers: A Critical Examination of Zero-Knowledge Encryption



A recent study has revealed significant weaknesses in popular password managers, including Bitwarden, LastPass, and Dashlane. The researchers' findings highlight the need for greater transparency and accountability within the industry, emphasizing the importance of security and communication among vendors.

  • Many popular password managers claim to offer zero-knowledge encryption but may not be as secure as users believe.
  • Three leading password managers (Bitwarden, LastPass, and Dashlane) were found to be vulnerable to attacks, with Bitwarden being the most susceptible.
  • Seven out of twelve successful attacks on Bitwarden resulted in password disclosure, while only three of LastPass's attacks led to the same end.
  • Dashlane implemented measures to mitigate some vulnerabilities identified by the researchers.
  • The study highlights the need for greater transparency and accountability among password manager vendors.
  • Vendors should ensure new users have access to the latest cryptographic standards by default and offer existing customers the option to migrate to newer versions with improved security features.


In an era where online security has become a paramount concern, password managers have emerged as a vital tool for safeguarding sensitive information. However, a recent study by researchers from ETH Zurich and Università della Svizzera italiana (USI) has revealed a disturbing reality: many popular password managers claim to offer zero-knowledge encryption, but in reality they may not be as secure as users believe.

The research team, led by Professor Kenneth Paterson, conducted an extensive analysis of three leading password managers: Bitwarden, LastPass, and Dashlane. Their findings suggest that all three are vulnerable to attacks, with Bitwarden being the most susceptible. The researchers exploited a series of flaws in these password managers, including weaknesses in their encryption protocols and backup systems.

According to the study, seven out of twelve successful attacks on Bitwarden resulted in the disclosure of passwords, while only three of LastPass's attacks led to the same end. Dashlane, meanwhile, implemented measures to mitigate some of the vulnerabilities identified by the researchers. The study highlights the importance of ensuring that new users have access to the latest cryptographic standards by default, and of offering existing customers the choice between migrating to them or staying put, with full knowledge of the vulnerabilities.

The researchers emphasized that password managers have escaped deep academic scrutiny until now, unlike end-to-end encrypted messaging apps. This lack of scrutiny has led to a perception that password managers are simple applications that derive keys and then encrypt with them. However, their codebases are more complex than that, often offering features such as the ability to share accounts with family members and various ways to maintain backward compatibility with older encryption standards.

The study's primary recommendation for vendors is to ensure that new users have access to the latest cryptographic standards by default. Additionally, the researchers suggested that existing customers should be informed of the vulnerabilities and offered the option to migrate to newer versions with improved security features.

"We want our work to help bring about change in this industry," said Professor Paterson. "The providers of password managers should not make false promises to their customers about security but instead communicate more clearly and precisely what security guarantees their solutions actually offer."

The study's findings have significant implications for the cybersecurity industry, highlighting the need for greater transparency and accountability among password manager vendors. As users continue to rely on password managers to protect their sensitive information, it is essential that vendors prioritize security and adhere to best practices in the development and deployment of these products.

In response to the research, Dashlane published a comprehensive response, thanking the researchers and confirming that they had fixed the most serious issue identified by the study. LastPass also acknowledged the findings and implemented near-term hardening measures while establishing plans to remediate or reinforce relevant components of their service on a timeline commensurate with the assessed risk.

The researchers' critical examination has shed light on a serious weakness in an industry that is supposed to be at the forefront of online security. As users continue to face increasing threats from cyberattacks and data breaches, it is essential that vendors prioritize security and transparency in their products.

In conclusion, the study highlights the need for greater scrutiny and accountability within the password manager industry. By ensuring that new users have access to the latest cryptographic standards by default and offering existing customers the option to migrate to newer versions with improved security features, vendors can help mitigate the risks associated with password management.
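The two recommendations above (strong key derivation for new vaults, and a clear migration path for old ones) come down to one design point: a vault must record which KDF parameters it was created with, so the client can tell a legacy vault from a current one and re-derive under the newer settings. The following is an added illustration, not code from the study or from any of the vendors named here; the "legacy" and "current" PBKDF2 iteration counts are constructed values for the demo, not any product's real settings, and the vault layout (`kdf`, `iterations`, `salt`, `verifier`) is an assumption of this example.

```python
import hashlib
import hmac
import os

# Constructed policy for this example: what "current" and "legacy" KDF
# parameters look like. These are NOT any vendor's real values.
CURRENT_KDF = {"kdf": "pbkdf2-sha256", "iterations": 600_000}
LEGACY_KDF = {"kdf": "pbkdf2-sha256", "iterations": 5_000}  # deliberately weak


def derive_key(password: str, salt: bytes, params: dict) -> bytes:
    """Derive a 32-byte vault key from the master password with the
    parameters recorded in the vault header (stdlib PBKDF2-HMAC-SHA256)."""
    if params["kdf"] != "pbkdf2-sha256":
        raise ValueError(f"unsupported kdf: {params['kdf']}")
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, params["iterations"], dklen=32
    )


def make_verifier(key: bytes) -> str:
    """A password-check tag bound to the derived key. It lets the client
    confirm the master password without storing the key or the password."""
    return hmac.new(key, b"vault-verifier", "sha256").hexdigest()


def create_vault(password: str, params: dict = CURRENT_KDF) -> dict:
    """Create a vault header whose KDF parameters are recorded explicitly,
    so a later client can recognise whether they are still acceptable."""
    salt = os.urandom(16)
    key = derive_key(password, salt, params)
    return {
        "kdf": params["kdf"],
        "iterations": params["iterations"],
        "salt": salt.hex(),
        "verifier": make_verifier(key),
    }


def unlock(vault: dict, password: str):
    """Return the derived key if the password matches the verifier, else None."""
    params = {"kdf": vault["kdf"], "iterations": vault["iterations"]}
    key = derive_key(password, bytes.fromhex(vault["salt"]), params)
    if hmac.compare_digest(make_verifier(key), vault["verifier"]):
        return key
    return None


def needs_migration(vault: dict) -> bool:
    """True when the vault was created under parameters weaker than the
    current policy: the signal the client should surface to the user."""
    return (
        vault["kdf"] != CURRENT_KDF["kdf"]
        or vault["iterations"] < CURRENT_KDF["iterations"]
    )


def migrate(vault: dict, password: str) -> dict:
    """Re-derive the vault under the current parameters. The old vault must
    unlock first, so the user's password is confirmed before it is replaced."""
    if unlock(vault, password) is None:
        raise ValueError("master password does not match the existing vault")
    return create_vault(password, CURRENT_KDF)


if __name__ == "__main__":
    old = create_vault("correct horse battery staple", LEGACY_KDF)
    print("legacy vault needs migration:", needs_migration(old))
    new = migrate(old, "correct horse battery staple")
    print("migrated vault needs migration:", needs_migration(new))
```

The salt and iteration count live next to the ciphertext because the client must be able to read them before it can derive anything; what must not live there is anything that lets someone holding only the vault file skip the KDF. In a real product the migration step would also re-encrypt every stored secret under the new key, which this header-only example omits.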



Related Information:
  • https://www.ethicalhackingnews.com/articles/The-Dark-Underbelly-of-Password-Managers-A-Critical-Examination-of-Zero-Knowledge-Encryption-ehn.shtml

  • https://go.theregister.com/feed/www.theregister.com/2026/02/16/password_managers/

  • https://www.msn.com/en-us/money/other/you-probably-cant-trust-your-password-manager-if-its-compromised/ar-AA1Wt85T

  • https://www.thehelper.net/threads/you-probably-cant-trust-your-password-manager-if-its-compromised.200515/


  • Published: Tue Feb 17 21:52:15 2026 by llama3.2 3B Q4_K_M
