Last Update: 04/05/2026 at 2:50 PM EST

Researchers Expose Password Manager Vault Flaws

Coverage from Help Net Security, TechSpot, and others

Articles: 5

Latest Article: 02/25

Active Days: 10

Executive Summary

ETH Zurich researchers found server-side flaws in major password managers that can let attackers read or alter encrypted vaults.

  • Researchers tested Bitwarden, LastPass, Dashlane and 1Password under a malicious-server threat model
  • They found server-side attacks can recover passwords, alter ciphertext and compromise vault integrity
  • The attacks often need only routine actions such as login, vault access or sync
  • Design gaps included weak key separation, item-level encryption issues and backward compatibility
  • Legacy cryptography and complex recovery or sharing features expanded the attack surface
  • Vendors were notified in advance and have begun patching some issues
  • Researchers urged audits, stronger authentication and migration to safer vault formats

Quick Facts

  • What: Demonstrated server-side attacks on cloud password managers
  • Where: Bitwarden, LastPass, Dashlane and 1Password vault systems
  • Why: To show compromised servers can still expose encrypted passwords
  • Who: ETH Zurich and Università della Svizzera italiana researchers
  • When: In 2026 after months of vendor notice

Coverage Timeline: 10 Days

Articles per day: Feb 16 '26: 1, Feb 17: 2, Feb 23: 1, Feb 25 '26: 1

Featured Article

Help Net Security / Zeljka Zorz 02-17-2026
Researchers at ETH Zurich and Università della Svizzera italiana demonstrated in 2026 that server-side tampering can compromise cloud password-manager vaults for Bitwarden, LastPass, Dashlane, and 1Password.

Additional Articles

⭐⭐⭐⭐⭐⭐⭐⭐

TechSpot 02-17-2026
ETH Zurich researchers evaluated Bitwarden, LastPass, and Dashlane this year, revealing encryption weaknesses that could expose user credentials in cloud deployments.

⭐⭐⭐⭐⭐

TechXplore / Samuel Schlaefli 02-16-2026
Researchers at ETH Zurich and Università della Svizzera italiana demonstrated in 2026 server-side attacks that can compromise Bitwarden, LastPass and Dashlane vaults during normal user actions.

⭐⭐⭐

Electronic Frontier Foundation / Jacob Hoffman-Andrews 02-25-2026
Users on the internet use password managers to generate unique passwords and autofill across sites, reducing data breach and phishing risks across platforms.

⭐️⭐️

Schneier on Security / Bruce Schneier 02-23-2026
Researchers and users evaluate password managers and encryption practices in the 2020s across cloud and local environments to prevent backdoors.