ETH Zurich Breaks “Zero Knowledge” Encryption in Bitwarden, LastPass, and Dashlane
Researchers found 25 attacks that let compromised servers steal passwords despite vendors’ “zero knowledge” claims. 60 million users affected.
ETH Zurich researchers published a devastating study showing that three major password managers (Bitwarden, LastPass, and Dashlane) fail to protect passwords if their servers get compromised, despite marketing “zero knowledge encryption.”
The team found 12 attacks against Bitwarden, 7 against LastPass, and 6 against Dashlane. Most attacks allow full password recovery. Combined, these services have 60 million users and 23% market share.
What “zero knowledge” means (supposedly): Your passwords are encrypted on your device. The server is just dumb storage for encrypted data. Even if hackers pwn the server, they can’t read your passwords.
What researchers found: If attackers control the server, they can:
Swap encryption keys during account recovery
Downgrade cryptographic protections to weak legacy modes
Inject themselves into organization vaults
Swap password fields around to leak data
Remove brute-force protection by lowering KDF iterations
Substitute public keys during sharing
The researchers set up malicious servers that behaved like compromised password manager infrastructure. They tested what happens when servers deviate from expected behavior and found the “zero knowledge” promise collapsed immediately.
Password managers: “We use zero knowledge encryption! Even if we get hacked, your passwords are safe!”
ETH Zurich: sets up fake server, recovers all passwords in 25 different ways
This is like advertising bulletproof glass and having it shatter the first time someone tests it.
If you use Bitwarden, LastPass, or Dashlane:
Check if your vendor patched your specific vulnerabilities (disclosure links below)
Bitwarden: 7 of 12 attacks fixed, 3 accepted as “design decisions”
LastPass: LP03 fixed, working on integrity improvements
Dashlane: Fixed downgrade attacks in v6.2544.1 (November 2025)
Important: Even after you update your client, a compromised server can still mount the attacks that have not been fixed
For everyone using password managers:
Ask your vendor: “What happens if your servers get compromised?”
1Password fared better (only 2 attacks; it combines a secret key with the master password)
Consider hardware security keys for 2FA (not SMS codes)
Don’t reuse master passwords across services
Questions to ask your password manager:
Do you offer end-to-end encryption?
What security exists if servers are compromised?
How do you authenticate public keys and ciphertexts?
How do you authenticate KDF settings (iteration counts)?
Can malicious servers inject items into vaults?
The threat model here is “server gets compromised.” Researchers have no evidence this has happened. But LastPass was breached three times (2015, 2021, 2022), so “compromised servers” isn’t theoretical—it’s historical fact.
“Zero knowledge encryption” turned out to be marketing, not cryptography.
The core problem: vendors designed their systems assuming servers would behave honestly. When researchers tested against malicious servers, everything broke.
Key issues across all three vendors:
No key authentication - servers can swap keys during recovery/sharing
No ciphertext authentication - servers can modify encrypted data
No settings authentication - servers can weaken crypto (lower KDF iterations)
Legacy compatibility - old insecure modes still supported, servers can force downgrade
Item-level encryption - vault integrity fails when items are encrypted separately
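An added illustration of the “no settings authentication” issue above (this is example code, not the paper’s or any vendor’s implementation): a naive client derives its vault key with whatever iteration count the server returns, while a hardened client binds the KDF parameters to a MAC under a key only the user can derive, so a lowered count fails verification before the key is ever used. The sample password, salt and the 100,000-iteration count are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed sample values; a real client would use the user's master password
# and a per-user salt (often the account e-mail) instead.
MASTER_PASSWORD = b"correct horse battery staple"
SALT = b"user@example.invalid"


def derive_key(password: bytes, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 vault key; the iteration count is the brute-force cost."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=32)


def _params_tag(key: bytes, params: dict) -> str:
    # MAC over the canonical (sorted-key) JSON encoding of the KDF parameters.
    encoded = json.dumps(params, sort_keys=True).encode()
    return hmac.new(key, encoded, "sha256").hexdigest()


def naive_client_key(server_params: dict) -> bytes:
    """Trusts the server: a lowered iteration count silently yields a weak key."""
    return derive_key(MASTER_PASSWORD, SALT, server_params["iterations"])


def enrol(iterations: int) -> dict:
    """Hardened client setup: store the KDF parameters together with a MAC
    keyed by the derived key, which the server never sees."""
    params = {"kdf": "pbkdf2-sha256", "iterations": iterations}
    key = derive_key(MASTER_PASSWORD, SALT, iterations)
    return {"params": params, "tag": _params_tag(key, params)}


def verify_kdf_params(record: dict) -> bool:
    """Re-derive the key from the stored parameters and check the MAC.
    Any change to the iteration count (or algorithm name) breaks the tag."""
    key = derive_key(MASTER_PASSWORD, SALT, record["params"]["iterations"])
    return hmac.compare_digest(_params_tag(key, record["params"]), record["tag"])


def hardened_client_key(record: dict) -> bytes:
    """Refuse to unlock unless the server-supplied KDF settings verify."""
    if not verify_kdf_params(record):
        raise ValueError("KDF parameters failed authentication; refusing to unlock")
    return derive_key(MASTER_PASSWORD, SALT, record["params"]["iterations"])


def lowered_by_server(record: dict, iterations: int) -> dict:
    """Model a server that rewrites the stored iteration count before returning it."""
    tampered = json.loads(json.dumps(record))
    tampered["params"]["iterations"] = iterations
    return tampered
```

The client still has to run the KDF at the server-supplied count before it can check the tag, so a sane upper bound on the iteration count is needed to avoid a resource-exhaustion nuisance; the check itself is what turns a silent downgrade into a hard failure.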
Kenneth Paterson (lead researcher): “We were surprised by the severity of the security vulnerabilities. We had already discovered similar vulnerabilities in other cloud-based services but had assumed a significantly higher standard of security for password managers due to the critical data they store.”
The researchers followed responsible disclosure: 90 days’ notice, detailed vulnerability reports, and patch review support. All vendors are working on fixes.
But here’s the uncomfortable truth: fixing this requires breaking changes. Backwards compatibility is what enables many of these attacks. Vendors are terrified of breaking existing vaults and losing customers.
- Alex
P.S. — Full 28-page technical paper: https://eprint.iacr.org/2026/058
Bitwarden statement: “Third-party security assessments like these are critical to continue providing state of the art security.”
LastPass: “Our assessment may not fully align with the severity ratings.” (Classic.)