Zero Knowledge (About) Encryption: Security Analysis of Password Managers
A recent security analysis examined the Zero Knowledge Encryption claims of three popular cloud-based password managers: Bitwarden, LastPass, and Dashlane. The study revealed multiple vulnerabilities, including integrity violations and potential password recovery, highlighting the risks posed by malicious servers. The findings have been disclosed to the vendors, and remediation efforts are currently underway.
- The analysis identified 12 attacks against Bitwarden, 7 against LastPass, and 6 against Dashlane.
- These attacks ranged from integrity violations to complete compromises of user vaults.
- The majority of the vulnerabilities allowed for the recovery of passwords.
Opening excerpt (first ~120 words)
Paper 2026/058
Zero Knowledge (About) Encryption: A Comparative Security Analysis of Three Cloud-based Password Managers
Matteo Scarlata, ETH Zurich; Giovanni Torrisi, Universita della Svizzera Italiana; Matilda Backendal, Universita della Svizzera Italiana; Kenneth G. Paterson, ETH Zurich
Abstract
Zero Knowledge Encryption is a term widely used by vendors of cloud-based password managers. Although it has no strict technical meaning, the term conveys the idea that the server, who stores encrypted password vaults on behalf of users, is unable to learn anything about the contents of those vaults. The security claims made by vendors imply that this should hold even if the server is fully malicious.
…
Excerpt limited to ~120 words for fair-use compliance. The full article is at IACR Cryptology ePrint Archive.
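The abstract's point that "zero knowledge" must hold against a fully malicious server, not just a curious one, is easiest to see with a toy model. The Python below is an added illustration, not code from the paper or from any of the three vendors, and it does not reproduce any of the attacks the paper reports: it models a vault in which each password is client-side encrypted and individually authenticated, shows that a server which never sees a key can still swap two ciphertext blobs so the client decrypts the bank password under a different site, and then shows the same vault with each blob bound to its entry name via associated data and a client-computed root MAC over the vault structure and a version counter, so that swaps, deletions and rollbacks are rejected. The site names, passwords, key-derivation labels and the SHAKE-keystream "AEAD" are all constructed for the demo (a real design would use a standard AEAD such as AES-GCM with a proper KDF).

```python
"""Toy 'zero knowledge' vault: the server only ever stores opaque blobs,
yet without structural binding it can still violate integrity.
Constructed demo only; not any vendor's real vault format."""
import hashlib
import hmac
import secrets


def _subkey(master: bytes, label: bytes) -> bytes:
    # Hypothetical KDF: separate encryption, MAC and root keys from one master key.
    return hashlib.sha256(master + label).digest()


def seal(master: bytes, aad: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with a SHAKE-256 keystream (toy AEAD, demo only).
    The tag covers aad || nonce || ciphertext, so a blob is only valid
    under the associated data it was sealed with."""
    nonce = secrets.token_bytes(16)
    ks = hashlib.shake_256(_subkey(master, b"enc") + nonce).digest(len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(master, b"mac"), aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_(master: bytes, aad: bytes, blob: bytes) -> bytes:
    """Verify the tag under the given aad, then decrypt. Raises ValueError on mismatch."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(master, b"mac"), aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    ks = hashlib.shake_256(_subkey(master, b"enc") + nonce).digest(len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


# --- Naive vault: every password blob is authenticated, but nothing ties a blob
#     to the site it belongs to or to the vault as a whole. ---------------------
def naive_encrypt_vault(master: bytes, entries: dict) -> dict:
    return {site: seal(master, b"", pw.encode()) for site, pw in entries.items()}


def naive_decrypt_vault(master: bytes, stored: dict) -> dict:
    return {site: open_(master, b"", blob).decode() for site, blob in stored.items()}


# --- Bound vault: blob is sealed under aad=site, and a root MAC over
#     (version, sorted site -> blob hash) authenticates the structure. ----------
def _root(master: bytes, version: int, enc: dict) -> bytes:
    h = hmac.new(_subkey(master, b"root"), version.to_bytes(8, "big"), hashlib.sha256)
    for site in sorted(enc):
        h.update(len(site).to_bytes(2, "big") + site.encode() + hashlib.sha256(enc[site]).digest())
    return h.digest()


def bound_encrypt_vault(master: bytes, entries: dict, version: int) -> dict:
    enc = {site: seal(master, site.encode(), pw.encode()) for site, pw in entries.items()}
    return {"version": version, "entries": enc, "root": _root(master, version, enc)}


def bound_decrypt_vault(master: bytes, stored: dict, last_seen_version: int) -> dict:
    # Rollback is only detectable because the client remembers the last version it wrote.
    if stored["version"] < last_seen_version:
        raise ValueError("rollback: server returned an older vault")
    if not hmac.compare_digest(stored["root"], _root(master, stored["version"], stored["entries"])):
        raise ValueError("vault structure tampered (entry added, removed or moved)")
    return {site: open_(master, site.encode(), blob).decode() for site, blob in stored["entries"].items()}


def malicious_server_swap(stored_entries: dict, a: str, b: str) -> dict:
    """What a malicious server can do without any key: move opaque blobs around."""
    s = dict(stored_entries)
    s[a], s[b] = s[b], s[a]
    return s


def demo() -> dict:
    master = secrets.token_bytes(32)
    entries = {"bank.example": "hunter2", "attacker.example": "junk"}  # constructed sample data
    out = {}
    # 1. Naive vault: the server swaps two blobs it cannot read, and the client
    #    decrypts the bank password under the attacker-controlled site.
    stored = malicious_server_swap(naive_encrypt_vault(master, entries), "bank.example", "attacker.example")
    out["naive_swap_undetected"] = naive_decrypt_vault(master, stored)["attacker.example"] == "hunter2"
    # 2. Bound vault: the same swap, a deleted entry and a rollback are all rejected.
    v1 = bound_encrypt_vault(master, entries, version=1)
    v2 = bound_encrypt_vault(master, {**entries, "bank.example": "rotated"}, version=2)
    swapped = {**v1, "entries": malicious_server_swap(v1["entries"], "bank.example", "attacker.example")}
    dropped = {**v1, "entries": {k: v for k, v in v1["entries"].items() if k != "attacker.example"}}
    for name, served, last_seen in [("swap", swapped, 1), ("delete", dropped, 1), ("rollback", v1, 2)]:
        try:
            bound_decrypt_vault(master, served, last_seen)
            out[f"bound_{name}_detected"] = False
        except ValueError:
            out[f"bound_{name}_detected"] = True
    out["bound_honest_ok"] = bound_decrypt_vault(master, v2, 2)["bank.example"] == "rotated"
    return out


if __name__ == "__main__":
    print(demo())
```

The naive case is the whole point of the abstract's "fully malicious" qualifier: confidentiality is intact (the server learns nothing), yet the server still chooses which secret the client decrypts for which site. Binding each blob to its entry and authenticating the vault's structure and version closes that gap, but only as far as the client keeps enough state (the last version it wrote) to notice a rollback.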