{"id":43845,"date":"2026-02-23T05:10:08","date_gmt":"2026-02-22T21:10:08","guid":{"rendered":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/2026\/02\/23\/researchers-demonstrate-27-attacks-against-major-password-managers\/"},"modified":"2026-02-23T05:10:08","modified_gmt":"2026-02-22T21:10:08","slug":"researchers-demonstrate-27-attacks-against-major-password-managers","status":"publish","type":"post","link":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/2026\/02\/23\/researchers-demonstrate-27-attacks-against-major-password-managers\/","title":{"rendered":"Researchers Demonstrate 27 Attacks Against Major Password Managers"},"content":{"rendered":"\n<p>We often treat cloud-based <a href=\"https:\/\/hackread.com\/tag\/Password-manager\/\" data-type=\"post_tag\" data-id=\"5589\" target=\"_blank\" rel=\"noreferrer noopener\">password managers<\/a> as digital safes that only we can open. These services rely on Zero-Knowledge Encryption, a marketing promise that the company storing your data cannot actually see what is inside. However, new research suggests that this safety net is not as secure as many of us assume.<\/p>\n<p>A group of researchers from ETH Zurich and the Universit\u00e0 della Svizzera italiana, led by Professor Kenneth Paterson, recently released a paper  that should make every security-conscious person concerned. 
The team executed 27 successful attacks against industry leaders <a href=\"https:\/\/hackread.com\/fake-bitwarden-password-manager-zenrat\/\" target=\"_blank\" data-type=\"post\" data-id=\"97928\" rel=\"noreferrer noopener\">Bitwarden<\/a>, <a href=\"https:\/\/hackread.com\/uk-ico-fine-lastpass-2022-security-breach\/\" target=\"_blank\" rel=\"noreferrer noopener\">LastPass<\/a>, and <a href=\"https:\/\/hackread.com\/password-managers-found-to-be-vulnerable\/\" target=\"_blank\" data-type=\"post\" data-id=\"76438\" rel=\"noreferrer noopener\">Dashlane<\/a> (12 against Bitwarden, 7 against LastPass, and 6 against Dashlane), proving that if a server is compromised by a sophisticated actor, your vault can be unlocked with surprising ease.<\/p>\n<h3><strong>How the Vaults Were Broken<\/strong><\/h3>\n<p>The findings dismantle the main promise of <a href=\"https:\/\/www.reddit.com\/r\/cryptography\/comments\/10nc1np\/zeroknowledge_encryption_vs_endtoend_encryption\/\" target=\"_blank\" rel=\"noreferrer noopener\">Zero-Knowledge<\/a>. Using a Malicious Server Model, researchers showed that a hacked server could trick the app into betraying the user. These apps often fail to verify if data from the central server has been tampered with, a flaw known as a lack of ciphertext integrity and cryptographic binding, where the <a href=\"https:\/\/hackread.com\/docker-ask-gordon-ai-flaw-metadata-attacks\/\" target=\"_blank\" rel=\"noreferrer noopener\">metadata<\/a> (like the URL) isn&#8217;t properly locked to the sensitive data (the password).<\/p>\n<p>In a field swap attack against Bitwarden and LastPass, researchers showed that because logins are saved in separate pieces (username, password, and URL), a hacker on the server can swap them. 
By moving your encrypted password into the URL spot, the app may accidentally send your decrypted password to an attacker\u2019s server while simply trying to load a website icon.<\/p>\n<p>Other attacks targeted features like account recovery and sharing. In a Malicious Auto-Enrolment attack, a compromised server can force a user to join a fake organisation. Because the app does not authenticate public keys, it might &#8220;blindly trust&#8221; the server and encrypt the user\u2019s master key using the attacker\u2019s key. This hands over a &#8220;recovery ciphertext&#8221; that the hacker can easily unlock.<\/p>\n<p>Furthermore, researchers exploited a Legacy Hazard, where apps keep 15-year-old security methods active for backward compatibility, allowing attackers to force a KDF downgrade to guess data byte-by-byte.<\/p>\n<div>\n<figure><a href=\"https:\/\/hackread.com\/wp-content\/uploads\/2026\/02\/password-managers-vulnerability-compromised-servers-modify-user-credentials-1.jpg\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"717\" src=\"https:\/\/hackread.com\/wp-content\/uploads\/2026\/02\/password-managers-vulnerability-compromised-servers-modify-user-credentials-1.jpg\" style=\"width:697px;height:auto\" srcset=\"https:\/\/hackread.com\/wp-content\/uploads\/2026\/02\/password-managers-vulnerability-compromised-servers-modify-user-credentials-1.jpg 1024w, https:\/\/hackread.com\/wp-content\/uploads\/2026\/02\/password-managers-vulnerability-compromised-servers-modify-user-credentials-1-300x210.jpg 300w, https:\/\/hackread.com\/wp-content\/uploads\/2026\/02\/password-managers-vulnerability-compromised-servers-modify-user-credentials-1-768x538.jpg 768w, https:\/\/hackread.com\/wp-content\/uploads\/2026\/02\/password-managers-vulnerability-compromised-servers-modify-user-credentials-1-380x266.jpg 380w, 
https:\/\/hackread.com\/wp-content\/uploads\/2026\/02\/password-managers-vulnerability-compromised-servers-modify-user-credentials-1-800x560.jpg 800w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" alt=\"Researchers Demonstrate 27 Attacks Against Major Password Managers\" \/><\/a><figcaption>Attacks are divided into four categories based on the password manager feature exploited. Each reference indicates the affected product: BW for Bitwarden, LP for LastPass, DL for Dashlane. For each attack, we state the root cause, high level impact, \u2020 denotes recovery of encrypted passwords, and required client interaction: synchronisation, periodic or user triggered, login, vault opening, organisation join, vault sharing, or clicking a misleading dialog.<\/figcaption><\/figure>\n<\/p><\/div>\n<h3><strong>Which Apps are Safest and What to Do<\/strong><\/h3>\n<p>While Bitwarden, LastPass, and Dashlane showed various weaknesses, 1Password emerged as the most secure. Researchers found that 1Password\u2019s Secret Key, a random code that stays only on your devices, makes most of these server-side attacks mathematically impossible. Even if a hacker takes over the company\u2019s servers, they lack the second half of the key needed to decrypt the data. This highlights that true digital safety requires a small extra step from the user rather than total reliance on a company&#8217;s marketing.<\/p>\n<p>Following the study\u2019s 90-day disclosure period, vendors have begun patching these holes. Dashlane and Bitwarden have already released fixes to harden their systems and remove legacy cryptography. Users should update their apps immediately. 
<\/p>\n<p>To maximise protection, enable a Secret Key or use a hardware security key (like a YubiKey); these add a physical layer of security that a remote hacker simply cannot bypass. Apart from that, researchers conclude that vendors also need to \u201censure solid foundations, novel definitions to capture security in this setting.\u201d<\/p>\n<div >\n<div>\n<div>\n<div>\n<h5><a href=\"https:\/\/hackread.com\/author\/deeba\/\" rel=\"author\">Deeba Ahmed<\/a><\/h5>\n<div>\n<div>Deeba is a veteran cybersecurity reporter at Hackread.com with over a decade of experience covering cybercrime, vulnerabilities, and security events. 
Her expertise and in-depth analysis make her a key contributor to the platform\u2019s trusted coverage.<\/div>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"<p>We often treat cloud-based password managers as digital [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-43845","post","type-post","status-publish","format-standard","hentry","category-hackread"],"_links":{"self":[{"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/posts\/43845","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/comments?post=43845"}],"version-history":[{"count":0,"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/posts\/43845\/revisions"}],"wp:attachment":[{"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/media?parent=43845"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/categories?post=43845"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/tags?post=43845"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}