Critical Vulnerabilities in Major Password Managers Allow Attackers to View and Change Passwords
Critical Vulnerabilities in Major Password Managers Allow Attackers to View and Change Passwords
Researchers from ETH Zurich and Università della Svizzera italiana have discovered 27 serious security vulnerabilities across four of the world’s most popular cloud-based password managers—Bitwarden, LastPass, Dashlane, and 1Password—that could allow attackers to view, modify, and delete stored passwords without detection. The findings, published in a peer-reviewed paper on February 16, 2026, directly contradict these services’ claims of offering “zero-knowledge encryption,” a security model that supposedly prevents even the service providers from accessing user vault contents.
The Attack: How Hackers Exploit Password Manager Flaws
The research team identified 27 distinct attack scenarios that exploit fundamental cryptographic design flaws in these password managers. Rather than requiring sophisticated hacking techniques, many of these attacks leverage simple interactions that users perform routinely—logging in, opening vaults, viewing passwords, or synchronizing data. As researchers noted, attackers need only “small programs capable of impersonating the server” to execute these attacks.
The vulnerabilities fall into four primary categories:
- Key Escrow Attacks: Exploit account recovery features to achieve full vault compromise through unauthenticated key escrow mechanisms (4 successful attacks: 3 against Bitwarden, 1 against LastPass)
- Vault Encryption Flaws: Enable integrity violations, metadata leakage, field swapping, and key derivation function downgrades through item-level encryption weaknesses (11 successful attacks across all four services)
- Sharing Feature Exploits: Compromise organization and shared vaults via unauthenticated public keys (5 successful attacks)
- Backwards Compatibility Downgrades: Force systems to revert to insecure legacy encryption, enabling confidentiality loss and brute-force attacks (7 successful attacks, primarily against Dashlane and Bitwarden)
The core technical issues include unauthenticated public keys, lack of ciphertext integrity, insufficient key separation, and missing cryptographic binding between data and metadata. One particularly severe attack demonstrates how an attacker can intercept a user’s request to join an organization, replace the server’s response with a tampered policy and forged public key, trick the client into encrypting the user’s master key under the attacker’s key, and then decrypt it to gain full access to all stored passwords and sensitive data.
The impact scales exponentially: if an attacker compromises a single user in an organization, they gain access to the organization’s private key, which may be shared among multiple team members, potentially leading to mass compromise across the entire organization.
The Impact: Who Is Affected
The vulnerability affects an enormous user base. Collectively, these four password managers serve over 60 million individual users and nearly 125,000 businesses. The attacks range from targeted integrity violations affecting specific user vaults to complete compromise of all vaults within an organization.
The research team presented:
- 12 distinct attack scenarios against Bitwarden
- 7 attack scenarios against LastPass
- 6 attack scenarios against Dashlane
- 2 attack scenarios against 1Password
In most cases, attackers could not only access passwords but also modify or delete entries undetected. The severity is heightened by the fact that password managers are prime targets for experienced hackers due to the large volume of sensitive data they contain—and such attacks have already occurred in the past.
Mitigation: How to Stay Safe
The researchers disclosed their findings to Bitwarden, LastPass, and Dashlane through a coordinated 90-day disclosure process, providing detailed vulnerability descriptions and offering support through video conferences and patch reviews. All three vendors have confirmed that remediation is underway.
1Password, which was also notified of two attack scenarios, did not request an embargo period but stated the company regards the vulnerabilities as “arising from already known architectural limitations.”
The research team proposed specialized password manager clients designed solely for implementing a forced migration to new, secure vault formats. This approach would prevent users from losing access to their data while preserving security across the entire user base. However, vendors have shown reluctance to implement changes that could disrupt functionality or risk irretrievable loss of vault access.
Until patches are deployed, users should:
- Monitor official security advisories from their password manager provider
- Ensure their password manager software is updated to the latest version once patches are released
- Consider the security posture of their chosen provider when evaluating alternatives
- Maintain awareness that even “zero-knowledge” systems may have architectural limitations
Conclusion
This research fundamentally challenges the security claims made by major password managers and exposes the gap between marketing promises and cryptographic reality. The discovery of 27 attack vectors across four leading services demonstrates that “zero-knowledge encryption” claims require rigorous technical scrutiny. While vendors have begun remediation efforts, the incident underscores the critical importance of independent security research and the need for password manager providers to prioritize cryptographic integrity over backwards compatibility and feature complexity. Users should remain vigilant and await official security patches from their providers.