Researchers find vulnerabilities in major password managers
Security researchers from ETH Zurich and the Università della Svizzera italiana (USI) say popular password managers—including Bitwarden, LastPass, and Dashlane—may not be as secure as many users assume. In controlled tests, the team claims they were able to view and even modify stored passwords by exploiting weaknesses in how these services handle encrypted vault data.
How the attacks worked
Most password managers store encrypted vaults in the cloud so users can sync passwords across devices. Even if servers are breached, encryption is supposed to prevent anyone from reading the stored data.
The researchers simulated a compromised server by setting up their own infrastructure that impersonated a password manager backend. From there, they triggered routine actions—like logging in, opening the vault, or syncing data. According to the report, this allowed them in many cases to access or manipulate vault contents.
They say they demonstrated:
-
12 attack scenarios against Bitwarden
-
7 against LastPass
-
6 against Dashlane
Some scenarios allegedly allowed tampering with specific user vaults, while others theoretically enabled broader access within organizations.
Why vulnerabilities exist
The researchers attribute the issues largely to complex codebases and legacy design choices. Features like account recovery, password sharing, and cross-device syncing can introduce extra attack surfaces if not carefully designed.
They also claim some providers still rely on older cryptographic approaches for compatibility reasons. Updating encryption systems can be risky for companies managing millions of vaults—any mistake could lock users out of their own passwords—so providers may hesitate to make major changes.
Before publishing, the researchers disclosed their findings privately to the affected companies. All reportedly responded, though fixes and mitigation timelines varied.
Is there immediate danger?
The researchers emphasize that there’s no evidence of active exploitation or compromised password manager servers at this time. In normal operation—when you’re connecting to legitimate servers—your vault remains encrypted and inaccessible to attackers.
However, password managers are high-value targets, and the findings highlight the importance of continued audits and updates.
What users should do
If you rely on a password manager, experts generally recommend:
-
Keep using one: A reputable password manager is still far safer than reusing passwords or storing them in plain text.
-
Enable end-to-end encryption and strong master passwords.
-
Turn on multi-factor authentication (MFA) for your account.
-
Update apps regularly so you receive security patches.
-
Choose providers that are transparent about vulnerabilities and undergo independent security audits.
In short, the research underscores that password managers—like any complex security tool—aren’t perfect. But when configured properly, they remain one of the safest ways to manage credentials across the web.