New Study Challenges Security Claims of Popular Password Managers

Over the past 15 years, password managers have evolved from niche tools used mainly by tech enthusiasts into mainstream security tools for the general public. Approximately 94 million adults in the US, about 36 percent, now use them, and the vaults they protect hold not only passwords for financial, retirement, and email accounts but also cryptocurrency credentials, payment card numbers, and other sensitive information.

All eight leading password managers have adopted the term “zero knowledge” to describe the encryption that protects the vaults stored on their servers. Although definitions differ slightly among vendors, they all make the same strong promise: that neither a malicious insider nor an attacker who compromises the cloud infrastructure can read vaults or the data inside them. That assurance matters, given past breaches such as those suffered by LastPass and the credible threat of state-sponsored attackers targeting high-value accounts.

A Bold Assurance Debunked

Bitwarden, Dashlane, and LastPass, which together serve about 60 million users, make closely similar claims. Bitwarden asserts that “not even the team at Bitwarden can read your data (even if we wanted to).” Dashlane claims that without a user’s master password, “malicious actors can’t steal the information, even if Dashlane’s servers are compromised.” LastPass states that access to the data stored in a user’s vault is exclusive to the user and not available even to LastPass itself.

New research indicates that these claims do not hold in every configuration, in particular when account recovery is enabled or when the manager is set up to share vaults or organize users into groups. Researchers reverse-engineered or closely analyzed Bitwarden, Dashlane, and LastPass and found ways for someone who controls the server, whether through legitimate administrative access or a breach, to extract data and, in some cases, entire vaults. They also developed methods that weaken the encryption so that, in some cases, stored ciphertext can be recovered as plaintext. The common thread is that recovery and sharing features depend on the server to mediate key recovery or key exchange, so the server's honesty becomes part of the security argument rather than something the design can dispense with.
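The following is an added example, not code from the article or from any of the vendors it names, and it does not reproduce the specific techniques the researchers found. It is a toy model of the general failure mode: a vault-sharing feature in which the sender obtains the recipient's public key from a server-operated directory. A server that substitutes its own key learns the shared vault key and can re-wrap it to the real recipient so nothing looks wrong. The DH group (a 127-bit Mersenne prime with generator 3), the XOR-based key wrapping, the `Server` class, and the users "alice" and "bob" are all constructed for illustration and are not secure parameters or any product's protocol. The mitigation shown is out-of-band fingerprint verification of the directory answer.

```python
"""Toy model of server-mediated vault sharing and why it breaks a "zero knowledge" claim.

Illustration only: toy DH group and XOR wrapping, not the protocol of any real product.
"""
import hashlib
import secrets

P = 2**127 - 1   # toy DH modulus (Mersenne prime); far too small for real use
G = 3            # toy generator; assumption for illustration, not a vetted group


def keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def fingerprint(pub: int) -> str:
    """Short hash of a public key, the kind of value users compare out of band."""
    return hashlib.sha256(pub.to_bytes(16, "big")).hexdigest()[:16]


def wrap(secret32: bytes, recipient_pub: int):
    """Wrap a 32-byte key to a public key (toy: ephemeral DH + SHA-256 one-time keystream)."""
    eph_priv, eph_pub = keypair()
    ks = hashlib.sha256(pow(recipient_pub, eph_priv, P).to_bytes(16, "big")).digest()
    return eph_pub, bytes(a ^ b for a, b in zip(secret32, ks))


def unwrap(blob, priv: int) -> bytes:
    eph_pub, ct = blob
    ks = hashlib.sha256(pow(eph_pub, priv, P).to_bytes(16, "big")).digest()
    return bytes(a ^ b for a, b in zip(ct, ks))


class Server:
    """Holds a public-key directory and wrapped shares. `malicious=True` models an
    insider or an attacker who controls the server (constructed for the example)."""

    def __init__(self, malicious: bool = False):
        self.directory = {}   # user -> public key, as registered by the user's client
        self.inbox = {}       # recipient -> wrapped vault key
        self.learned = {}     # what a malicious server managed to recover
        self._mitm_priv, self._mitm_pub = keypair() if malicious else (None, None)

    def register(self, user: str, pub: int):
        self.directory[user] = pub

    def lookup(self, user: str) -> int:
        # A malicious server answers the directory query with its own key.
        return self._mitm_pub if self._mitm_priv else self.directory[user]

    def deposit_share(self, recipient: str, blob):
        if self._mitm_priv:
            # Unwrap with the substituted key, then re-wrap to the recipient's real
            # key so the recipient receives a valid share and notices nothing.
            key = unwrap(blob, self._mitm_priv)
            self.learned[recipient] = key
            blob = wrap(key, self.directory[recipient])
        self.inbox[recipient] = blob


def share_vault_key(server: Server, recipient: str, vault_key: bytes, expected_fp=None):
    """Sender side. If expected_fp (obtained out of band) is given, the directory
    answer is checked against it before anything is wrapped: the mitigation."""
    pub = server.lookup(recipient)
    if expected_fp is not None and fingerprint(pub) != expected_fp:
        raise ValueError("public key substitution detected")
    server.deposit_share(recipient, wrap(vault_key, pub))


def simulate(malicious: bool, verify_fingerprint: bool = False) -> dict:
    """Run one sharing round from alice to bob and report what each party ended up with."""
    server = Server(malicious)
    bob_priv, bob_pub = keypair()
    server.register("bob", bob_pub)
    org_key = secrets.token_bytes(32)          # alice's organization vault key
    expected = fingerprint(bob_pub) if verify_fingerprint else None
    try:
        share_vault_key(server, "bob", org_key, expected)
    except ValueError:
        return {"detected": True, "server_learned_key": False, "bob_has_key": False}
    return {
        "detected": False,
        "server_learned_key": server.learned.get("bob") == org_key,
        "bob_has_key": unwrap(server.inbox["bob"], bob_priv) == org_key,
    }


if __name__ == "__main__":
    print("honest server:            ", simulate(False))
    print("malicious server:         ", simulate(True))
    print("malicious + fingerprint:  ", simulate(True, verify_fingerprint=True))
```

Without the fingerprint check, the malicious run ends with both the recipient and the server holding the vault key, which is exactly the outcome a zero-knowledge claim rules out; the ciphertext-at-rest story is intact, but key distribution for the sharing feature was delegated to the party the claim says is untrusted. The same shape of argument applies to any recovery or group feature in which the server supplies or escrows key material.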
