Researchers from the Applied Cryptography Group at ETH Zurich analysed three popular cloud-based password managers—Bitwarden, LastPass, and Dashlane. The team, composed of Matilda Backendal, Matteo Scarlata, Kenneth Paterson and Giovanni Torrisi, tested what happens if a server is compromised and acts maliciously. They set up servers that behaved like hacked servers and assumed a malicious-server threat model. The researchers demonstrated 12 attacks on Bitwarden, 7 on LastPass, and 6 on Dashlane; the attacks ranged from targeting individual user vaults to fully compromising all vaults in an organisation. In many cases the attackers could access users' passwords and sometimes change them. All attacks used simple user actions such as logging in, opening the vault, viewing passwords or synchronising data.
The team said they were surprised by the severity of the vulnerabilities. Scarlata pointed to unusual code architecture and said efforts to add user-friendly features, like password recovery and sharing, made the code more complex and increased the attack surface. The researchers also noted that many providers still rely on cryptographic technologies from the 1990s. Paterson warned that password managers are likely targets for experienced hackers and that similar attacks have occurred in the past. Most providers were cooperative after disclosure, but not all acted quickly, and developers worry that some updates could cause customers to lose access to their data.
The researchers followed common responsible-disclosure practice and contacted the providers before publishing, giving the companies 90 days to fix the issues. Their recommendations include:
- Update systems for new customers and offer existing customers a choice to migrate.
- Be transparent about security and development plans.
- Prefer managers that undergo external audits and enable end-to-end encryption by default.
Paterson said, "We want our work to help bring about change in this industry." Source: ETH Zurich.
Difficult words
- compromise — to take control of a computer or server
- maliciously — in a harmful or intentionally bad way
- vault — a secure digital storage place for passwords
- vulnerability — a weakness that attackers can exploit
- attack surface — all parts that an attacker could target
- synchronise — to update data so that it matches across devices
- migrate — move accounts or data to a new system
- audit — an independent review of security and code
- end-to-end encryption — data protection where only users can read content
Discussion questions
- What risks do users face if a cloud password manager's server is compromised? Give examples from the article.
- How should password manager providers balance adding user-friendly features with maintaining strong security?
- Would you prefer a password manager that enables end-to-end encryption by default? Why or why not?