Researchers from the Applied Cryptography Group at ETH Zurich analysed three popular cloud-based password managers—Bitwarden, LastPass, and Dashlane. The team, composed of Matilda Backendal, Matteo Scarlata, Kenneth Paterson and Giovanni Torrisi, tested what happens if a server is compromised and acts maliciously. They set up servers that behaved like hacked servers and assumed a malicious-server threat model. The researchers demonstrated 12 attacks on Bitwarden, 7 on LastPass, and 6 on Dashlane; the attacks ranged from targeting individual user vaults to fully compromising all vaults in an organisation. In many cases the attackers could access users' passwords and sometimes change them. All attacks used simple user actions such as logging in, opening the vault, viewing passwords or synchronising data.
The team said they were surprised by the severity of the vulnerabilities. Scarlata pointed to unusual code architecture and said efforts to add user-friendly features, like password recovery and sharing, made the code more complex and increased the attack surface. The researchers also noted that many providers still rely on cryptographic technologies from the 1990s. Paterson warned that password managers are likely targets for experienced hackers and that similar attacks have occurred in the past. Most providers were cooperative after disclosure, but not all acted quickly, and developers worry that some updates could cause customers to lose access to their data.
The researchers followed common responsible-disclosure practice and contacted the providers before publishing, giving the companies 90 days to fix the issues. Their recommendations include:
- Update systems for new customers and offer existing customers a choice to migrate.
- Be transparent about security and development plans.
- Prefer managers that undergo external audits and enable end-to-end encryption by default.
Paterson said, "We want our work to help bring about change in this industry." Source: ETH Zurich.
Difficult words
- compromise (compromised) — to take control of a computer or server
- maliciously — in a harmful or intentionally bad way
- vault (vaults) — a secure digital storage place for passwords
- vulnerability (vulnerabilities) — a weakness that attackers can exploit
- attack surface — all parts that an attacker could target
- synchronise (synchronising) — to update data so it matches across devices
- migrate — to move accounts or data to a new system
- audit (audits) — an independent review of security and code
- end-to-end encryption — data protection where only users can read content
Discussion questions
- What risks do users face if a cloud password manager's server is compromised? Give examples from the article.
- How should password manager providers balance adding user-friendly features with maintaining strong security?
- Would you prefer a password manager that enables end-to-end encryption by default? Why or why not?