Researchers from the Applied Cryptography Group at ETH Zurich analysed three popular cloud-based password managers: Bitwarden, LastPass and Dashlane. The team, made up of Matilda Backendal, Matteo Scarlata, Kenneth Paterson and Giovanni Torrisi, tested what happens when a provider's server is compromised and acts maliciously. Working in this malicious-server threat model, they ran their own servers that behaved like hacked ones. They demonstrated 12 attacks on Bitwarden, 7 on LastPass and 6 on Dashlane, ranging from attacks on individual user vaults to full compromise of every vault in an organisation. In many cases the attacker could read users' passwords and sometimes change them. None of the attacks needed anything unusual from the victim: ordinary actions such as logging in, opening the vault, viewing a password or synchronising data were enough.
The team said they were surprised by the severity of the vulnerabilities. Scarlata pointed to unusual code architecture and said that efforts to add user-friendly features, such as password recovery and sharing, made the code more complex and increased the attack surface. The researchers also noted that many providers still rely on cryptographic technologies from the 1990s. Paterson warned that password managers are likely targets for experienced hackers and that similar attacks have occurred in the past. Most providers were cooperative after disclosure, but not all acted quickly, and their developers worry that some updates could cause customers to lose access to their data.
The researchers followed common responsible-disclosure practice and contacted the providers before publishing, giving the companies 90 days to fix the issues. Their recommendations include:
- Update systems for new customers and offer existing customers a choice to migrate.
- Be transparent about security and development plans.
- Prefer managers that undergo external audits and enable end-to-end encryption by default.
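The following Python sketch is an added illustration of the malicious-server threat model described in the first paragraph and of the end-to-end encryption recommendation above. It is not the ETH Zurich researchers' code, nor code from Bitwarden, LastPass or Dashlane, and it reproduces none of the published attacks. It models a client that derives its keys locally from the master password, seals the vault with encrypt-then-MAC, and treats everything the server returns as untrusted; the server is then made to tamper with the stored vault and to advertise a weaker key-derivation work factor. The `MaliciousServer` and `VaultClient` classes, the HMAC-counter keystream (a standard-library stand-in for a real AEAD such as AES-GCM), the 600,000-iteration floor and the sample vault are all assumptions made for this demo. The work-factor floor goes beyond what the article says: it is the kind of client-side check a practitioner would want in this threat model, not a finding attributed to the paper.

```python
import hashlib
import hmac
import json
import secrets

# Assumption for this demo: the client enforces a floor on the PBKDF2 work factor
# regardless of what the server advertises. In the malicious-server model, a
# server-chosen parameter is an attacker-chosen parameter.
KDF_MIN_ITERATIONS = 600_000


def derive_keys(master_password, salt, iterations):
    """Derive an encryption key and a MAC key locally; the server never sees either."""
    if iterations < KDF_MIN_ITERATIONS:
        raise ValueError(f"server offered {iterations} KDF iterations, below client floor")
    root = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=64)
    return root[:32], root[32:]


def _keystream(enc_key, nonce, length):
    """HMAC-SHA256 in counter mode: a stdlib-only stand-in for a real AEAD cipher."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(enc_key, mac_key, plaintext):
    """Encrypt-then-MAC. Layout: nonce(16) || ciphertext || tag(32)."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(enc_key, mac_key, blob):
    """Verify the tag before decrypting, so any server-side edit is rejected."""
    if len(blob) < 48:
        raise ValueError("vault blob truncated")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("vault tampered with or wrong key")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class MaliciousServer:
    """Stores whatever clients upload and misbehaves when asked to (hypothetical)."""

    def __init__(self):
        self.store = {}      # user -> (salt, iterations, blob)
        self.observed = []   # every byte that crossed the wire

    def register(self, user, salt, iterations, blob):
        self.observed.append(salt + blob)
        self.store[user] = (salt, iterations, blob)

    def fetch(self, user, tamper=False, downgrade=False):
        salt, iterations, blob = self.store[user]
        if tamper:      # flip one ciphertext bit, as a server editing a stored vault might
            blob = blob[:20] + bytes([blob[20] ^ 0x01]) + blob[21:]
        if downgrade:   # advertise a far weaker work factor than the client used
            iterations = 1_000
        return salt, iterations, blob


class VaultClient:
    """Client that keeps the master password and vault keys on the device."""

    def __init__(self, user, master_password, server):
        self.user, self.master_password, self.server = user, master_password, server

    def create_vault(self, entries):
        salt = secrets.token_bytes(16)
        enc_key, mac_key = derive_keys(self.master_password, salt, KDF_MIN_ITERATIONS)
        self.server.register(self.user, salt, KDF_MIN_ITERATIONS,
                             seal(enc_key, mac_key, json.dumps(entries).encode()))

    def open_vault(self, **server_behaviour):
        salt, iterations, blob = self.server.fetch(self.user, **server_behaviour)
        enc_key, mac_key = derive_keys(self.master_password, salt, iterations)
        return json.loads(open_sealed(enc_key, mac_key, blob))


def run_threat_model_checks():
    """Exercise the client against a server that is first honest, then malicious."""
    server = MaliciousServer()
    master_password = "correct horse battery staple"                      # constructed sample
    entries = {"example.com": {"user": "alice", "password": "p4ssw0rd!"}}  # constructed sample
    client = VaultClient("alice", master_password, server)
    client.create_vault(entries)

    results = {"honest_roundtrip": client.open_vault() == entries}
    wire = b"".join(server.observed)
    results["server_saw_secrets"] = master_password.encode() in wire or b"p4ssw0rd!" in wire
    try:
        client.open_vault(tamper=True)
        results["tamper_detected"] = False
    except ValueError:
        results["tamper_detected"] = True
    try:
        client.open_vault(downgrade=True)
        results["downgrade_rejected"] = False
    except ValueError:
        results["downgrade_rejected"] = True
    return results


if __name__ == "__main__":
    for check, outcome in run_threat_model_checks().items():
        print(f"{check}: {outcome}")
```

The three checks map onto the article's points: the server only ever sees a salt and a sealed blob, so an honest-but-compromised server learns nothing; a server that edits a stored vault is caught by the MAC before decryption; and a server that tries to push weaker key-derivation parameters is refused rather than trusted. Real products differ in their cipher choice and in which parameters the server is allowed to dictate, which is exactly why a malicious-server analysis of each one is informative.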
Paterson said, "We want our work to help bring about change in this industry." Source: ETH Zurich.
Difficult words
- compromise — to take control of a computer or server
- maliciously — in a harmful or intentionally bad way
- vault — a secure digital storage place for passwords
- vulnerability — a weakness that attackers can exploit
- attack surface — all the parts of a system that an attacker could target
- synchronise — to update data so that it matches across devices
- migrate — to move accounts or data to a new system
- audit — an independent review of security and code
- end-to-end encryption — encryption where only the user's own devices, not the provider's servers, can read the content
Discussion questions
- What risks do users face if a cloud password manager's server is compromised? Give examples from the article.
- How should password manager providers balance adding user-friendly features with maintaining strong security?
- Would you prefer a password manager that enables end-to-end encryption by default? Why or why not?