Researchers from the Applied Cryptography Group at ETH Zurich examined three popular cloud-based password managers: Bitwarden, LastPass, and Dashlane. The team included Matilda Backendal, Matteo Scarlata, Kenneth Paterson, and Giovanni Torrisi. Backendal and Torrisi are currently working at the Università della Svizzera italiana in Lugano. Together the three providers serve around 60 million users and have a 23% market share.
The researchers tested how the services behave if a server is compromised and acts maliciously. They assumed a malicious server threat model: the provider's server is controlled by an attacker who can send users any data they choose. To test this, the team ran their own servers that behaved like hacked servers. A cloud password manager promises that even the provider's servers cannot read users' vaults, so a compromised server should not be able to do much harm. The attacks show that this promise did not always hold. The team demonstrated 12 attacks on Bitwarden, 7 on LastPass, and 6 on Dashlane. The attacks ranged from targeting specific user vaults to compromising all vaults in an organization. In many cases attackers could read users' passwords and sometimes change them. All the attacks were triggered by ordinary user actions such as logging in, opening the vault, viewing passwords, or synchronising data.
The researchers followed responsible disclosure and gave the companies 90 days to fix the vulnerabilities before publishing. Paterson and his colleagues said they were surprised by the severity of the problems. The team recommended that providers fix the systems for new customers, offer existing customers a way to migrate to the fixed design, and be transparent about security. Users should prefer managers that undergo external audits and have end-to-end encryption enabled by default.
Difficult words
- examine — look at something carefully to find problems
- compromise — take control of a system or make it unsafe
- maliciously — in a way that intends to harm others
- threat model — a description of what an attacker can do and what a system must protect against
- attack — actions that try to break or harm a system
- vault — the secure storage that holds a user's passwords or other data
- vulnerability — a weakness that allows an attack
- end-to-end encryption — encryption where only the user can read the data; the service provider cannot read it
Discussion questions
- Would you use a cloud-based password manager after reading this? Why or why not?
- What would make you trust a password manager company more? Give one or two reasons.
- How important is it for you that a service has end-to-end encryption and external audits? Explain briefly.