Password Managers' Promise that They Can't See Your Vaults Isn't Always True
Researchers found dozens of server-side attacks on Bitwarden, LastPass, and Dashlane that expose or alter encrypted user vaults despite claims of zero-knowledge encryption.
7 Articles
Password managers' promise that they can't see your vaults isn't always true
Over the past 15 years, password managers have grown from a niche security tool used by the technology savvy into an indispensable security tool for the masses, with an estimated 94 million US adults—or roughly 36 percent of them—having adopted them. They store not only passwords for pension, financial, and email accounts, but also cryptocurrency credentials, payment card numbers, and other sensitive data. All eight of the top password managers …
The research team was able to demonstrate attacks on the password managers of three popular providers whose services are used by around sixty million people worldwide.
Why 'zero-knowledge encryption' may not stop password theft if servers are hacked
People who regularly use online services have between 100 and 200 passwords. Very few can remember every single one. Password managers are therefore extremely helpful, allowing users to access all their passwords with just a single master password.
A new academic study calls into question one of the most repeated promises of the cloud password manager industry: that "zero-knowledge encryption" makes a server hack useless. Under a "malicious server" model, researchers documented dozens of attacks with a direct impact on the confidentiality and integrity of vaults, reopening the debate on which cryptographic guarantees are actually delivered to the user. The paper analyzes the concept…
Coverage Details
Bias Distribution
- 67% of the sources are Center