
Researchers Expose 27 Critical Vulnerabilities in Top Password Managers

  • Feb 22

Key Findings


  • Researchers executed 27 successful attacks against industry-leading password managers Bitwarden, LastPass, and Dashlane

  • Attacks show how compromised servers and design flaws can expose encrypted vault data

  • 1Password emerged as the most secure option due to its use of a Secret Key


Background


We often treat cloud-based password managers as digital safes that only we can open. These services rely on Zero-Knowledge Encryption, a marketing promise that the company storing your data cannot actually see what is inside. However, new research suggests that this safety net is not as secure as many of us assume.


Attack Breakdown


  • Attacks are divided into four categories based on the password manager feature exploited

  • Includes attacks like field swap, malicious auto-enrollment, and legacy cryptography downgrades

  • Each attack reference indicates the affected product: BW for Bitwarden, LP for LastPass, DL for Dashlane

  • Root causes include lack of ciphertext integrity, cryptographic binding issues, and failure to authenticate public keys
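To make the field swap and cryptographic binding points concrete, here is an added example (not code from the research or from any vendor) in which each encrypted field is authenticated either on its own or together with its item ID and field name. The SHAKE-256 keystream is a stand-in cipher used only to keep the example dependency-free, and the item ID, field names and values are constructed.

```python
import hashlib
import hmac
import secrets

def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC keys derived from one vault key.
    return hashlib.sha256(label + key).digest()

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in stream cipher (assumption, example only); use AES-GCM or
    # ChaCha20-Poly1305 with associated data in real code.
    stream = hashlib.shake_256(_subkey(key, b"enc") + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def _tag(key: bytes, context: bytes, nonce: bytes, ct: bytes) -> bytes:
    # Length-prefix the context so it cannot blur into the nonce/ciphertext.
    msg = len(context).to_bytes(2, "big") + context + nonce + ct
    return hmac.new(_subkey(key, b"mac"), msg, hashlib.sha256).digest()

def seal(key, item_id, field, plaintext, bind=True):
    # bind=True authenticates "item_id/field" together with the ciphertext.
    context = f"{item_id}/{field}".encode() if bind else b""
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(key, nonce, plaintext)
    return nonce + ct + _tag(key, context, nonce, ct)

def unseal(key, item_id, field, blob, bind=True):
    context = f"{item_id}/{field}".encode() if bind else b""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _tag(key, context, nonce, ct)):
        raise ValueError(f"integrity check failed for {item_id}/{field}")
    return _xor_stream(key, nonce, ct)

def make_item(key, item_id, bind):
    # Constructed sample item; values are placeholders.
    fields = {"url": b"https://example.test/login", "password": b"constructed-secret"}
    return {f: seal(key, item_id, f, v, bind) for f, v in fields.items()}

def server_swaps(item):
    # What an untrusted server could return: same blobs, exchanged slots.
    return {"url": item["password"], "password": item["url"]}

if __name__ == "__main__":
    key = secrets.token_bytes(32)
    for bind in (False, True):
        item = server_swaps(make_item(key, "item-1", bind))
        try:
            print(bind, unseal(key, "item-1", "url", item["url"], bind))
        except ValueError as err:
            print(bind, "rejected:", err)
```

Without binding, the client decrypts the password blob in the URL slot without complaint; with binding, the swapped blob fails verification before any plaintext is produced.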


Safest Option and Recommendations


  • 1Password emerged as the most secure due to its use of a Secret Key, which makes server-side attacks mathematically impossible

  • Users should enable a Secret Key or use a hardware security key to add an extra layer of protection

  • Vendors have begun patching vulnerabilities, so users should update their apps immediately

  • Researchers conclude that vendors need to "ensure solid foundations and novel definitions to capture security in this setting"


Sources


  • https://hackread.com/researchers-demonstrate-password-managers-attacks/

  • https://news.backbox.org/2026/02/22/researchers-demonstrate-27-attacks-against-major-password-managers/

  • https://www.reddit.com/r/InfoSecNews/comments/1rbv4i9/researchers_demonstrate_27_attacks_against_major/

  • https://www.news4hackers.com/researchers-expose-27-critical-vulnerabilities-in-top-password-manager-solutions/


© 2025 by Explain IT Again. Powered and secured by Wix
