Password managers’ promise that they can’t see your vaults isn’t always true


Over the past 15 years, password managers have gone from a niche security tool used by techies to an indispensable security tool for the masses: some 94 million American adults (about 36 percent of them) have adopted them. They store not only pension, financial and email account passwords, but also cryptocurrency credentials, payment card numbers and other sensitive data.

The top eight password managers have adopted the term “zero-knowledge” to describe the complex encryption system they use to protect the data vaults that users store on their servers. Definitions vary slightly from provider to provider, but they generally boil down to a bold guarantee: that there is no way for malicious insiders or hackers who manage to compromise cloud infrastructure to steal vaults or data stored in them. These promises make sense, given previous LastPass breaches and the reasonable expectation that state-level hackers will have both the motive and the ability to obtain password vaults belonging to high-value targets.

A bold guarantee debunked

Such claims are typical of Bitwarden, Dashlane and LastPass, which together are used by approximately 60 million people. Bitwarden, for example, says that “not even the Bitwarden team can read your data (even if we wanted to).” Dashlane, meanwhile, says that without a user’s master password, “malicious actors cannot steal the information, even if Dashlane’s servers are compromised.” LastPass says that no one can access the “data stored in your LastPass vault except you (not even LastPass).”

New research shows that these claims are not true in all cases, particularly when account recovery is implemented or password managers are configured to share vaults or organize users into groups. Researchers reverse engineered or closely analyzed Bitwarden, Dashlane, and LastPass and identified ways that someone with control over the server (either administrative or as a result of a compromise) can, in fact, steal data and, in some cases, entire vaults. The researchers also devised other attacks that can weaken the encryption to the point that ciphertext can be converted to plaintext.
