Bitwarden is an open-source password manager founded in 2016, counting 10 million users, 50,000 business customers and 11% market share. It is the only product we study that allows self-hosting. It uses AES-CBC-HMAC for authenticated encryption of data in the vault. Fields in vault items (username, password, URL, ...) are encrypted separately, so a malicious server could carry out cut-and-paste attacks and leak metadata. Malicious servers could also exploit the organization and key recovery features to steal vault data. Bitwarden's blogpost.
Overview
Cloud-based password managers help users store and manage their credentials by encrypting them into a vault protected by a single master password. Leading vendors market this as Zero Knowledge Encryption, conveying the idea that the server storing the vault cannot learn anything about its contents – even if the server is compromised.
We put this to the test. Analysing the three leading password managers that make the Zero Knowledge Encryption claim – Bitwarden, LastPass, and Dashlane, collectively serving over 60 million users and holding approximately 23% market share – plus an additional analysis of 1Password, we find 27 distinct attacks that a malicious server can mount against their users. The attacks range in severity from integrity violations to the complete compromise of all vaults in an organisation. The majority of the attacks allow the recovery of passwords.
The Password Managers
We analyse four prominent cloud-based password managers, each of which claims to implement Zero Knowledge Encryption.
Founded in 2008, LastPass has 33 million users, 100,000 business customers, and 10% market share, making it one of the most widely used password managers. It encrypts vault items using AES-CBC with no integrity protection. It also suffers from cut-and-paste attacks and metadata leakage, since each field in an item is encrypted separately. We could not find an exploitable padding oracle, but the key recovery feature would allow a malicious server to trivially recover an entire vault. LastPass' blogpost.
Dashlane, founded in 2012, counts 19 million users and 24,000 business customers. Its vault is structured as a transactional database, with content encrypted using keys derived from the master password. By default, it uses AES-256 in CBC mode with HMAC. Legacy support for CBC mode without HMAC allowed us to develop an entire attack chain based on a padding oracle: a malicious server could compromise vaults through a long-running, targeted attack. Dashlane's blogpost.
Founded in 2006, 1Password was one of the earliest cloud-based password managers. It counts 180,000 business customers and millions of personal users today. Its two-secret approach (master password + a 128-bit secret key) makes brute-force password-guessing attacks infeasible. Vaults are encrypted using AES-GCM, with RSA-OAEP for key wrapping. We found that the lack of ciphertext authentication in RSA-OAEP would allow a malicious server to swap users' vaults with server-controlled ones, something especially dangerous for new users with empty vaults. 1Password's blogpost.
Zero-Knowledge... What?
If you are a cryptographer, you might know that Zero-Knowledge Proofs are a thing. But ZK Encryption? If you have never heard of that, you're not alone! As we will see, what most password managers really mean is that they offer End-to-End Encryption. Or at least they try!
Threat Model
We analyse these password managers under a malicious server threat model, in which the server can arbitrarily deviate from expected behaviour. This model is justified by three arguments: the vendors' own security claims imply protection in this setting; the high sensitivity of vault data makes these servers attractive targets (as evidenced by a history of breaches); and in closely related areas such as E2E-encrypted cloud storage and messaging, security against a malicious server is already the norm.
The vendors' own claims set user expectations of security even against a compromised server:
“Zero knowledge encryption: Bitwarden team members cannot see your passwords. Your data remains end-to-end encrypted with your individual email and master password. [...] Since it's fully encrypted before it ever leaves your device, only you have access to your data. Not even the team at Bitwarden can read your data (even if we wanted to).”
“With a zero-knowledge approach, you can rest easy knowing that no one else but you, not even your password manager vendor, has the keys to the kingdom. [...] Zero-knowledge means that no one has access to your master password for LastPass or the data stored in your LastPass vault, except you (not even LastPass).”
“Dashlane Password Manager is designed using zero-knowledge architecture, with the data encrypted locally on the user's device. [...] Since Dashlane doesn't have access to the user's vault and doesn't store the user's Master Password, malicious actors can't steal the information, even if Dashlane's servers are compromised.”
“Zero-knowledge encryption is a crucial way that software developers, including 1Password, can keep your information secure. [...] Zero-knowledge encryption means that no one but you – not even the company that’s storing the data – can access and decrypt your data. This protects your information even if the server where it’s held is ever breached.”
Attacks Overview
We present 27 attacks, grouped into four categories based on the password manager feature they exploit. The attacks reveal common design anti-patterns and cryptographic misconceptions, including unauthenticated public keys, lack of ciphertext integrity, insufficient key separation, and missing cryptographic binding between data and metadata.
| Category | Bitwarden | LastPass | Dashlane | 1Password |
|---|---|---|---|---|
| Key Escrow: Full vault compromise via unauthenticated key escrow and account recovery features | 3 | 1 | – | – |
| Vault Encryption: Integrity violations, metadata leakage, field swapping, and KDF downgrade through flawed item-level encryption | 4 | 5 | 1 | 1 |
| Sharing: Organisation and shared vault compromise via unauthenticated public keys | 2 | 1 | 1 | 1 |
| Backwards Compatibility: Downgrade to insecure legacy encryption (CBC without integrity), enabling confidentiality loss and brute-force attacks | 3 | – | 4 | – |
| Total | 12 | 7 | 6 | 2 |
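The field swapping and "missing cryptographic binding between data and metadata" items above come down to what the per-field MAC covers. The sketch below is an added example, not code from the paper or from any vendor: it models only the MAC step of encrypt-then-MAC, and shows that a tag over `iv || ciphertext` alone still verifies after a server swaps two field blobs, while a tag that also covers the item id and field name does not. All function names, the key, and the ciphertext bytes are constructed for illustration.

```python
import hashlib
import hmac
import os

MAC_KEY = os.urandom(32)  # constructed key standing in for the vault's MAC key

def _ctx(item_id: str, field: str) -> bytes:
    # Length-prefix each part so ("ab", "c") and ("a", "bc") cannot collide.
    parts = [item_id.encode(), field.encode()]
    return b"".join(len(p).to_bytes(4, "big") + p for p in parts)

def _tag(iv, ct, item_id, field, bind):
    data = (_ctx(item_id, field) if bind else b"") + iv + ct
    return hmac.new(MAC_KEY, data, hashlib.sha256).digest()

def seal(iv, ct, item_id, field, bind):
    """MAC step of encrypt-then-MAC; bind=True also authenticates the slot."""
    return {"iv": iv, "ct": ct, "tag": _tag(iv, ct, item_id, field, bind)}

def verify(blob, item_id, field, bind):
    expected = _tag(blob["iv"], blob["ct"], item_id, field, bind)
    return hmac.compare_digest(expected, blob["tag"])

def make_item(item_id, bind):
    # Random bytes stand in for the AES-CBC output of each field (constructed).
    return {f: seal(os.urandom(16), os.urandom(32), item_id, f, bind)
            for f in ("username", "password", "url")}

def server_swaps(item, a, b):
    # What an untrusted server can do: return the same blobs in other slots.
    out = dict(item)
    out[a], out[b] = item[b], item[a]
    return out

def client_accepts(item, item_id, bind):
    return all(verify(blob, item_id, f, bind) for f, blob in item.items())

def demo():
    results = {}
    for bind in (False, True):
        item = make_item("item-1", bind)
        swapped = server_swaps(item, "password", "url")
        results[bind] = (client_accepts(item, "item-1", bind),
                         client_accepts(swapped, "item-1", bind))
    return results  # {bind: (honest item accepted, swapped item accepted)}

if __name__ == "__main__":
    print(demo())
```

With binding, the same check also rejects a blob moved to a different item, because the item id is part of the authenticated context.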
Responsible Disclosure
We disclosed our findings to the first three vendors through a coordinated 90-day disclosure process. We provided detailed descriptions of all vulnerabilities and offered support through video conferences, email exchanges, and patch review. Remediation is underway at all three vendors. All vendors were also provided with a preprint of the paper and coordinated on a joint public disclosure date.
We also disclosed our findings on 1Password to the company. Their response was that they regard them as arising from already known architectural limitations. They did not request an embargo period, and agreed to be included in our publication.
Team
- Matteo Scarlata – ETH Zurich (matteo.scarlata@inf.ethz.ch)
- Giovanni Torrisi – Università della Svizzera italiana (USI) (giovanni.torrisi@usi.ch)
- Matilda Backendal – Università della Svizzera italiana (USI) (matilda.backendal@usi.ch)
- Kenneth G. Paterson – ETH Zurich (kenneth.paterson@inf.ethz.ch)
Questions? Drop us an email!
