Password managers, while convenient, may not be as secure as users believe. Despite promises of 'zero-knowledge encryption' from service providers, a study conducted by researchers at ETH Zurich revealed significant security vulnerabilities. The study focused on three popular password managers: Bitwarden, LastPass, and Dashlane, which collectively serve around 60 million users. The researchers identified 12 attacks on Bitwarden, 7 on LastPass, and 6 on Dashlane, demonstrating their ability to access and even modify passwords. These attacks exploited simple interactions users perform with the password managers, such as logging in, opening vaults, and synchronizing data. The complexity of the code, aimed at enhancing user-friendliness, inadvertently expanded the attack surface for hackers. The study highlights the need for password managers to adopt modern cryptographic technologies and for providers to communicate security guarantees more transparently. Users are advised to choose password managers with strong encryption, external audits, and transparency about potential vulnerabilities.
