
Your Password Manager Is Lying to You — And Passkeys Won’t Save You Yet

ETH Zurich's 27-attack paper exposed the gap between password managers' marketing and their actual cryptographic architecture – just as passkeys become viable.
June 14, 2026
[Image] Security researchers exposed critical flaws in cloud-based password managers. [Image Source: Infosecurity Magazine]

ZURICH – For years, the pitch from the password manager industry has been simple: even if someone breaks into our servers, your passwords are safe. The data is encrypted on your device. We can’t read it. Nobody can. It’s what they call “zero-knowledge encryption,” and it has been the central promise of a business model that now serves hundreds of millions of people worldwide.

In February, four researchers at Switzerland’s ETH Zurich and the Università della Svizzera italiana sat down and tested that promise. They found it didn’t hold.

The team – Matteo Scarlata, Giovanni Torrisi, Matilda Backendal, and Kenneth Paterson – built servers that behaved like compromised versions of the backends used by Bitwarden, LastPass, and Dashlane. Then they ran attacks. Twenty-seven of them. Twelve against Bitwarden alone, seven against LastPass, six against Dashlane. In most cases, they got the passwords. In some cases, they changed them. Bitwarden, LastPass, and Dashlane – the three services that together hold roughly 23 percent of the global market and serve around 60 million users – have all acknowledged the findings and are working on fixes. None claims its servers were actually breached.

“We were surprised by the severity of the security vulnerabilities,” Paterson, a professor of computer science at ETH Zurich, said after the paper’s publication. “Since end-to-end encryption is still relatively new in commercial services, it seems that no one had ever examined it in detail before.”

That disclosure, published February 16 in a peer-reviewed paper set to be presented at the USENIX Security Symposium in Baltimore this August, landed at a peculiar moment in the history of digital authentication. The industry is mid-pivot. Apple, Google, and Microsoft have all made passkeys – a cryptographic standard built on the FIDO2 protocol that replaces passwords with device-bound credentials verified by biometrics or a PIN – the centerpiece of their long-term security strategy. Tech’s largest companies say the password era is ending. The ETH Zurich paper arrived as a reminder of how much it still costs to live in the one that hasn’t ended yet.

Passkeys work differently from passwords in ways that matter. When a user creates a passkey for a website, the system generates two cryptographic keys – a public one stored on the site’s server and a private one locked inside the user’s device, protected by Face ID, fingerprint, or a PIN. When the user logs in, the device signs a challenge issued by the server, proving it holds the private key without ever transmitting it. There is no password to intercept, no credential to phish, no master vault to crack. The private key does not leave the device.
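The challenge-response flow described above, as an added Go example that is not code from the paper, the FIDO Alliance, or any vendor named in this article. It also shows two properties the paragraph implies but does not spell out: the challenge is single-use, and the signature covers the origin the browser actually talked to, so an assertion collected by a look-alike site does not verify at the real one. The site name and the "origin|challenge" binding are assumptions; real WebAuthn hashes these into clientDataJSON alongside further fields omitted here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// RelyingParty is the website: it stores only the public key and its unused challenges.
type RelyingParty struct {
	ID      string
	Pub     *ecdsa.PublicKey
	pending map[string]bool // issued challenges not yet consumed (single-use)
}

// Register models passkey creation: the device keeps the private key, the site gets the public half.
func Register(rpID string) (*ecdsa.PrivateKey, *RelyingParty) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // errors elided for brevity
	return priv, &RelyingParty{ID: rpID, Pub: &priv.PublicKey, pending: map[string]bool{}}
}

// Challenge issues a fresh random nonce for one login attempt.
func (rp *RelyingParty) Challenge() []byte {
	c := make([]byte, 32)
	rand.Read(c)
	rp.pending[string(c)] = true
	return c
}

// Assert is the device's answer: a signature over the origin it saw plus the challenge; the private key itself never leaves.
func Assert(priv *ecdsa.PrivateKey, origin string, challenge []byte) []byte {
	h := sha256.Sum256(append([]byte(origin+"|"), challenge...)) // assumed binding format
	sig, _ := ecdsa.SignASN1(rand.Reader, priv, h[:])
	return sig
}

// Verify rejects unknown or replayed challenges, then checks the signature against this site's own origin.
func (rp *RelyingParty) Verify(challenge, sig []byte) error {
	if !rp.pending[string(challenge)] {
		return errors.New("unknown or replayed challenge")
	}
	delete(rp.pending, string(challenge))
	h := sha256.Sum256(append([]byte(rp.ID+"|"), challenge...))
	if !ecdsa.VerifyASN1(rp.Pub, h[:], sig) {
		return errors.New("signature not valid for this site")
	}
	return nil
}
```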

The architecture is compelling. But the transition is not yet clean.

For years, the biggest practical complaint about passkeys was lock-in. A passkey created inside Apple’s iCloud Keychain could not be exported to Android, or to a third-party manager like Bitwarden or 1Password. Switching ecosystems meant deleting and recreating every passkey from scratch – a friction cost that effectively trapped users in whatever hardware they started on. That changed in September 2025, when Apple shipped iOS 26 with support for the FIDO Alliance’s Credential Exchange Protocol, a specification developed with contributions from Apple, Google, Microsoft, Bitwarden, Dashlane, and 1Password. The protocol enables direct, app-to-app transfer of passkeys and passwords, end-to-end encrypted, authenticated with Face ID or Touch ID. Bitwarden was among the first third-party managers to implement it. The long-standing objection – that switching costs were too high – largely dissolved.

As Eastern Herald reported, Google separately moved to address Android’s passkey portability gap with its own import and export tools, extending the same interoperability principle across the Android ecosystem. The two moves, taken together, effectively ended the era in which a user’s passkeys were permanently bonded to a single platform.

Still, passkeys are only as useful as the websites that accept them. The FIDO Alliance estimated that 20 percent of the world’s 100 most-visited websites now support passkeys – a figure that seemed impressive until someone pointed out it meant 80 percent did not. Hundreds of services that people log into every day – legacy banking platforms, government portals, niche subscription services – still require a password. Which means that the password manager, vulnerabilities and all, is not going away any time soon. It is being repurposed.

[Image] ETH Zurich researchers were able to view and even change stored passwords during their testing. [Image Source: ETH Zurich / Adobe Stock]

The best-positioned password managers understand this and have spent the past two years retooling as passkey vaults. 1Password, Bitwarden, Dashlane, and NordPass all support passkey creation and storage inside their vaults, allowing users to keep passwords for legacy services and passkeys for modern ones in the same application. 1Password’s architecture emerged from the ETH Zurich study in a notably stronger position than its competitors: the researchers found only two attack scenarios against the service, and credited its “secret key” design – a high-entropy cryptographic key required alongside the master password – as the reason brute-force attacks were “out of reach.” Jacob DePriest, 1Password’s chief information security officer, told Infosecurity Magazine that the company regarded the identified vulnerabilities as arising from architectural limitations it had already publicly documented.

The ETH Zurich paper’s core finding is more specific than its headlines suggested. The attacks did not rely on a flaw that could be triggered remotely, the way a phishing link or a software vulnerability might. Every scenario assumed a malicious server – meaning an attacker had already compromised the password manager’s backend infrastructure. “We have no reason to believe” the password manager vendors are currently compromised, the researchers noted. “That said, password managers are high-value targets, and breaches do happen.”

They have. LastPass suffered a significant breach in 2022 in which encrypted customer vaults were stolen. The attackers later used those vaults – which in theory should have been undecipherable without each user’s master password – to target high-value accounts. Researchers tracking the fallout estimated cryptocurrency losses tied to the breach at $438 million, a figure that Wired reported in detail. The incident did not require the ETH Zurich attack scenarios. It required patience, computing power, and stolen encrypted data. The new paper demonstrated that, under certain server-compromise conditions, getting the data might not even require patience.

Paterson’s recommendation for users is practical rather than alarming: choose a password manager that undergoes external audits, is transparent about security limitations, and has end-to-end encryption enabled by default rather than offered as an option. The researchers advised Bitwarden, LastPass, and Dashlane users to check the remediation status of the specific vulnerabilities identified. Dashlane confirmed it had deployed a fix for the most severe issue – the one that could lead to direct password disclosure – before the paper’s publication. Bitwarden said remediation was underway. LastPass said it had implemented “multiple near-term hardening measures.”

The researchers also flagged something the industry rarely discusses openly: most of the complexity in password manager code exists because vendors are terrified of breaking backward compatibility. Cryptographic standards from the 1990s remain embedded in codebases because updating them risks locking existing users out of their own vaults. “Many providers therefore stick to cryptographic technologies from the 90s, even though these have long been obsolete,” Scarlata said. It is an awkward admission for an industry whose entire value proposition rests on being more secure than the alternative.

The ETH Zurich team proposed a path forward that most vendors have not yet taken: onboard new customers to modern cryptographic standards immediately, while giving existing users a documented choice to migrate or stay put with full awareness of the risks they carry. That recommendation is technically straightforward. Commercially, it requires telling customers that the system they have trusted for years was not as secure as advertised – a conversation no company’s marketing department is eager to have.

The practical question, for the person with 150 passwords stored in a cloud vault, is what to do now. The researchers were not advising people to abandon password managers entirely. They were advising people to use password managers that are honest about what they protect against. The transition to passkeys, wherever sites support them, remains the longer-term security upgrade. The FBI’s warnings about evolving phishing tools targeting Microsoft accounts underscore why credential security – whether through stronger password manager architecture or phishing-resistant passkeys – is not an abstract concern.

What the ETH Zurich paper actually showed was not that password managers have failed. It showed that the industry’s marketing had outrun its engineering. The promises made to users – of perfect encryption, of zero knowledge, of vaults that would remain sealed even in the event of a server breach – were not backed by the cryptographic rigor required to keep them. The research was the gap between the sales pitch and the source code, expressed as 27 working exploits.

The USENIX Security presentation in August will put those findings in front of the security community in full. Whether the industry treats it as a mandate to rebuild its cryptographic foundations – or as a PR problem to manage – is the question the researchers said they could not answer. The vendors’ responses so far suggest the answer may differ by company.

Technology Desk

The Technology Desk leads The Eastern Herald's coverage of consumer technology, online platforms, artificial intelligence, and internet policy.