Popular password managers including Bitwarden, LastPass, and Dashlane may be less secure than many users assume, according to new findings from researchers at ETH Zurich and the Università della Svizzera italiana (USI) in Lugano. The team says it uncovered vulnerabilities that could allow attackers to view—and in some cases modify—stored passwords under specific conditions.

Password managers typically store credentials in encrypted form on cloud servers, allowing users to access them across devices while keeping them protected from unauthorized access. Even if servers are breached, strong encryption is supposed to keep stored passwords safe. However, the researchers claim their tests revealed weaknesses that could compromise that protection if attackers successfully impersonate backend servers.

According to the report, simulated attacks ranged from targeting individual user vaults to compromising entire organizational vaults. By setting up servers that behaved like compromised password manager infrastructure, the researchers triggered routine actions such as logging in, syncing data, and viewing stored credentials. In many test cases, they were able to access or alter stored passwords.

The team identified multiple potential attack paths across all three platforms: 12 for Bitwarden, seven for LastPass, and six for Dashlane. They attribute the vulnerabilities largely to complex code structures designed to support convenience features such as account recovery, password sharing, and cross-device syncing. These features, while useful, can increase the number of possible entry points for attackers.

Researchers also suggested that some password manager providers have been slow to modernize underlying cryptographic systems, partly due to fears that major updates could lock users out of their stored credentials. Some systems may still rely on older encryption approaches that increase risk if not updated.

All affected companies were notified prior to publication and responded positively, though fixes reportedly rolled out at different speeds. The researchers emphasize that there is no evidence of active exploitation or malicious behavior by the providers at this time. Still, password managers remain high-value targets for attackers and require ongoing scrutiny.

Security experts recommend that users choose password managers that undergo external audits, provide transparent disclosure of vulnerabilities, and offer strong end-to-end encryption by default. For now, there is no urgent need to abandon password managers—but staying informed and using reputable services remains essential.