Password manager vulnerabilities just got real. New research out of Zurich found fundamental design flaws in LastPass, Bitwarden & Dashlane — not bad code, but broken architecture.
Researchers analyzed three of the most popular password managers on the planet and came back with something nobody really wanted to hear: the problems aren't in the code. They're in the core design. The zero-knowledge encryption model that's supposed to protect your vault has an inherent trust problem — and the researchers were able to exploit it.
Here's the short version: when you need to recover your vault, you have to trust a server you can't see. Researchers showed they could impersonate that server, intercept your recovery key, and access your vault without you. That's not a bug. That's a feature — one that has no clean fix.
There's a second problem too. The field-level encryption inside these vaults isn't consistently bound to the field it protects, so a ciphertext isn't verified as belonging where it sits. Prasanna walks through how the researchers were able to move ciphertext between fields, like moving the ciphertext of your username or password into the URL field, and potentially expose part of your credentials. Again, not a coding error. A structural gap.
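To make the field-swap concrete, here is an added example in Go. It is not code from the episode, the paper, or any of the three vendors: a toy vault entry encrypted with AES-GCM, first with each field's ciphertext left unbound to its field name, then with the field name authenticated as associated data. The key, field names and entry values are constructed for the demo, and the exact format each real product uses will differ.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Entry is one vault item: field name -> blob (12-byte nonce || AES-GCM ciphertext+tag).
type Entry map[string][]byte

// demoKey is a constructed, fixed 256-bit key so the demo is deterministic.
// A real vault derives this from the master password.
var demoKey = []byte("0123456789abcdef0123456789abcdef")

// sample is a constructed vault entry.
var sample = map[string]string{
	"username": "alice@example.com",
	"password": "correct horse battery staple",
	"url":      "https://login.example.com",
}

func newAEAD(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return aead
}

// seal encrypts value; aad is whatever context we want the ciphertext tied to (nil = nothing).
func seal(aead cipher.AEAD, aad []byte, value string) []byte {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	// Output is nonce || ciphertext||tag, so the blob is self-contained.
	return aead.Seal(nonce, nonce, []byte(value), aad)
}

// unseal decrypts a blob; it fails if the blob was not sealed under the same aad.
func unseal(aead cipher.AEAD, aad []byte, blob []byte) (string, error) {
	ns := aead.NonceSize()
	if len(blob) < ns {
		return "", errors.New("blob too short")
	}
	pt, err := aead.Open(nil, blob[:ns], blob[ns:], aad)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// Unbound scheme: every field is encrypted on its own; nothing ties a blob to the field it lives in.
func encryptEntry(aead cipher.AEAD, fields map[string]string, bind bool) Entry {
	e := Entry{}
	for name, v := range fields {
		var aad []byte
		if bind { // Bound scheme: the field name is authenticated as associated data.
			aad = []byte(name)
		}
		e[name] = seal(aead, aad, v)
	}
	return e
}

func decryptField(aead cipher.AEAD, e Entry, name string, bind bool) (string, error) {
	var aad []byte
	if bind {
		aad = []byte(name)
	}
	return unseal(aead, aad, e[name])
}

// swapFields is what a party holding the encrypted vault but not the key can do:
// move the blob from one field into another without decrypting anything.
func swapFields(e Entry, from, to string) Entry {
	out := Entry{}
	for k, v := range e {
		out[k] = v
	}
	out[to] = e[from]
	return out
}

// AttackUnbound returns what the client reads from the url field after the password blob is moved there.
func AttackUnbound() (string, error) {
	aead := newAEAD(demoKey)
	e := swapFields(encryptEntry(aead, sample, false), "password", "url")
	return decryptField(aead, e, "url", false)
}

// AttackBound runs the same swap against the field-bound scheme; decryption must fail.
func AttackBound() (string, error) {
	aead := newAEAD(demoKey)
	e := swapFields(encryptEntry(aead, sample, true), "password", "url")
	return decryptField(aead, e, "url", true)
}

func main() {
	v, err := AttackUnbound()
	fmt.Printf("unbound: url field now reads %q (err=%v)\n", v, err)
	v, err = AttackBound()
	fmt.Printf("bound:   url field reads %q (err=%v)\n", v, err)
}
```

In the unbound case the moved blob decrypts cleanly, so the client now holds the password in a slot it treats as a URL, which is exactly the kind of place a secret can leak from (display, autofill, navigation). Authenticating the field name as associated data costs nothing extra on the wire and makes the same swap fail the GCM tag check; binding the entry identifier as well closes the equivalent swap between entries.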
Now before you panic and delete your password manager — don't. I'm still a fan. These are edge-case attacks that require specific conditions to pull off. And the three vendors in the study said they're working on fixes. But you should absolutely reach out to your password manager and ask what they're doing about it.
The bigger takeaway here is that password managers are a stopgap, a really good stopgap, but a stopgap. Passkeys are the real answer. They're tied to your device or platform account, phishing-resistant (the browser only signs for the site that registered the key), and don't have the same vault recovery trust problem. I'm still in the early adoption phase myself (QuickBooks made me use MFA after setting up a passkey, which kind of defeats the whole point), but the direction is right. Start implementing passkeys on the accounts that matter most: banking, Amazon, bookkeeping, anything where a breach would genuinely hurt.
Oh, and if you're still using the browser's built-in password manager and thinking that counts — Google and Apple's built-ins represent 55% of the market. That's depressing. Use a real password manager. It's still better than sticky notes on your monitor. Yes, I saw that in real life. No, I'm not kidding.
🔔 Subscribe for weekly backup, recovery, and cybersecurity content.
📖 Check out my book: Learning Ransomware Response and Recovery — available now on the O'Reilly Learning Platform.
🔗 Audio episode: https://www.backupwrapup.com/password-manager-vulnerabilities-lastpass-bitwarden-dashlane
Chapters:
00:00 - Intro & Welcome
01:24 - Password Managers: Good, Better, Best
03:00 - The LastPass Breach Revisited
06:31 - The Zurich Research Paper
08:12 - How Zero-Knowledge Encryption Works
18:00 - The Core Design Flaw: Vault Recovery & Trust
25:31 - Field-Level Encryption Vulnerabilities
28:22 - How Many People Actually Use Password Managers?
31:13 - What You Should Do Right Now
34:35 - Passkeys: Better But Not Quite There Yet
38:50 - MFA, Authy, and the Catch-22
41:39 - Wrap-Up