Password managers’ promise that they cannot see your vaults is not always true

Over the past 15 years, password managers have grown from a niche security tool used by the technically savvy into an indispensable security tool for the masses, with an estimated 94 million US adults (roughly 36 percent of them) having adopted one. They store not only passwords for retirement, financial, and email accounts, but also cryptocurrency credentials, payment card numbers, and other sensitive data.

All eight of the top password managers have adopted the term “zero knowledge” to describe the complex encryption system they use to protect the data vaults that users store on their servers. The definitions vary slightly from vendor to vendor, but they generally boil down to one bold assurance: that there is no way for malicious insiders, or for hackers who manage to compromise the cloud infrastructure, to steal vaults or the data stored in them. These guarantees make sense, given previous breaches of LastPass and the reasonable expectation that state-level hackers have both the motive and the capability to obtain password vaults belonging to high-value targets.

A bold assurance debunked

Typical of these claims are those made by Bitwarden, Dashlane, and LastPass, which together are used by roughly 60 million people. Bitwarden, for instance, says that “not even the team at Bitwarden can read your data (even if we wanted to).” Dashlane, meanwhile, says that without a user’s master password, “malicious actors can’t steal the data, even if Dashlane’s servers are compromised.” LastPass says that no one can access the “data stored in your LastPass vault, except you (not even LastPass).”

New research shows that these claims are not true in all cases, particularly when account recovery is in place or when the password managers are configured to share vaults or organize users into groups. The researchers reverse-engineered or closely analyzed Bitwarden, Dashlane, and LastPass and identified ways that someone with control over the server (whether through legitimate administrative access or as the result of a compromise) can, in fact, steal data and, in some cases, entire vaults. The researchers also devised other attacks that can weaken the encryption to the point that ciphertext can be converted to plaintext.
