• ETH Zurich researchers tested zero‑knowledge password managers against fully malicious servers.
• Bitwarden, Dashlane, LastPass, and 1Password were evaluated.
• Attacks targeted account recovery, SSO, backward compatibility, and sharing features.
• Researchers achieved full vault compromise on Bitwarden and LastPass.
• Dashlane suffered shared vault compromise, exposing multiple users’ credentials.
• Attackers could view and modify passwords, eroding security guarantees.

Article Summaries:

  • A team of security researchers from ETH Zurich in Switzerland has analyzed popular password managers and identified ways in which threat actors could compromise users’ vaults and access sensitive data. However, the researchers did not test the password managers against external or client-side attacks. Instead, they targeted zero-knowledge encryption, a security model in which the service provider is unable to access the user’s encrypted data, and the data should remain protected even if the provider’s servers are compromised. As such, the ETH Zurich researchers conducted an analysis of popular cloud-ba

Sources: