Bottom line up front: Researchers at ETH Zurich published a peer-reviewed paper documenting 27 distinct attacks across Bitwarden (12), LastPass (7), Dashlane (6), and 1Password (2). Most attacks require a compromised provider server. Full-vault compromise paths were demonstrated for Bitwarden and LastPass. 1Password had 2 findings but no full-vault compromise under the same threat model.
What Actually Happened
The paper, Zero Knowledge (About) Encryption, from ETH Zurich's Applied Cryptography Group evaluates whether "zero-knowledge" claims hold under a compromised-server threat model.
Researchers simulated compromised provider infrastructure and observed normal workflows like login, sync, sharing, and recovery. In several scenarios, malicious server responses enabled password recovery or vault tampering.
The 4 Attack Categories
1. Key Escrow Account Recovery Attacks
Account recovery flows in Bitwarden and LastPass exposed key validation weaknesses. A malicious server could substitute attacker keys during recovery.
2. Flawed Item-Level Encryption
Some item metadata/integrity protections were weak, enabling field-swapping, downgrade behavior, and metadata leakage.
3. Sharing Feature Vulnerabilities
If recipient public keys are not strongly authenticated client-side, a malicious server can redirect shares to attacker-controlled keys.
4. Backwards Compatibility Downgrade Attacks
Legacy crypto compatibility support enabled forced downgrades in some paths, lowering brute-force cost against weak master passwords.
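An added illustration of the client-side check that blocks this class of downgrade (example code, not from the paper or any vendor's client): the client validates server-supplied KDF parameters against an absolute floor and against the values it last pinned, instead of trusting whatever the server sends. The floor value, field names and PBKDF2-only policy are assumptions for the example.

```python
"""Client-side guard against server-driven KDF downgrade (illustrative only)."""
import hashlib
from dataclasses import dataclass
from typing import Optional

# Policy floor is an assumed value for this example, not any vendor's setting.
MIN_PBKDF2_ITERATIONS = 600_000


@dataclass(frozen=True)
class KdfParams:
    algorithm: str
    iterations: int
    salt: bytes


class KdfDowngradeError(Exception):
    """Raised when the server offers weaker KDF settings than the client allows."""


def accept_kdf_params(server: KdfParams, pinned: Optional[KdfParams]) -> KdfParams:
    """Validate KDF parameters received from the server before deriving keys.

    A naive client uses whatever the server returns; a compromised server can
    then push a tiny iteration count so every offline guess becomes cheap.
    This guard enforces an absolute floor and refuses anything weaker than, or
    different from, the parameters pinned on first successful login.
    """
    if server.algorithm != "pbkdf2-sha256":
        raise KdfDowngradeError(f"unsupported KDF {server.algorithm!r}")
    if server.iterations < MIN_PBKDF2_ITERATIONS:
        raise KdfDowngradeError(f"iterations {server.iterations} below floor")
    if pinned is not None:
        if server.iterations < pinned.iterations or server.salt != pinned.salt:
            raise KdfDowngradeError("weaker or changed KDF parameters than pinned")
    return server


def derive_master_key(password: str, params: KdfParams) -> bytes:
    """Derive the 32-byte master key only after params passed accept_kdf_params."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               params.salt, params.iterations, dklen=32)


def relative_guess_cost(offered: KdfParams, baseline: KdfParams) -> float:
    """How many times cheaper each attacker guess becomes versus the baseline."""
    return baseline.iterations / offered.iterations
```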
Breakdown by Password Manager
Bitwarden: 12 Attacks
Full-vault compromise was demonstrated in specific server-compromise scenarios. The vendor acknowledged most findings and has patched, or is patching, several issues.
LastPass: 7 Attacks
Multiple scenarios led to vault data disclosure under the compromised-server model; hardening and migration actions have been announced.
Dashlane: 6 Attacks
Mostly compatibility/downgrade-related findings. The most severe path was patched ahead of publication.
1Password: 2 Attacks, No Full Vault Compromise Demonstrated
Two findings were reported, but researchers did not reach full-vault compromise under the same model.
Why 1Password Held Up Better
1Password's two-secret model requires both the master password and the device-held Secret Key for key derivation. A server compromise alone is insufficient to derive vault keys without that second secret.
What's Patched, What Isn't
| Vendor | Attacks Found | Patched | Status |
|---|---|---|---|
| Bitwarden | 12 | 7 patched, 3 accepted design decisions | Partially mitigated |
| LastPass | 7 | Hardening deployed, migration in progress | In progress |
| Dashlane | 6 | Primary downgrade issue patched | Mostly patched |
| 1Password | 2 | No severe new compromise path disclosed | Architecture mitigates worst cases |
What You Should Do Right Now
If you use Bitwarden: Keep auto-updates enabled. Review org-admin privileges and sharing scope.
If you use LastPass: Consider migrating based on your risk profile and compliance requirements.
If you use Dashlane: Confirm client versions include post-disclosure compatibility fixes.
If you use 1Password: Keep clients updated and continue normal use.
For everyone: Use a long, unique master password and avoid reused credentials.
Bottom Line
The ETH Zurich paper is a major contribution to password-manager security analysis. It does not mean you should abandon password managers; it means you should choose one deliberately, keep it updated, and use a high-entropy master credential.
In practical risk terms, weak/reused passwords are still a much more common failure mode than these server-compromise scenarios.