Password managers have long been hailed as the gold standard for digital security, offering a fortress for sensitive credentials. But new research from security experts at ETH Zurich and the Università della Svizzera italiana (USI) reveals that three of the most widely used services—Bitwarden, LastPass, and Dashlane—contain serious vulnerabilities that could allow attackers to access or even alter stored passwords.
The flaws stem from cryptographic methods developed in the 1990s, long before modern encryption standards. Researchers demonstrated how these weaknesses could be exploited through routine user interactions, such as logging in or syncing data across devices. In some cases, they successfully compromised entire vaults, raising concerns about the integrity of encrypted data.
What makes these findings particularly alarming is that the attacks required minimal technical resources. By impersonating compromised servers, researchers executed 12 successful exploits against Bitwarden, seven against LastPass, and six against Dashlane. The vulnerabilities were traced back to complex code architectures designed to enhance user convenience—such as password recovery or shared accounts—rather than security.
The Root of the Problem
The reluctance to update outdated encryption methods appears to be driven by practical concerns. Developers have expressed fears that system updates could lock users out of their accounts, leaving millions of individuals and businesses without access to critical data. As a result, many services continue relying on legacy cryptographic protocols, despite their known risks.
Experts emphasize that while no evidence suggests current attacks are underway, password managers remain high-value targets. The research underscores the need for providers to transition to more secure encryption—particularly for new users—while giving existing customers the option to migrate voluntarily.
What Should Users Do?
For now, users are advised to take proactive steps to mitigate risks:
- Choose password managers that prioritize transparency, undergo regular external security audits, and enable end-to-end encryption by default.
- Monitor for official updates from providers, as patches for these vulnerabilities are expected to roll out in the coming weeks.
- Consider diversifying security measures, such as enabling multi-factor authentication where available.
While there is no indication of a zero-day threat being exploited right now, the findings serve as a reminder that even trusted tools can harbor hidden weaknesses. Users who rely on these services should stay informed and prepared for potential changes in how their data is protected.
The research team has worked closely with all affected companies, which have responded by prioritizing fixes. However, the pace of updates varies, and users may need to remain vigilant until full remediation is confirmed.