Password managers’ promise that they can’t see your vaults isn’t always true


TL;DR

Research from ETH Zurich and USI Lugano shows that the "zero knowledge" claims of leading password managers, including Bitwarden, Dashlane, and LastPass, do not hold in every case: when account recovery is enabled or vaults are shared, a party with control over the vendor's server can recover users' data.

Source: ars TECHNICA


All eight of the top password managers have adopted the term "zero knowledge" to describe the encryption schemes they use to protect the data vaults that users store on their servers. The vendors all make a bold assurance: there is no way for a malicious insider, or an attacker who compromises the cloud infrastructure, to steal vaults or the data stored in them. Research from ETH Zurich and USI Lugano shows that these claims do not hold in all cases, particularly when account recovery is enabled or when the password manager is configured to share vaults or organize users into groups. The researchers reverse-engineered or closely analyzed Bitwarden, Dashlane, and LastPass and identified ways in which someone with control over the server, whether a legitimate administrator or an attacker who has compromised it, can in fact steal data and, in some cases, entire vaults. The practical caveat is that the "zero knowledge" guarantee, as marketed, describes the vault at rest; the features built around it (recovery, sharing, and organization management) are where a compromised or malicious server gains leverage.
