Password manager vulnerabilities aren’t something most people lose sleep over. You set up your password manager, you trust the zero-knowledge encryption pitch, and you move on. I get it. That’s kind of the whole point. But a new research paper out of Zurich just made it a lot harder to sleep quite so soundly — and I think you need to know about it.

This blog post summarizes the main points of my latest podcast episode. If you’d like, you can listen to it or watch it at https://www.backupwrapup.com/password-manager-vulnerabilities-lastpass-bitwarden-dashlane.
Let me be clear upfront: I’m still a fan of password managers. I have roughly 500 passwords in mine, and the thought of losing access to all of them is the stuff of nightmares. But being a fan doesn’t mean ignoring real problems — and the password manager vulnerabilities uncovered in this research are real.
What the Zurich Research Actually Found
Researchers took a hard look at three of the most widely used password managers: LastPass, Bitwarden, and Dashlane. Together, those three products serve about 60 million users — roughly 23% of the password manager market. Do the math and you’re looking at a quarter of a billion people using password managers total. Which also means the vast majority of people on earth aren’t using one at all, but that’s a different problem.
What the researchers found wasn’t sloppy code or a missed security patch. It was something more uncomfortable: fundamental architectural flaws in the way these tools are built. Specifically, two categories of password manager vulnerabilities stood out.
The first is the vault recovery trust problem. The zero-knowledge encryption model — where the vendor never sees your unencrypted passwords — is genuinely good design. Your master password decrypts your vault locally. The server never touches the unencrypted data. But here’s the catch: you need a way to recover your vault if you lose access to all your devices. And that recovery process requires you to trust a server you can’t see or verify. Researchers showed they could impersonate that server during recovery, intercept your recovery key, and access your vault. That’s not a bug someone can patch with a software update. It’s a design trade-off with no clean answer.
The second category involves field-level encryption inside the vault itself. Unlike a file that gets encrypted as a single unit, password manager vaults encrypt individual entries and fields — sometimes in different ways, sometimes with metadata that isn’t encrypted at all. Think of it like row-level encryption in a database. Researchers found there’s no strong integrity check to verify the vault hasn’t been tampered with. In one example, they moved ciphertext from username/password fields into a URL field, which could potentially expose part of your credentials depending on the password manager. That’s a fixable problem — it just requires the vendors to add vault integrity verification — but it shouldn’t have been missing in the first place.
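To make the field-moving problem concrete, here is an added Go example (not code from the paper or from any of the three vendors, whose real vault formats it does not reproduce). It assumes a toy vault that encrypts each field with AES-GCM under a single vault key: with bind=false each field is sealed on its own, so a ciphertext lifted from the password slot still decrypts when read back from the URL slot; with bind=true the entry ID and field name are fed in as associated data, so the same move fails the tag check. The key, entry ID and values are constructed sample data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

// Constructed sample key standing in for the key derived from the master password.
var vaultKey = []byte("0123456789abcdef0123456789abcdef") // 32 bytes = AES-256

var vaultAEAD = func() cipher.AEAD {
	block, _ := aes.NewCipher(vaultKey) // only fails on a bad key size; ours is 32 bytes
	gcm, _ := cipher.NewGCM(block)
	return gcm
}()

// slotAAD names the field a ciphertext belongs to; with bind=false nothing records the slot.
func slotAAD(entryID, field string, bind bool) []byte {
	if !bind {
		return nil
	}
	return []byte(entryID + "/" + field)
}

// sealField encrypts one vault field; the result is nonce || ciphertext || tag.
func sealField(entryID, field, value string, bind bool) []byte {
	nonce := make([]byte, vaultAEAD.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return vaultAEAD.Seal(nonce, nonce, []byte(value), slotAAD(entryID, field, bind))
}

// openField decrypts a blob read from the given slot. With binding on, a blob moved from
// another field fails GCM's tag check ("message authentication failed") instead of decrypting.
func openField(entryID, field string, blob []byte, bind bool) ([]byte, error) {
	n := vaultAEAD.NonceSize() // blobs from sealField are always nonce || ciphertext || tag
	return vaultAEAD.Open(nil, blob[:n], blob[n:], slotAAD(entryID, field, bind))
}

// movedCiphertextDecrypts seals a password field, reads that blob back from the URL slot of
// the same entry, and reports whether the vault accepted the moved ciphertext.
func movedCiphertextDecrypts(bind bool) bool {
	blob := sealField("entry-42", "password", "hunter2", bind)
	_, err := openField("entry-42", "url", blob, bind)
	return err == nil
}
```

A real vault would also want a signature or MAC over the whole entry set, so that deleting or reordering entries is caught as well, but binding each ciphertext to its slot is the piece that stops the field-swap shown in the research.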
Password Manager Vulnerabilities Don’t Mean You Should Quit Using Them
Here’s where I want to be direct with you. These are edge-case attacks. They require specific conditions — most notably, the ability to impersonate the vendor’s server during a vault recovery event. That’s not trivial. The researchers also did the right thing and contacted the vendors before publishing, and all three said they’re working on addressing the issues.
So no, don’t delete your password manager. It’s still better than the alternative. I was at a business recently where the passwords were on sticky notes on the monitor — facing the door, by the way. That hurt my soul. A password manager with these vulnerabilities is still orders of magnitude better than that.
The real takeaway is that password managers are a stopgap. A really good stopgap, but not the final answer.
The Real Answer Is Passkeys — When the World Catches Up
FIDO-compliant passkeys are the right direction. They’re device-bound, phishing-resistant, and don’t have the same vault recovery trust problem because there’s no centralized vault to impersonate. The architecture is fundamentally more secure.
The problem is we’re still in the early adoption phase. I’ve been trying to move to passkeys where I can, and I keep running into implementation headaches. QuickBooks asked me to set up a passkey and then still asked for MFA after I used it. That’s not a passkey win — that’s just extra steps. Different apps implement it differently, different devices behave differently, and if I’m confused, regular users don’t stand a chance.
But that doesn’t mean you should wait. Start with your most vulnerable accounts: banking, Amazon, bookkeeping software, anything where a breach would genuinely cause damage. The password manager vulnerabilities exposed in this research are yet another reason to accelerate your passkey adoption where you can.
And if you’re using Google or Apple’s built-in password manager and thinking you’re covered — I’d push back on that. Those built-ins account for 55% of the password manager market according to one survey, and they’re better than nothing, but not by a lot. If you’re serious about security, a dedicated password manager is still the better choice — just go ask your vendor what they’re doing about the Zurich research.
Written by W. Curtis Preston (@wcpreston), four-time O'Reilly author, and host of The Backup Wrap-up podcast. I am now the Technology Evangelist at S2|DATA, which helps companies manage their legacy data.