A study coordinated between ETH Zurich and Università della Svizzera italiana (USI) raises important questions about the security of some of the most widely used cloud-based password managers.
The work, which will be presented at USENIX Security 2026, includes among its authors two researchers from USI’s Faculty of Informatics, Prof. Matilda Backendal and PhD candidate Giovanni Torrisi, together with Matteo Scarlata and Prof. Kenneth G. Paterson from ETH Zurich.
Password managers allow users to store all their passwords in an encrypted vault accessible with a single master password. Many providers claim to use so-called "zero-knowledge encryption", assuring users that even the company operating the service cannot read their data.
The researchers analysed three widely used platforms, Bitwarden, LastPass and Dashlane, which together serve more than 60 million users, and also included an analysis of 1Password. By simulating a scenario in which the server is compromised, the team identified 27 possible attacks. In several cases, it would theoretically be possible to access or modify the stored passwords.
The research does not question the strength of cryptography itself, but shows that certain design choices can introduce unexpected vulnerabilities. According to the authors, it is essential to clearly communicate which security guarantees are provided to users and to update systems in line with modern cryptographic standards.
The study’s results have resonated widely across international media, capturing the interest of major tech news outlets (a list of media coverage can be found at this link).
The aim of the study is to contribute to improving the security of digital services that protect highly sensitive information every day. In this regard, Prof. Matilda Backendal stated: "We are committed to continue working on high-impact research projects such as this one, which help improve the security of millions of people worldwide."
The full paper, Zero Knowledge (About) Encryption: A Comparative Security Analysis of Three Cloud-based Password Managers, will be presented at USENIX Security 2026 and is already available on the IACR ePrint platform.


