Recent Password Manager Security Audit: Here’s Why You Should (Still) Trust Bitwarden, LastPass, and Dashlane

AI-generated, human-reviewed. 

Most people rely on password managers to keep their digital lives safe, but are these tools really secure? A major new audit by ETH Zurich researchers uncovered surprising vulnerabilities, but there is good news for users of Bitwarden, LastPass, and Dashlane.

According to Steve Gibson on this episode of Security Now, the ETH Zurich team conducted a deep, hands-on analysis of three of the world's leading cloud-based password managers. Their research revealed several practical attack scenarios, but all of the major issues have since been addressed by the vendors. The bottom line: users of these managers can remain confident, but understanding how and why these vulnerabilities emerged is crucial for informed digital hygiene.

ETH Zurich Password Manager Audit: What Did Researchers Look For?

The ETH Zurich research focused on what happens if a password manager's cloud infrastructure is compromised: a malicious or breached server that can read and rewrite everything it stores. This is a realistic but advanced threat scenario. The researchers selected Bitwarden*, LastPass, and Dashlane because their client-side code, at least in part, is open for scrutiny, which is a prerequisite for meaningful, independent audits.

The team tested whether providers' promises of "zero-knowledge" encryption hold up: that is, whether user vaults remain protected even if the server is fully compromised. Under this model, the vault is encrypted on your device with a key derived from your master password, and the server only ever stores ciphertext. The question goes beyond bugs on your device; it is whether the provider's design keeps your secrets safe when its own systems are breached.

Practical Features vs. Perfect Security: Why Vulnerabilities Happen

On Security Now, Steve Gibson detailed that many of the vulnerabilities arose from balancing uncompromising security principles (like "Trust No One" encryption) with demands for user-friendly features. For example, users want:

  • Account recovery (in case you forget your master password)
  • Sharing passwords among family or team members
  • Cross-device access with backward compatibility

Each of these adds complexity. According to the show, it is nearly impossible to offer both ironclad, no-compromise cryptography and broad usability without creating new risks: every recovery path, sharing channel, or legacy format is another place where data supplied by the server ends up being trusted. As features accumulate, so do unexpected interactions, making airtight security far more elusive.

What Did the Audit Find? Summary of Key Issues

The ETH Zurich team carried out real-world attacks and found multiple security concerns, including:

  • Key escrow weaknesses: with a fully compromised server, the account recovery mechanism could be abused to unlock a vault.
  • Integrity issues: vaults could potentially be manipulated by the server without the client detecting it.
  • Problems with sharing features that could, in complex and uncommon scenarios, allow an attacker to compromise shared passwords.
  • Backwards compatibility flaws that lingered as the managers evolved while still supporting older data formats.
  • Incomplete adoption of cryptographic best practices, such as a lack of message authentication in some older vault formats (notably LastPass's).

Significantly, most of these issues could only be exploited by an attacker who controlled the password manager's server. That is a high bar, but not a theoretical one: LastPass, for example, has suffered breaches in the past. After the audit, all three vendors moved quickly to fix or mitigate the identified vulnerabilities.
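To make the integrity finding concrete, here is an added example (not code from the paper, the show, or any of the three vendors) that models the zero-knowledge arrangement described above and the "no message authentication" flaw in one small script. The client derives the vault key from the master password with PBKDF2 and the server stores only ciphertext. With an unauthenticated legacy format, a compromised server can flip ciphertext bits and silently change a stored URL (here from bank.example to evil.example), so autofill would hand the password to the wrong host; with encrypt-then-MAC the same rewrite is rejected before any plaintext is used. The sample entry, salt, fixed nonce, field offset and HMAC-based keystream are all constructed for the demo; a real client would use a random nonce and an AEAD such as AES-GCM.

```python
import hashlib
import hmac

# Constructed sample data for the demo (not real vault contents or any vendor's format).
MASTER_PASSWORD = "correct horse battery staple"
SALT = b"user@example.com"               # per-user salt; a real client would use a random salt
NONCE = bytes(range(12))                 # fixed for reproducibility; use os.urandom(12) in practice
VAULT_ENTRY = b'{"url":"https://bank.example","pw":"hunter2"}'


def derive_vault_key(master_password: str, salt: bytes, iterations: int = 600_000) -> bytes:
    """Client-side key derivation: the server never sees the master password or this key."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, standing in for a block cipher's CTR keystream."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Unauthenticated encryption: confidential, but every ciphertext bit is malleable."""
    return bytes(p ^ k for p, k in zip(data, _keystream(key, nonce, len(data))))


def encrypt_then_mac(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with separate subkeys; the tag covers nonce and ciphertext."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    ct = xor_encrypt(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_and_verify(key: bytes, blob: bytes) -> bytes:
    """Reject any blob whose tag does not verify, before touching the plaintext."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("vault entry failed integrity check")
    return xor_encrypt(enc_key, nonce, ct)


def malicious_server_rewrite(ct: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """A compromised server turns a known plaintext substring into `new` by flipping
    ciphertext bits. It needs no key, only the record layout (public for an open client)."""
    ct = bytearray(ct)
    for i, (o, n) in enumerate(zip(old, new)):
        ct[offset + i] ^= o ^ n
    return bytes(ct)


def demo() -> dict:
    key = derive_vault_key(MASTER_PASSWORD, SALT)
    offset = len(b'{"url":"https://')  # host position in the (assumed public) record layout

    # Legacy format: no MAC. The rewrite is accepted, so autofill would target evil.example.
    legacy_ct = xor_encrypt(key, NONCE, VAULT_ENTRY)
    tampered_ct = malicious_server_rewrite(legacy_ct, offset, b"bank", b"evil")
    legacy_result = xor_encrypt(key, NONCE, tampered_ct)

    # Authenticated format: the same bit flips invalidate the tag and the client refuses it.
    blob = encrypt_then_mac(key, NONCE, VAULT_ENTRY)
    tampered_blob = (blob[:12]
                     + malicious_server_rewrite(blob[12:-32], offset, b"bank", b"evil")
                     + blob[-32:])
    try:
        decrypt_and_verify(key, tampered_blob)
        detected = False
    except ValueError:
        detected = True

    return {
        "legacy_decrypts_to": legacy_result,
        "authenticated_rejects_tamper": detected,
        "authenticated_roundtrip": decrypt_and_verify(key, blob) == VAULT_ENTRY,
    }


if __name__ == "__main__":
    print(demo())
```

The point of the demo is that confidentiality alone does not stop a server that is assumed hostile: an attacker who never learns the key can still steer a client into decrypting attacker-chosen data. Authenticated encryption is what turns "the server cannot read my vault" into "the server cannot change my vault either", which is why the older unauthenticated formats showed up as findings.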

Why Openness Matters

The show emphasized the importance of open-source or reviewable client code. Because researchers could inspect the managers deeply and audit the encryption workflow, issues were discovered and fixed. This transparency is a critical advantage and was a practical reason why ETH Zurich could select these solutions for their work.

What You Need to Know: Action Steps for Password Manager Users

  • Don't panic: all critical issues found by ETH Zurich have already been addressed.
  • Open source matters: password managers that welcome external review are likely to be more secure in the long run.
  • Server compromise is a high bar, and no tool is perfect: zero-knowledge designs are very strong but not invulnerable, especially as features grow.
  • Account recovery increases risk even as it helps usability: use a strong master password and 2FA, and keep any recovery codes or keys stored securely offline.
  • Browser-based password managers are gaining ground: for some users, the built-in managers in browsers like Chrome and Safari may suffice, but they offer less flexibility and storage than Bitwarden or Dashlane.
  • Stay updated: the vendors shipped fixes quickly, so make sure you are running the latest version of your manager's apps and browser extensions.
  • Passkeys are the future: where available, start using passkeys (passwordless logins), which the show mentioned as a secure alternative.

The Bottom Line

On this week's Security Now, Steve Gibson explained that the ETH Zurich audit showed how the push for convenience can weaken even the most carefully designed password tools. However, the transparent response by Bitwarden, LastPass, and Dashlane means users of these managers are now safer than before. The best advice: stick with solutions that welcome outside inspection, keep your tools up to date, and practice good digital security basics.

Want more tech security insights like this? Subscribe to Security Now: https://twit.tv/shows/security-now/episodes/1066

*Bitwarden is a sponsor of the TWiT network.
