Recent research has unveiled significant security vulnerabilities in popular cloud-based password managers such as Bitwarden, Dashlane, and LastPass. The study, conducted by experts from ETH Zurich and Università della Svizzera italiana, highlights potential password recovery attacks that could compromise user data under certain conditions.
Understanding Zero-Knowledge Encryption
The study focuses on analyzing the zero-knowledge encryption (ZKE) protocols employed by these password managers. ZKE allows a user to prove knowledge of a secret without revealing the secret itself, differentiating it from end-to-end encryption, which secures data during transmission. Password managers use ZKE to protect user data, ensuring that only the key holder can access the information.
Identified Vulnerabilities and Impact
The researchers identified 12 attacks on Bitwarden, seven on LastPass, and six on Dashlane. These attacks exploit vulnerabilities ranging from integrity violations to complete vault compromises. Despite the efforts of vendors to secure their systems, the research uncovered cryptographic design flaws and misconceptions leading to these vulnerabilities.
Four main categories of attacks were highlighted: exploiting key escrow mechanisms, item-level encryption flaws, sharing feature vulnerabilities, and backward compatibility issues. These vulnerabilities could potentially affect over 60 million users and nearly 125,000 businesses relying on these password management services.
Responses and Mitigation Efforts
1Password, another major player, acknowledged some vulnerabilities related to item-level encryption and sharing features but stated these were expected due to known architectural limitations. The company is focused on strengthening its security architecture and has implemented measures like Secure Remote Password (SRP) authentication to enhance protection.
Meanwhile, Bitwarden, Dashlane, and LastPass are taking active steps to address the identified risks. LastPass is working to improve its admin password reset and sharing workflows, while Dashlane has patched an issue to prevent encryption model downgrades. Bitwarden is addressing the majority of issues, with some accepted as necessary design choices for product functionality.
Overall, these findings underscore the need for continuous improvement in security protocols among password managers to safeguard user data effectively.
