Password managers are widely promoted as a safe place to store credentials, but research published for Malwarebytes on 23 February 2026 shows that zero‑knowledge cloud password managers may be more vulnerable than their marketing suggests. The researchers examined vendors including LastPass, Bitwarden and Dashlane and devised several attack scenarios under which stored passwords could be recovered, though they stress there is no cause for immediate panic.
The core issue is that many password managers are cloud‑based, which expands the attack surface: under certain design weaknesses, a server that has been compromised can influence what the client device does and how the user is authenticated. The specific weaknesses identified are group sharing of recovery keys and policy blobs, the risk that automatic or manual recovery settings can be silently changed on a compromised server, and weaker protection of the vault if an attacker in control of the server can lower the PBKDF2 iteration count the client uses to derive its keys.
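The two server-side weaknesses most open to a client-side defence are the KDF downgrade and the silently edited policy blob. The following is an added example, not code from the researchers or from any of the vendors named above: it shows a naive client that derives its key with whatever PBKDF2 iteration count the server sends, beside a client that pins a floor and ratchets the count upward only, and it goes slightly beyond the paragraph by also authenticating the policy blob under a subkey the server never holds, so a flipped recovery setting is detected. The salt choice, the 600,000 floor, the on-device pin and the HMAC-based sealing scheme are all assumptions made for the illustration.

```python
import hashlib
import hmac
import json

# Constructed sample data (not from the article): one user's master password
# and the KDF parameters the client chose when the account was created.
MASTER_PASSWORD = b"correct horse battery staple"
SALT = b"user@example.com"      # assumption: account e-mail used as the PBKDF2 salt
ORIGINAL_ITERATIONS = 600_000   # assumption: count set at account creation
KDF_FLOOR = 600_000             # hypothetical hard-coded client minimum


def derive_key(password: bytes, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 with a 32-byte output (the KDF the article names)."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=32)


def naive_client_login(server_params: dict) -> bytes:
    """Vulnerable client: derives its key with whatever iteration count the
    server sends, so a compromised server can ask for 1 iteration and then
    crack the resulting value offline at almost no cost."""
    return derive_key(MASTER_PASSWORD, SALT, server_params["iterations"])


class PinnedClient:
    """Hardened client: refuses any count below a hard floor and below the
    highest count it has already used for this account. The pin lives on the
    device, not on the server, so the server cannot lower it."""

    def __init__(self, pinned_iterations: int):
        self.pinned = pinned_iterations

    def login(self, server_params: dict) -> bytes:
        n = server_params["iterations"]
        if n < KDF_FLOOR:
            raise ValueError(f"KDF downgrade refused: {n} < floor {KDF_FLOOR}")
        if n < self.pinned:
            raise ValueError(f"KDF downgrade refused: {n} < pinned {self.pinned}")
        self.pinned = n  # ratchet upward only
        return derive_key(MASTER_PASSWORD, SALT, n)


def offline_guess_work(iterations: int, guesses: int) -> int:
    """Attacker work for an offline dictionary attack, counted in PBKDF2
    iterations (one HMAC each): linear in the count the client was made to use."""
    return iterations * guesses


# --- policy blobs: authenticate them under a key the server never holds ---

def policy_mac_key(vault_key: bytes) -> bytes:
    """Derive a separate MAC subkey from the vault key (simple HMAC-based
    domain separation; an assumption, not any vendor's scheme)."""
    return hmac.new(vault_key, b"policy-mac", hashlib.sha256).digest()


def seal_policy(policy: dict, vault_key: bytes) -> bytes:
    """Canonical JSON prefixed with a 32-byte HMAC-SHA256 tag."""
    payload = json.dumps(policy, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(policy_mac_key(vault_key), payload, hashlib.sha256).digest()
    return tag + payload


def open_policy(blob: bytes, vault_key: bytes) -> dict:
    """Verify the tag before trusting any field; a server that flips
    'auto_recovery' without the vault key cannot produce a valid tag."""
    tag, payload = blob[:32], blob[32:]
    expected = hmac.new(policy_mac_key(vault_key), payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("policy blob failed authentication: tampered or wrong key")
    return json.loads(payload)


def server_tampers(blob: bytes, field: str, value) -> bytes:
    """Simulate a compromised server editing the plaintext JSON in place."""
    policy = json.loads(blob[32:])
    policy[field] = value
    return blob[:32] + json.dumps(policy, sort_keys=True, separators=(",", ":")).encode()


if __name__ == "__main__":
    vault_key = derive_key(MASTER_PASSWORD, SALT, ORIGINAL_ITERATIONS)
    print("naive client accepted 1 iteration, key prefix:",
          naive_client_login({"iterations": 1}).hex()[:16])
    try:
        PinnedClient(ORIGINAL_ITERATIONS).login({"iterations": 1})
    except ValueError as e:
        print("pinned client:", e)
    print("attacker work, 600000 vs 1 iteration:",
          offline_guess_work(600_000, 1) // offline_guess_work(1, 1), "x")
    blob = seal_policy({"auto_recovery": False, "recovery_contacts": []}, vault_key)
    try:
        open_policy(server_tampers(blob, "auto_recovery", True), vault_key)
    except ValueError as e:
        print("policy:", e)
```

The pin only helps if it is stored where the server cannot reach it (device keychain, local config), and the policy tag only helps if the client checks it before acting on any field; a client that decrypts the vault first and reads the recovery setting from the server's copy gets no protection from either.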
To reduce the risk, the piece recommends enabling multi‑factor authentication for important accounts, noting that cloud password managers remain safer than password reuse but that their "zero‑knowledge" claims do not hold up against a sophisticated attacker who controls the server.