www.securityweek.com 2/17/2026, 9:45:13 AM

Password Managers Vulnerable to Vault Compromise Under Malicious Server

A team of security researchers from ETH Zurich analysed popular cloud-based password managers, including Bitwarden, Dashlane, LastPass and 1Password, under the assumption that the servers storing user vaults could be fully malicious. They demonstrated that vault compromises were possible for each tested product, including full vault compromise for Bitwarden and LastPass, and shared vault compromise for Dashlane, with attackers able to view and even modify stored credentials in many cases.

1Password was also shown to permit full compromise of vault confidentiality and integrity, enabling access to passwords and other data and the addition of items to the vault. Vendors have responded by rolling out patches and mitigations, with Dashlane noting that some findings require specific circumstances and a significant window of time, and 1Password emphasising ongoing security enhancements such as Secure Remote Password authentication and new enterprise credentials capabilities.

According to Dashlane, the research highlights a structural dependency on the authenticity of the public key directory in server-mediated end-to-end encrypted systems when items are shared. The study underscores the difficulty of fully mitigating server-side risks even as vendors reiterate commitments to strengthening security architecture.

17 February 2026.

Article by CyberSIXT