thehackernews.com 2/16/2026, 7:10:22 PM

Study Uncovers 25 Password Recovery Attacks in Major Cloud Password Managers

Primary Source ethz.ch

A new study has found that multiple cloud-based password managers, including Bitwarden, Dashlane, and LastPass, are vulnerable to password recovery attacks under certain conditions, with 25 attacks identified in total. According to ETH Zurich and Università della Svizzera italiana, the researchers counted 12 distinct attacks against Bitwarden, seven against LastPass, and six against Dashlane, ranging from integrity violations to full vault compromise for organisations.

The study notes that 1Password is also vulnerable to attacks on both item-level vault encryption and sharing, though the vendor says these issues reflect known architectural limitations. Collectively, these password managers serve over 60 million users and nearly 125,000 businesses, underscoring the potential impact across a wide user base.

The researchers warned that the attacks exploit design anti-patterns and cryptographic misconceptions, and they emphasised ongoing mitigations by the vendors, including strengthening integrity guarantees and hardening admin password reset and sharing workflows.


Article by CyberSIXT