Over the past 15 years, password managers have evolved from niche security tools used by tech experts to indispensable tools for the masses. It is estimated that in the United States, about 94 million adults, or 36% of the population, have adopted them. These tools not only store passwords for retirement, financial, and email accounts but also cryptocurrency credentials, payment card numbers, and other sensitive data. All eight major password managers have adopted the term "zero knowledge" to describe the complex encryption system they use to protect the data vaults that users store on their servers. Definitions vary slightly from vendor to vendor, but they generally boil down to a bold assurance that there is no way for malicious insiders or hackers who manage to compromise the cloud infrastructure to steal the vaults or the data stored within them.
A Bold Promise Debunked
Typical of these claims are those made by Bitwarden, Dashlane, and LastPass, used together by about 60 million people. Bitwarden, for example, states that "not even the Bitwarden team can read your data (even if we wanted to)." Dashlane, meanwhile, states that without a user's master password, "malicious actors cannot steal information, even if Dashlane's servers are compromised." LastPass states that no one can access the "data stored in your LastPass vault, except you (not even LastPass)." New research shows that these claims are not true in all cases, particularly when account recovery is in progress or when password managers are set up to share vaults or organize users into groups. Researchers reverse-engineered or closely analyzed Bitwarden, Dashlane, and LastPass and identified ways in which someone with control of the server, either administratively or following a compromise, can, in fact, steal data and, in some cases, entire vaults. The researchers also devised other attacks that can weaken the encryption to the point where ciphertext can be converted to plaintext.
"The vulnerabilities we describe are numerous but mostly not deep in a technical sense," wrote the researchers from ETH Zurich and USI Lugano. "Yet, apparently, they have not been found before, despite more than a decade of academic research on password managers and the existence of multiple audits of the three products we studied. This motivates further work, both in theory and in practice." The researchers said in interviews that many other password managers they did not analyze as closely likely suffer from the same flaws. The only one they could name was 1Password. Almost all password managers, they added, are vulnerable to attacks only when certain features are enabled.
The most severe attack, targeting Bitwarden and LastPass, allows an insider or attacker to read or write the contents of entire vaults. In some cases, they exploit weaknesses in key escrow mechanisms that allow users to regain access to their accounts when they lose their master password. Others exploit weaknesses in support for legacy versions of the password manager. A vault theft attack against Dashlane allowed reading but not modifying vault items when they were shared with other users.
Specific Attacks and Vulnerabilities
An attack targeting Bitwarden's key escrow is carried out during the enrollment of a new family or organization member. Another attack on Bitwarden occurs when a user rotates vault keys, an option Bitwarden recommends if a user believes their master password has been compromised. A third attack on Bitwarden account recovery allows an adversary to recover a user's master key. It exploits the key connector, a feature used primarily by business customers.
The attack that allows theft of LastPass vaults also targets key escrow, specifically in Teams and Teams 5 versions, when a member's master key is reset by a privileged user known as a superadmin. Several attacks allow reading and modifying shared vaults. When Dashlane users share an item, their client apps sample a new symmetric key. An adversary can provide their own key pair and use the public key to encrypt the ciphertext sent to recipients. The adversary then decrypts that ciphertext with their corresponding secret key to retrieve the shared symmetric key. With that, the adversary can read and modify all shared items. When sharing is used in Bitwarden or LastPass, similar attacks are possible leading to the same consequence. Another avenue for attackers or adversaries with control of a server is to target backward compatibility that all three password managers provide to support less secure versions. Despite incremental changes designed to protect the apps from the very attacks described in the paper, all three password managers continue to support versions without these improvements. This backward compatibility is a deliberate decision intended to prevent users who have not updated from losing access to their vaults.
Sponsored Protocol