Overview
- A peer‑reviewed paper from ETH Zurich and USI published February 16 analyzes Bitwarden, LastPass, Dashlane and 1Password under a malicious‑server threat model.
- The team demonstrated 27 successful scenarios, some enabling full vault compromise or credential tampering, with the largest number of cases affecting Bitwarden.
- Identified weaknesses include unauthenticated public keys and metadata, flawed item‑level encryption, risky account‑recovery and key‑escrow designs, and downgrade paths tied to legacy cryptography.
- Vendors were notified through coordinated disclosure; Dashlane removed legacy cryptography and patched a high‑impact downgrade issue, and Bitwarden and LastPass report active hardening and remediation plans.
- 1Password highlights its high‑entropy secret key and SRP authentication as mitigating factors, and both researchers and vendors say there is no evidence of real‑world exploitation so far.
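The two weakness categories named in the list above, unauthenticated metadata and cryptographic downgrade, share one defensive answer: the client must bind the parameters it receives from the server to a key the server never holds, and must enforce a policy floor independently of what the server returns. The block below is an added illustration written for this page, not code from the paper or from any of the four products; the record layout, field names, KDF policy floor and fingerprint strings are constructed assumptions.

```python
"""Constructed example: a vault client checking server-supplied metadata.

Threat model as in the paper summary above: the server is malicious and may
rewrite any record it stores. The client holds a master key the server never
sees, so an HMAC under a key derived from it detects server tampering.
"""
import hashlib
import hmac
import json

# Constructed sample values (assumptions, not taken from any real product).
MASTER_KEY = hashlib.sha256(b"constructed-demo-master-key").digest()
MIN_PBKDF2_ITERATIONS = 600_000          # assumed policy floor
ALLOWED_KDFS = {"pbkdf2-sha256", "argon2id"}


def derive_auth_key(master_key: bytes) -> bytes:
    """Purpose-separated MAC key so metadata tags cannot be confused with other uses of the master key."""
    return hmac.new(master_key, b"vault-metadata-auth-v1", hashlib.sha256).digest()


def canonical(meta: dict) -> bytes:
    """Deterministic serialization so tagging and verification see identical bytes."""
    return json.dumps(meta, sort_keys=True, separators=(",", ":")).encode()


def tag_metadata(master_key: bytes, meta: dict) -> str:
    return hmac.new(derive_auth_key(master_key), canonical(meta), hashlib.sha256).hexdigest()


def make_record(master_key: bytes, meta: dict) -> dict:
    """What the client uploads: metadata plus a tag the server cannot forge."""
    return {"meta": meta, "tag": tag_metadata(master_key, meta)}


def accept_record_unauthenticated(record: dict) -> tuple[bool, str]:
    """Weak pattern: trusts whatever KDF parameters and key fingerprints the server returns."""
    meta = record["meta"]
    if meta["kdf"] not in ALLOWED_KDFS:
        return False, "unsupported kdf"
    return True, "ok"


def accept_record_hardened(master_key: bytes, record: dict) -> tuple[bool, str]:
    """Hardened pattern: authenticate the metadata, then enforce the policy floor anyway."""
    meta = record["meta"]
    # 1. Any server-side edit to the metadata breaks the tag.
    if not hmac.compare_digest(tag_metadata(master_key, meta), record.get("tag", "")):
        return False, "metadata tag mismatch"
    # 2. Even a correctly tagged (e.g. old) record must meet current policy.
    if meta["kdf"] not in ALLOWED_KDFS:
        return False, "unsupported kdf"
    if meta["kdf"] == "pbkdf2-sha256" and meta["iterations"] < MIN_PBKDF2_ITERATIONS:
        return False, "kdf parameters below policy floor"
    return True, "ok"


def demo() -> dict:
    """Genuine record versus two server-side rewrites: a KDF downgrade and a swapped public-key fingerprint."""
    genuine_meta = {
        "kdf": "pbkdf2-sha256",
        "iterations": 600_000,
        "recipient_pubkey_fpr": "sha256:constructed-fingerprint",   # constructed value
    }
    record = make_record(MASTER_KEY, genuine_meta)
    # The server keeps the original tag but edits the fields it returns.
    downgraded = {"meta": dict(record["meta"], iterations=5_000), "tag": record["tag"]}
    swapped_key = {"meta": dict(record["meta"], recipient_pubkey_fpr="sha256:other-fingerprint"),
                   "tag": record["tag"]}
    return {
        "genuine": accept_record_hardened(MASTER_KEY, record),
        "downgrade_unauthenticated": accept_record_unauthenticated(downgraded),
        "downgrade_hardened": accept_record_hardened(MASTER_KEY, downgraded),
        "swapped_key_hardened": accept_record_hardened(MASTER_KEY, swapped_key),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The unauthenticated checker accepts the downgraded record because nothing ties the iteration count to the user; the hardened checker rejects both rewrites on the tag alone, and the separate policy floor also rejects a record that was legitimately tagged with weak parameters in the past. What the example deliberately leaves out is the bootstrap case, where a fresh client has no tag yet to compare against; that first contact needs a source of trust other than the server.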