Password manager extensions reviewed: what ETH Zurich's 25-attack study means for your vault
ETH Zurich researchers broke zero-knowledge promises in Bitwarden, LastPass, and Dashlane with 25 attacks. Here's which password manager held up best.
Your password manager extension promises that nobody — not even their own servers — can read your passwords. That's the whole "zero-knowledge encryption" pitch, and it's the main reason you trust these extensions with every credential you own.
A research team from ETH Zurich just proved that promise wrong for three out of four major password managers. They found 25 successful attack scenarios across Bitwarden, LastPass, and Dashlane — and the findings affect roughly 60 million users.
I went through the full paper so you don't have to. Here's what actually matters.
See also: Bitwarden vs 1Password extension review — a complementary look at polymorphic UI spoofing attacks that target the browser extension itself, not the server-side crypto.
The quick verdict
- Bitwarden: 12 attacks found, 7 leading to direct password disclosure. Worst performer in the study.
- LastPass: 7 attacks found, 3 enabling password disclosure. Full vault compromise achieved.
- Dashlane: 6 attacks found, but only 1 password disclosure. Best of the three vulnerable managers.
- 1Password: Only 2 viable attacks identified. Its secret key architecture held up.
If you want the one-line answer: 1Password's design survived this study. If you're on Bitwarden or LastPass, keep reading — there are specific things you should do right now.
What the researchers actually tested
The paper — Zero Knowledge (About) Encryption: A Comparative Security Analysis of Three Cloud-based Password Managers — was accepted at USENIX Security 2026, one of the top academic security venues. The team from ETH Zurich and Università della Svizzera italiana tested a specific scenario: what happens when an attacker compromises the password manager's server?
Before you dismiss that as unlikely — LastPass's servers were breached in 2022, and encrypted vault data was actually stolen. This is a real threat model, not an academic exercise.
According to lead researcher Matilda Backendal: "The promise is that even if someone accesses the server, data remains encrypted and unreadable. We've shown this isn't true."
The attacks broke down into four categories: recovery feature abuse (key escrow), vault encryption integrity violations, unauthenticated public keys in sharing features, and downgrade attacks exploiting legacy encryption support.
Here's what made my stomach drop: most attacks required nothing unusual from users. Just logging in, opening your vault, viewing a password, or syncing data. You do all of that every day without a second thought.
Bitwarden: 12 attacks, most exposed
Bitwarden took the hardest hit. The ETH Zurich researchers found 12 successful attack scenarios, and 7 of those led to direct password disclosure — meaning an attacker who controlled the server could read your actual passwords in plaintext.
The core weaknesses included vault encryption integrity issues and flawed key recovery handling. The researchers demonstrated full vault compromise.
Following the 90-day responsible disclosure process, Bitwarden resolved 7 of the identified issues, according to the study. That responsiveness is genuinely positive — and the fact that Bitwarden is open-source means the community can verify these fixes. But shipping a "zero-knowledge" product for years with these flaws is a hard pill to swallow.
If you're a Bitwarden user: update your extension immediately and verify your account uses the latest encryption scheme. You can also check what permissions the Bitwarden extension requests on the Extenshi catalog.
LastPass: 7 attacks, a familiar pattern
LastPass had 7 attack scenarios, with 3 enabling password disclosure. Like Bitwarden, full vault compromise was achievable for a server-side attacker.
The researchers identified backwards-compatibility problems — LastPass maintained support for older, weaker encryption to avoid breaking existing users' vaults. This created downgrade attack vectors where a malicious server could push your vault back to a weaker encryption format.
Given LastPass's history, this is concerning. If your encrypted vault data was part of the 2022 breach and you didn't change your master password and re-encrypt everything, these findings raise the stakes. According to The Register's coverage, LastPass implemented hardening measures in response to the ETH Zurich disclosure.
My honest take: if you've been on LastPass since before 2023, I'd export your vault and consider moving. The combination of a known breach plus architectural weaknesses documented in a peer-reviewed study is not a combination I'd be comfortable with.
Dashlane: 6 attacks, better foundations
Dashlane performed the best among the three vulnerable managers. The study found 6 attacks but only 1 led to password disclosure. The researchers achieved shared vault compromise but couldn't easily crack individual vaults the way they could with Bitwarden or LastPass.
Dashlane's architecture made several attack categories harder to execute. In response to the disclosure, Dashlane removed legacy cryptographic support entirely — which is exactly the right call, even if it means some older clients need forced updates.
Six attacks against a "zero-knowledge" product is still six too many. But Dashlane's faster, more decisive response gives me more confidence in their security engineering culture.
1Password: the architecture that actually worked
Here's the standout. The researchers analyzed 1Password separately and found only 2 viable attack scenarios — dramatically fewer than the competition.
The difference? 1Password requires a "secret key" — a high-entropy random value generated on your device and combined with your master password. Even if an attacker fully controls the server AND knows your master password, they still can't decrypt your vault without that device-bound secret key.
As Professor Kenneth Paterson from ETH Zurich noted: "Since end-to-end encryption is still relatively new in commercial services, it seems that no one had ever examined it in detail before."
The secret key creates real friction — you need to store it safely somewhere for account recovery. But this study shows that friction translates directly into genuine security. Architecture decisions matter more than marketing labels.
What you should do now
Here's my breakdown based on the ETH Zurich findings:
Choosing a password manager today? 1Password has the strongest architectural foundation according to this study. Its secret key design directly addresses the threat model that broke the other three.
Already on Bitwarden? Update immediately. Bitwarden patched 7 issues and their open-source transparency is a real advantage. It's still strong at its price point — just make sure you're on the latest encryption scheme.
Already on LastPass? Seriously consider migrating. A past server breach plus peer-reviewed architectural weaknesses is a combination that warrants switching. If you stay, verify that legacy encryption formats are fully disabled on your account.
Already on Dashlane? Update and confirm legacy crypto removal is active. Dashlane showed the strongest design among the affected managers and responded decisively.
Regardless of which you use:
- Enable multi-factor authentication on your password manager account
- Use a strong, unique master password (this was true before and is even more true now)
- Keep the extension updated — all vendors have released patches for these specific vulnerabilities
- Review your password manager's permissions on the Extenshi catalog — even security-focused extensions deserve scrutiny
The bigger picture
This study confirms something I keep circling back to: the extensions you trust the most deserve the closest look. Password manager extensions have access to every form field on every page you visit. They're the highest-privilege extensions in your browser, and they handle your most sensitive data.
"Zero-knowledge encryption" sounds reassuring in a marketing page. But the ETH Zurich team showed that what matters is the actual cryptographic architecture — recovery features, backwards compatibility, key management. One extra design element (1Password's secret key) made the difference between 12 attacks and 2.
The vendors responded to responsible disclosure, and that's how the system should work. But as users, we shouldn't have needed a USENIX paper to learn that "zero-knowledge" didn't mean what we thought it meant.
Want to see the full permission breakdown for your password manager extension? See security report →
This article is based on publicly available security research and news reporting. Extenshi does not independently verify all claims made by third-party researchers. References to specific companies or products reflect the findings of cited sources and do not constitute accusations of intentional wrongdoing. If you believe any information is inaccurate, please contact us at [email protected].
Related Articles
Password manager extensions reviewed: Bitwarden vs 1Password security score, spoofing risks & alternatives
Bitwarden and 1Password extension security review 2026: permissions, privacy scores, and SquareX's polymorphic spoofing attack that Chrome can't patch.
Man-in-the-prompt attacks: how to stop browser extensions from hijacking your AI conversations
Any browser extension can silently inject commands into ChatGPT, Gemini, and Claude. Here's how man-in-the-prompt attacks work and how to stay safe.
300+ malicious Chrome extensions with 37 million downloads: how to check if you're affected
Security researchers exposed 300+ malicious Chrome extensions with 37.4M downloads stealing data, credentials, and emails. Here's how to protect yourself.