Researchers Uncover 27 Security Flaws in Popular Password Managers, Millions at Risk
February 17, 2026
A collaborative study from ETH Zurich and USI found 27 vulnerabilities across four popular password managers, signaling potential risks to user credential security.
Vault encryption flaws were observed, including cases where vault contents aren’t encrypted as a single block and where related information remains unencrypted, affecting LastPass, Bitwarden, and Dashlane.
The affected managers are Bitwarden, LastPass, Dashlane, and 1Password. Dozens of specific attacks were reported, and more than 60 million users and about 125,000 businesses are exposed.
Vulnerabilities span four categories: key escrow, vault encryption, sharing features, and backwards compatibility.
Researchers note that remediation is underway and several flaws have already been patched, but the findings suggest password managers may be less secure than previously believed.
Key escrow flaws could let attackers manipulate account recovery and access encryption keys with partial authentication, potentially compromising vault access for Bitwarden and LastPass.
The work from ETH Zurich and USI underscores the ongoing need for secure design in password managers and prompt patching of discovered flaws.
