Researchers find ‘a cornucopia of practical attacks’ on major password managers

15:46 1 min read Source: Pcgamer (content & image)

A team of security researchers from ETH Zurich and Universita della Svizzera Italiana examined several cloud-based password managers, including LastPass, Bitwarden and Dashlane, and found that the "zero-knowledge" guarantee these services advertise, the promise that the vault is encrypted on the client with keys the provider never holds, does not hold up in practice. The paper describes "a cornucopia of practical attacks" and warns that many of them allow recovery of the very passwords these services are meant to protect.

The researchers detail how key material generated during actions such as inviting a new member to a shared vault or resetting a forgotten access code is sent to a member's client, bundled, encrypted locally, and returned to the server. In some implementations the resulting ciphertext carries no integrity check, that is, no authentication tag that would let the client detect a modified or substituted blob. An attacker in a position to tamper with that ciphertext could swap one key for another and use that to decode the ciphertext, extract a shared vault key, or carry out account recovery against a targeted member.
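The property this class of attack relies on can be shown in a few dozen lines. The following is an added illustration, not code from the paper or from any of the products named above, and the paper's concrete attacks differ in their details. It uses a toy unauthenticated cipher built from an HMAC-SHA256 keystream (standing in for AES-CTR or AES-CBC without a MAC) so that it runs on the Python standard library alone; the names Alice, vault-A, vault-B and the KEK are hypothetical. Part 1 wraps a vault key without integrity protection, part 2 shows how someone who knows the plaintext of one wrapped blob (a vault they legitimately belong to) can forge a blob that unwraps to a key of their choosing, and part 3 shows the same forgery and a cross-vault replay being rejected once the ciphertext is authenticated and bound to its context.

```python
"""Why wrapped key material needs integrity protection.

Added illustration, not code from the paper or from any password manager.
Toy cipher: HMAC-SHA256 keystream, standing in for AES-CTR/CBC without a MAC.
All names (Alice, vault-A, vault-B, the KEK) are hypothetical.
"""
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Deterministic keystream: HMAC(key, nonce || counter), block by block."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# --- 1. The weak pattern: encrypt a vault key under a KEK with no integrity check.
def wrap_unauth(kek: bytes, vault_key: bytes, nonce: bytes = b"") -> bytes:
    nonce = nonce or os.urandom(NONCE_LEN)
    return nonce + _xor(vault_key, _keystream(kek, nonce, len(vault_key)))


def unwrap_unauth(kek: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return _xor(ct, _keystream(kek, nonce, len(ct)))


# --- 2. The key swap: whoever knows the plaintext of ONE blob (the key of a vault
#        they are legitimately a member of) recovers the keystream and can forge a
#        blob that unwraps to any key they choose.  The KEK is never needed.
def forge_wrapped_key(known_blob: bytes, known_vault_key: bytes, attacker_key: bytes) -> bytes:
    nonce, ct = known_blob[:NONCE_LEN], known_blob[NONCE_LEN:]
    keystream = _xor(ct, known_vault_key)
    return nonce + _xor(attacker_key, keystream)


# --- 3. The fix: authenticate the ciphertext AND bind it to its context (which
#        vault, which recipient), the job of an AEAD's associated data.
def _subkeys(kek: bytes):
    return (hmac.new(kek, b"enc", hashlib.sha256).digest(),
            hmac.new(kek, b"mac", hashlib.sha256).digest())


def wrap_auth(kek: bytes, vault_key: bytes, context: bytes, nonce: bytes = b"") -> bytes:
    enc_key, mac_key = _subkeys(kek)
    nonce = nonce or os.urandom(NONCE_LEN)
    ct = _xor(vault_key, _keystream(enc_key, nonce, len(vault_key)))
    tag = hmac.new(mac_key, context + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap_auth(kek: bytes, blob: bytes, context: bytes):
    """Returns the vault key, or None if the blob was modified or belongs to another context."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    enc_key, mac_key = _subkeys(kek)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, context + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time compare, check before decrypting
        return None
    return _xor(ct, _keystream(enc_key, nonce, len(ct)))


def demo() -> dict:
    """Runs the scenario with fresh random keys and reports what the client accepted."""
    kek = os.urandom(32)            # Alice's key-encryption key (derived from her master password)
    key_b = os.urandom(32)          # key of vault B, which the attacker is also a member of
    attacker_key = os.urandom(32)   # key the attacker wants Alice to use for vault A
    ctx_a, ctx_b = b"vault-A|alice", b"vault-B|alice"

    # Alice's client wraps vault B's key and hands the blob to the server.
    blob_b = wrap_unauth(kek, key_b)
    forged = forge_wrapped_key(blob_b, key_b, attacker_key)
    # Whoever can replace the stored blob serves 'forged' as vault A's blob.  Alice's
    # client unwraps it and gets attacker_key, so everything she then adds to vault A
    # is readable by the attacker.
    unauth_accepted = unwrap_unauth(kek, forged) == attacker_key

    # Same scenario with context-bound authenticated wrapping: the keystream trick
    # still rewrites the ciphertext, but no valid tag can be produced for it.
    blob_b2 = wrap_auth(kek, key_b, ctx_b)
    forged2 = forge_wrapped_key(blob_b2[:-TAG_LEN], key_b, attacker_key) + blob_b2[-TAG_LEN:]
    return {
        "unauth_forgery_accepted": unauth_accepted,                               # True
        "auth_forgery_rejected": unwrap_auth(kek, forged2, ctx_a) is None,        # True
        "auth_context_swap_rejected": unwrap_auth(kek, blob_b2, ctx_a) is None,   # True: genuine blob, wrong vault
        "auth_honest_ok": unwrap_auth(kek, blob_b2, ctx_b) == key_b,              # True
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point of part 3 is not the particular MAC but the two checks a client must perform before trusting wrapped key material: that the blob is unmodified, and that it was produced for this vault and this recipient rather than replayed from elsewhere. A real implementation would use an AEAD such as AES-GCM or XChaCha20-Poly1305 with the vault and member identifiers as associated data, which gives both checks in one verified decrypt.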
