Password managers less secure than promised

ETH study rattles Bitwarden, LastPass, Dashlane — “Go offline!” vs “Calm down”

TLDR: ETH Zurich says it found ways to view and even change passwords in three big cloud managers by simulating a hacked server. Commenters split: offline diehards gloat, pragmatists say nothing online is truly safe, and skeptics want details before panic — all while millions rely on these tools daily.

The “unbreakable” password vault myth just took a hit — and the internet is loud about it. Researchers at ETH Zurich say they poked holes in three big cloud password managers — Bitwarden, LastPass, and Dashlane — by simulating a hacked company server and, in many cases, viewing and even changing stored passwords. That’s a serious wobble for the glossy promise of “zero‑knowledge” encryption (meaning even the provider allegedly can’t see your stuff). Cue the comments section turning into a full‑blown family feud.

The offline crowd is victory‑lapping: one user crowned, “Offline vault > online vault,” with the KeePass faithful waving their USB sticks like championship rings. The DIY brigade flexed even harder: “I use an encrypted text file and Emacs,” basically the security version of, “I churn my own butter.” Then came the cynics: “Eventually, everything is less secure than promised,” translating to: if it touches the internet, it gets spicy. Meanwhile, the skeptics pumped the brakes: “We’ll see when the attacks are public,” warning against panic until we get full technical receipts. And yes, the inevitable question hit fast: what about 1Password? No word yet — but the pitchforks are polished.

Bottom line: millions trust these tools, and an ETH team claims a dozen‑plus ways to mess with them under a hacked‑server scenario. The vibe? Equal parts told‑you‑so, doomer cool, and wait‑for‑the‑paper — with memes sharpening every side.

Key Points

  • ETH Zurich researchers found vulnerabilities in Bitwarden, LastPass, and Dashlane enabling password viewing and modification.
  • The study used a malicious server threat model, simulating compromised provider servers interacting with clients.
  • They demonstrated 12 attacks on Bitwarden, 7 on LastPass, and 6 on Dashlane.
  • Attacks ranged from targeted vault integrity violations to full organizational vault compromise, triggered by routine user actions.
  • Findings challenge providers’ “zero-knowledge encryption” assurances; researchers note limited scrutiny of commercial end-to-end encryption.

Hottest takes

"Offline vault > online vault." — baal80spam
"Eventually, everything is proven to be less secure than promised, especially once they are online." — doubled112
"We will see when the attacks are public." — Sytten

Made with <3 by @siedrix and @shesho from CDMX. Powered by Forge&Hive.