Recent academic work has revealed currently exploitable critical security flaws in three of the biggest password managers: Bitwarden, LastPass, and Dashlane. These platforms serve more than 60 million users and almost 125,000 businesses. The researchers show that these services remain susceptible to password recovery attacks if certain conditions hold. The study, conducted by Matteo Scarlata, Giovanni Torrisi, Matilda Backendal, and Kenneth G. Paterson, highlights a disturbing trend in cloud password management security.
The researchers identified a total of 25 distinct attacks: 12 targeting Bitwarden, 7 against LastPass, and 6 aimed at Dashlane. The attacks vary widely in scope: some undermine the integrity of an individual user’s vault, while others directly compromise every vault tied to an organization. This disclosure calls into question the state of security protections in these popular applications.
Attack Mechanisms and Vulnerabilities
These attacks mostly target the “Key Escrow” account recovery mechanism, which both Bitwarden and LastPass rely on, leaving both at risk. This design flaw undermines the confidentiality guarantees that users have come to rely on these services for. The researchers noted,
“Despite vendors’ attempts to achieve security in this setting, we uncover several common design anti-patterns and cryptographic misconceptions that resulted in vulnerabilities.” – Matteo Scarlata, Giovanni Torrisi, Matilda Backendal, and Kenneth G. Paterson
Of the vulnerabilities found, seven of the attacks against Bitwarden have been fixed or are in the process of being remediated. Bitwarden has stated,
“Seven of which have been resolved or are in active remediation by the Bitwarden team.”
Three other issues, by contrast, were accepted as intentional design decisions required for the product to perform its intended functionality.
Dashlane’s security issues arise in part from its continued support for legacy cryptographic methods, which left it at risk of downgrade attacks. The company took the issue seriously: in November 2025 it released Dashlane Extension version 6.2544.1, completely dropping support for legacy cryptographic methods. Dashlane stated that
“This downgrade could result in the compromise of a weak or easily guessable Master Password, and the compromise of individual ‘downgraded’ vault items.”
Organizational Response and Future Safeguards
In light of these findings, LastPass has committed to improving its admin password reset and sharing workflows. These improvements are intended to reduce the risk of a malicious intermediary exploiting these systemic flaws. The researchers emphasized that the severity of the attacks varies widely:
“The attacks range in severity from integrity violations to the complete compromise of all vaults in an organization.” – Matteo Scarlata, Giovanni Torrisi, Matilda Backendal, and Kenneth G. Paterson
Bitwarden has further committed to remediating all discovered issues as a priority. Jacob DePriest, a representative from Bitwarden, commented on the company’s commitment to strengthening its security measures:
“We are committed to continually strengthening our security architecture and evaluating it against advanced threat models, including malicious-server scenarios like those described in the research, and evolving it over time to maintain the protections our users rely on.”
Comparisons with Other Password Managers
While Bitwarden, LastPass, and Dashlane are now contending with these weaknesses, 1Password’s security team thoroughly reviewed the arXiv research paper and concluded that it introduced no exploitable new attack vectors beyond what is already detailed in its published Security Design White Paper. This indicates that 1Password’s security practices protect it from these types of vulnerabilities. 1Password noted:
“For example, 1Password uses Secure Remote Password (SRP) to authenticate users without transmitting encryption keys to our servers, helping mitigate entire classes of server-side attacks.”
As more users turn to cloud-based password management solutions for enhanced security and convenience, the implications of this study are profound. Users of all services should remain vigilant about the security practices of the services they rely on and stay educated on those practices.