Are Password Managers Safe? New ETH Zurich Study Exposes Critical Security Flaws

For years, the golden rule of digital safety has been: use a password manager. These services promise "zero-knowledge encryption," meaning that even if the company's servers are breached, your passwords stay encrypted and unreadable to everyone, the company included.

However, a new study from researchers at ETH Zurich, a public research university in Switzerland, and the University of Italian Switzerland (USI) has thrown a wrench into that promise. They found that the "vaults" we use to store our digital lives are not as ironclad as advertised once the server itself turns hostile.

Here is a breakdown of what was found and what it means for you.

The Discovery: 27 Ways to Break In

Researchers tested four of the biggest names in the industry: Bitwarden, LastPass, Dashlane, and 1Password. They modelled a "malicious server," the scenario in which an attacker already controls the password manager's own infrastructure (through a breach, a rogue insider, or a compromised vendor), and found 27 different ways such a server could steal or manipulate user data.

The most striking part is that these attacks did not require guessing or cracking your master password. Instead, they exploited the everyday things you do, like:

  • Logging in to your account.
  • Syncing your data between your phone and laptop.
  • Sharing a password with a family member or coworker.

What Exactly is the “Vulnerability”?

To understand the flaw, think of your password manager like a high-tech safe in a bank.

  • The Promise: The bank (the cloud service) says it does not have the key to your safe. If a robber breaks into the bank, your safe stays locked.
  • The Reality: The researchers found that while the bank does not have your key, it does control the room the safe is in. The server decides what your client sees during login, sync, recovery and sharing: which data it downloads, which settings it applies, and which key it believes belongs to the colleague you are sharing with. By "tampering with the room," an attacker who controls the server can trick your client into handing over the key, or into encrypting the contents of the safe to the wrong person, the next time you use it.
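The sharing case is the easiest to see in code. The toy below is an added illustration, not code from the study or from any of the four products, and the page does not say which of the 27 attacks work this way; it shows the general pattern in which a client asks the server "what is Bob's public key?" and encrypts to whatever comes back. The cryptography is deliberately simplified (Diffie-Hellman over the Mersenne prime 2^127 - 1 and SHA-256 used as a key-stream generator; a real product uses RSA or ECDH plus an AEAD), and all names, keys and the shared secret are constructed for the example. The trust decision is the point: a malicious server substitutes its own key, the trusting client hands over the item, and the pinned client refuses.

```python
"""Toy model of sharing a vault item through a server that may be hostile.

Added illustration; not code from the ETH Zurich/USI study or from any
password manager. The primitives are toy-sized on purpose; what is
realistic is the trust decision: who told the client which public key
belongs to the recipient?
"""
import hashlib
import secrets

P = (1 << 127) - 1  # Mersenne prime M127: toy size, illustration only
G = 2


def keypair():
    """Return (private, public) for toy Diffie-Hellman."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def shared_key(priv, peer_pub):
    """Derive a 32-byte symmetric key from the DH shared secret."""
    s = pow(peer_pub, priv, P)
    return hashlib.sha256(s.to_bytes(16, "big")).digest()


def fingerprint(pub):
    """Short hash of a public key, suitable for out-of-band comparison."""
    return hashlib.sha256(pub.to_bytes(16, "big")).hexdigest()[:16]


def stream_xor(key, nonce, data):
    """Toy stream cipher: XOR with SHA-256(key || nonce || counter) blocks."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def seal(sender_priv, recipient_pub, plaintext):
    """Encrypt an item to whoever holds the private half of recipient_pub."""
    nonce = secrets.token_bytes(8)
    return nonce + stream_xor(shared_key(sender_priv, recipient_pub), nonce, plaintext)


def open_item(recipient_priv, sender_pub, blob):
    """Decrypt a sealed item; wrong keys simply yield garbage."""
    nonce, ct = blob[:8], blob[8:]
    return stream_xor(shared_key(recipient_priv, sender_pub), nonce, ct)


class Directory:
    """Honest server: answers key lookups with the key each user registered."""
    def __init__(self, keys):
        self.keys = dict(keys)

    def lookup(self, user):
        return self.keys[user]


class MaliciousDirectory(Directory):
    """Compromised server: answers every lookup with the attacker's key."""
    def __init__(self, keys, attacker_pub):
        super().__init__(keys)
        self.attacker_pub = attacker_pub

    def lookup(self, user):
        return self.attacker_pub


def share_trusting(server, sender_priv, recipient, item):
    """Client that encrypts to whatever public key the server returns."""
    return seal(sender_priv, server.lookup(recipient), item)


def share_pinned(server, sender_priv, recipient, expected_fp, item):
    """Client that refuses unless the key matches a fingerprint learned out
    of band (compared in person or over another channel), which the server
    cannot forge because it never chose that value."""
    pub = server.lookup(recipient)
    if fingerprint(pub) != expected_fp:
        raise ValueError(f"key for {recipient} does not match pinned fingerprint")
    return seal(sender_priv, pub, item)


if __name__ == "__main__":
    alice_priv, alice_pub = keypair()
    bob_priv, bob_pub = keypair()
    mallory_priv, mallory_pub = keypair()
    registered = {"alice": alice_pub, "bob": bob_pub}  # constructed sample users
    secret = b"db-admin: hunter2"                      # constructed sample item
    evil = MaliciousDirectory(registered, mallory_pub)

    blob = share_trusting(evil, alice_priv, "bob", secret)
    print("attacker reads item:", open_item(mallory_priv, alice_pub, blob) == secret)  # True
    print("bob reads item:     ", open_item(bob_priv, alice_pub, blob) == secret)      # False
    try:
        share_pinned(evil, alice_priv, "bob", fingerprint(bob_pub), secret)
    except ValueError as err:
        print("pinned client refused:", err)
```

The hardened client is not clever cryptography; it is a second source of truth that the server does not control. That is the same idea behind a secret that never leaves your devices: whatever the server says, the client has something to check it against.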

How Each Service Fared

  • Bitwarden: Had the most attack scenarios (12), including "total vault compromise" in some cases. Bitwarden has already patched many of these and stated that others were "intentional design decisions" for certain features.
  • LastPass: Had 7 scenarios. Researchers found issues in how it handles account recovery and sharing. LastPass says it is working on strengthening these "integrity guarantees."
  • Dashlane: Had 6 scenarios. One major issue involved legacy code, older parts of the app that were less secure but kept around for compatibility. Dashlane has since removed that code.
  • 1Password: Also analyzed, but found to be more resilient because of its Secret Key, an extra 34-character value that is generated on your device and never sent to the server, so a malicious server has nothing to tamper with there. It still had vulnerabilities in how passwords are shared between users.

Should You Stop Using Password Managers?

In short: No.

The researchers, like essentially every security professional, still recommend using a password manager. Even with these flaws, a manager is far safer than reusing the same weak password across 50 different websites.

The researchers noted that these attacks are “sophisticated” and require a hacker to first take over the password manager’s entire infrastructure, which is much harder than guessing a simple password like “123456.”

What You Should Do Now

  1. Update Your Apps: The companies were notified 90 days before this report went public. Most have already released patches. Make sure your password manager app and browser extensions are up to date.
  2. Enable Two-Factor Authentication (2FA): Use a physical security key (like a YubiKey) or an authenticator app for your password manager. This protects your account if someone learns your master password. Be clear about what it does not do: in the study's threat model the server is the attacker, and the server is also the party that checks your second factor, so 2FA on its own does not stop a malicious server. It is still worth turning on.
  3. Review Shared Items: If you share folders with others, be mindful that “sharing” is where many of these security gaps were found. Only share what is absolutely necessary.
  4. Stay Calm: This research is a wake-up call for the industry to move from zero-knowledge as a marketing claim to zero-knowledge as a property that is precisely specified and verified, including when the server is hostile. For now, the average user is still better off with a manager than without one.
