Password manager: ETH Zurich uncovers security gaps

Florian Bodoky
17.2.2026
Translation: machine translated

An analysis by ETH Zurich shows that cloud password managers such as Bitwarden and LastPass are in some respects more vulnerable than their marketing suggests.

Researchers at ETH Zurich have analysed several well-known password managers in detail and found significant vulnerabilities. The cloud-based services «Bitwarden», «LastPass» and «Dashlane» were tested. The result: the promised security does not hold up in every respect.

What exactly do password managers do?

Password managers store login credentials in what amounts to an encrypted digital vault. You log in with a master password and thereby gain access to all stored logins. Many services synchronise the data via the cloud so that it is available on your smartphone, laptop or tablet.

Zero-knowledge: a false promise?

The suppliers advertise the so-called zero-knowledge principle: only the users themselves should be able to decrypt their passwords, and the suppliers themselves are kept out of the loop. In theory, this sounds promising.

However, the ETH analysis shows that this does not always hold: in several tests, the researchers managed to circumvent protection mechanisms or derive sensitive information. To do this, they deliberately manipulated the communication between the program and the server, or simulated a compromised server.

In one case, the software accepted insecure encryption settings because the server adapted its responses accordingly. In other cases, additional information (so-called metadata) could be used to draw conclusions about stored content. The encryption itself remained intact, but the system as a whole had vulnerabilities that could be exploited. According to the research team, the affected companies were informed at an early stage; some suppliers had already made adjustments before the study was published.
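To make the first case concrete, here is an added illustration (not code from the ETH study, the ZK-AE-Tester tool or any of the named products) of a client that takes its key-derivation parameters from the server: the vulnerable variant accepts whatever the server sends, the hardened variant enforces a local floor and pins the parameters it saw at first login. The parameter names, the choice of PBKDF2-HMAC-SHA256 and the iteration floor are assumptions made for this example.

```python
import hashlib

# Constructed, simplified model of the flaw class the article describes: a vault client
# that derives its vault key with parameters the server hands it at login. The parameter
# names, the KDF (PBKDF2-HMAC-SHA256) and the numeric floor are assumptions made for this
# example, not details taken from the ETH study or from any named product's protocol.

MIN_ITERATIONS = 600_000   # hypothetical floor the hardened client refuses to go below
MIN_SALT_LEN = 16

class DowngradeError(Exception):
    """Raised when the server-supplied KDF parameters are weaker than the client allows."""

def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=32)

def vulnerable_client_key(master_password, server_cfg, pinned_cfg=None):
    # Trusts whatever the server returns. A compromised server, or anyone able to alter the
    # client/server traffic, can answer with iterations=1 and the client will derive a key
    # that is cheap to brute-force offline from the encrypted vault.
    return derive_key(master_password, server_cfg["salt"], server_cfg["iterations"])

def hardened_client_key(master_password, server_cfg, pinned_cfg=None):
    iterations, salt = server_cfg["iterations"], server_cfg["salt"]
    # 1. Enforce a local minimum regardless of what the server claims.
    if not isinstance(iterations, int) or iterations < MIN_ITERATIONS:
        raise DowngradeError(f"server offered {iterations} iterations, floor is {MIN_ITERATIONS}")
    if not isinstance(salt, bytes) or len(salt) < MIN_SALT_LEN:
        raise DowngradeError("server offered a salt that is too short")
    # 2. On a device that has logged in before, parameters may only get stronger (trust on
    #    first use): a changed salt or a lowered work factor is treated as an attack.
    if pinned_cfg is not None:
        if salt != pinned_cfg["salt"] or iterations < pinned_cfg["iterations"]:
            raise DowngradeError("server changed the KDF parameters pinned at first login")
    return derive_key(master_password, salt, iterations)

def attempt_login(client_fn, master_password, server_cfg, pinned_cfg=None):
    """Returns ("ok", key) if the client derives a key, ("rejected", reason) otherwise."""
    try:
        return "ok", client_fn(master_password, server_cfg, pinned_cfg)
    except DowngradeError as exc:
        return "rejected", str(exc)

# Constructed server responses: one honest, one downgraded by a hostile server.
HONEST_CFG = {"salt": b"constructed-salt", "iterations": 600_000}
DOWNGRADED_CFG = {"salt": b"constructed-salt", "iterations": 1}

if __name__ == "__main__":
    for name, fn in (("vulnerable", vulnerable_client_key), ("hardened", hardened_client_key)):
        print(name, attempt_login(fn, "correct horse", DOWNGRADED_CFG)[0])
```

The point for defenders is that the client, not the server, must be the authority on the minimum strength of its own key derivation; the server can suggest parameters, but never lower them.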

A new analysis tool was also developed as part of the study. It can be used to systematically check cryptographic processes in cloud-based password managers. The researchers have made the tool, called ZK-AE-Tester, available on the platform zkae.io. Developers can use it to test whether their own systems have similar vulnerabilities. In this way, the ETH researchers hope to facilitate independent testing and increase transparency.

Suppliers vow to improve

The companies emphasised that they are constantly working on improvements. Some of the reported problems have already been fixed, while others are still being investigated. The ETH researchers point out that their attacks took place under controlled conditions: a real attack would require additional prerequisites, such as access to the servers or the ability to modify network traffic in a targeted manner. This does not, however, change the fact that such attacks are possible in principle.

Header image: Shutterstock


I've been tinkering with digital networks ever since I found out how to activate both telephone channels on the ISDN card for greater bandwidth. As for the analogue variety, I've been doing that since I learned to talk. Though Winterthur is my adoptive home city, my heart still bleeds red and blue. 