A cryptographic security research paper analyzing three major cloud-based password managers, Bitwarden, LastPass, and Dashlane, which collectively serve more than 60 million users. The researchers examine whether these vendors' "Zero Knowledge Encryption" claims hold up under a threat model in which the server itself is fully malicious, rather than merely breached or honest-but-curious. They uncover 12 attacks against Bitwarden, 7 against LastPass, and 6 against Dashlane, ranging from vault integrity violations to complete organizational vault compromise, with most attacks enabling recovery of stored passwords. The paper identifies common design anti-patterns and cryptographic misconceptions shared across the three products, discusses mitigations, and offers broader lessons for developers of end-to-end encrypted systems. The findings have been disclosed to the vendors and remediation is underway. Published at USENIX Security '26.
Zero Knowledge (About) Encryption: A Comparative Security Analysis of Three Cloud-based Password Managers