Your password manager has a master key problem

2 min read · Security & Privacy

You probably did the right thing. You signed up for a password manager, created a strong master password, and assumed the vault protecting your digital life was airtight. Researchers at ETH Zurich just proved it is not.

In February 2026, a team from ETH Zurich and Università della Svizzera italiana published findings that should concern every password manager user. They discovered 25 distinct attack vectors across Bitwarden, LastPass, and Dashlane, the three services protecting roughly 60 million users. The attacks ranged from reading stored passwords to compromising every vault in an organization.

The study’s title says it plainly: “Zero Knowledge (About) Encryption.” These companies market zero-knowledge architecture, promising they cannot access your data. Under a malicious server scenario, that promise collapsed.

Every credential in your vault is only as secure as one single secret: your master password. Once an attacker has server-side access, that password is the only thing still protecting the vault, and the Verizon 2025 DBIR found that only 3% of compromised passwords met basic complexity requirements. The ETH Zurich team showed that a malicious server can downgrade the KDF iteration count the client uses, accelerating brute-force attacks by up to 300,000 times.

A master password that would take centuries to crack under normal conditions might fall in hours once server-side protections are weakened.

The credential crisis keeps growing. SpyCloud reported that 2.8 billion passwords appeared on criminal platforms in 2024 alone. When 54% of ransomware victims already had credentials in infostealer logs before the attack, the pattern is clear: attackers are not breaking down doors. They are using keys that already exist, including stolen credentials your security tools miss.

The transition gap where hackers feast

Passkeys were supposed to fix this. Biometric authentication tied to your device, no shared secrets, no phishable passwords. Dashlane’s 2025 report showed passkey authentications doubled in one year, with Google seeing a 352% increase after making passkeys default.

But only 36% of American adults use any password manager at all. Among non-users, 37% say they do not need one. The gap between “passkeys exist” and “passkeys protect you” is enormous, and that is precisely where breaches that bypass password managers entirely concentrate.

Even organizations with passkeys face a hybrid problem. Regulated industries still depend on legacy systems. The Verizon DBIR found that 88% of basic web application attacks still involve stolen credentials. Attackers do not care about your passkey-enabled Google account if your health insurance portal still accepts “Winter2025!” as a valid login.

What your password manager cannot protect against

The ETH Zurich findings revealed something security advice ignores: convenience features are the enemy of encryption. Password recovery, account sharing, and backwards compatibility each expanded the attack surface in ways zero-knowledge marketing never disclosed.

This matters because the daily cybersecurity shortcuts that compound risk go beyond weak passwords. They include trusting architecture that was never as secure as advertised. Since passkeys already outperform passwords in every metric, the question is not whether the transition will happen, but how many breaches will occur during the gap.

What to do before passkeys replace everything

Treat your master password like it is already compromised. Enable the strongest KDF settings your password manager offers (Argon2id if available, or PBKDF2 with at least 600,000 iterations). Activate passkeys on every service that supports them, starting with email and banking. Check whether your credentials already appear in infostealer databases using Have I Been Pwned.
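The advice above (a floor of 600,000 PBKDF2 iterations, and treating the server as untrusted) comes down to one client-side rule: never derive the vault key from KDF parameters the server hands you without checking them against a copy you pinned locally. The following Python is an added illustration of that check, not code from the ETH Zurich paper or from Bitwarden, LastPass or Dashlane. The `KdfParams` shape, the `check_kdf_downgrade` and `derive_vault_key` names, and the sample salt are assumptions made for the example; the iteration floor is the article's own figure, and `brute_force_speedup` only makes explicit why lowering the iteration count speeds up guessing in proportion.

```python
import hashlib
from dataclasses import dataclass

# Floor taken from the article's advice: PBKDF2 with at least 600,000 iterations.
MIN_PBKDF2_ITERATIONS = 600_000
# Argon2id is accepted by name for the policy check, but this example only
# derives PBKDF2-HMAC-SHA256 because that is what the standard library provides.
ALLOWED_ALGORITHMS = ("pbkdf2-sha256", "argon2id")


@dataclass(frozen=True)
class KdfParams:
    """KDF parameters as a client might receive them from a server (hypothetical shape)."""
    algorithm: str
    iterations: int
    salt: bytes


def check_kdf_downgrade(server: KdfParams, pinned: KdfParams) -> list:
    """Compare server-advertised parameters with the copy pinned at enrolment.
    Returns the reasons to refuse; an empty list means the parameters are acceptable."""
    problems = []
    if server.algorithm not in ALLOWED_ALGORITHMS:
        problems.append(f"unknown algorithm {server.algorithm!r}")
    if server.algorithm != pinned.algorithm:
        problems.append(f"algorithm changed from {pinned.algorithm} to {server.algorithm}")
    if server.algorithm == "pbkdf2-sha256" and server.iterations < MIN_PBKDF2_ITERATIONS:
        problems.append(f"{server.iterations} iterations is below the floor of {MIN_PBKDF2_ITERATIONS}")
    if server.iterations < pinned.iterations:
        problems.append(f"iterations lowered from pinned {pinned.iterations} to {server.iterations}")
    if server.salt != pinned.salt:
        problems.append("salt differs from the pinned salt")
    return problems


def derive_vault_key(master_password: str, server: KdfParams, pinned: KdfParams) -> bytes:
    """Derive a 32-byte vault key only after the downgrade check passes."""
    problems = check_kdf_downgrade(server, pinned)
    if problems:
        raise ValueError("refusing to derive key: " + "; ".join(problems))
    if server.algorithm != "pbkdf2-sha256":
        raise NotImplementedError("this example derives PBKDF2-HMAC-SHA256 only")
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               server.salt, server.iterations, dklen=32)


def brute_force_speedup(original_iterations: int, downgraded_iterations: int) -> float:
    """Each guess costs one full KDF run, so cutting the iteration count from A to B
    lets the same hardware test guesses A/B times faster."""
    if downgraded_iterations <= 0:
        raise ValueError("iteration count must be positive")
    return original_iterations / downgraded_iterations


if __name__ == "__main__":
    # Constructed sample values, not taken from any real account or service.
    pinned = KdfParams("pbkdf2-sha256", 600_000, b"user@example.com")
    honest = pinned
    downgraded = KdfParams("pbkdf2-sha256", 2, b"user@example.com")

    key = derive_vault_key("correct horse battery staple", honest, pinned)
    print("honest server: derived a", len(key), "byte vault key")
    print("downgrade makes guessing %.0fx faster"
          % brute_force_speedup(pinned.iterations, downgraded.iterations))
    try:
        derive_vault_key("correct horse battery staple", downgraded, pinned)
    except ValueError as err:
        print("malicious server:", err)
```

The pinned copy is the whole point: if the client only trusts whatever the server says, a server that lowers the count (or swaps the algorithm or salt) is indistinguishable from a legitimate configuration change. A client that refuses to derive, and tells the user why, turns a silent downgrade into a visible failure.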

The uncomfortable truth is that Big Tech is quietly killing passwords not out of generosity, but because the current system fails too often. The 25 vulnerabilities ETH Zurich found are not bugs. They are the predictable result of bolting modern convenience onto decades-old password architecture.

Your password manager is better than no password manager. But if you think it makes you safe, you are exactly the kind of user attackers count on.

Sources and References

  1. ETH Zurich: Researchers discovered 25 distinct attack vectors across Bitwarden, LastPass, and Dashlane, affecting 60 million users.
  2. Verizon DBIR 2025: Only 3% of compromised passwords met basic complexity requirements, and 88% of basic web application attacks involved stolen credentials.
  3. SpyCloud / Verizon DBIR: 2.8 billion passwords appeared on criminal platforms in 2024. 54% of ransomware victims had credentials in infostealer logs.
  4. Security.org: Only 36% of US adults use a password manager (94 million users).
  5. Dashlane: Passkey authentications doubled in one year. Google saw a 352% increase after making passkeys default.
