Bitwarden, Dashlane, and LastPass Totally Can’t Read Your Passwords … Wink

Source: Ars Technica Bitwarden, Dashlane, and LastPass Totally Can’t Read Your Passwords … Wink

Zero Knowledge* (TM) of Your Managed Passwords

Today would be a good day to discuss how Microsoft’s Copilot has been ‘accidentally’ reading your confidential emails, completely destroying your compliance with your company’s DLP agreements with clients, but as this is 2026 that news now comes in second place.

Instead, it’s the news that a number of apps you trust with keeping your passwords, such as Bitwarden, Dashlane, and LastPass, can read your passwords if they so chose. The good news, such as it is, is that it takes a bit of effort for them to do so; the passwords are not available for employees’ perusal at their leisure. The problem is that security researchers have determined that someone with control over one of these servers, either an authorized employee or someone who managed to compromise one of these servers remotely, “can, in fact, steal data and, in some cases, entire vaults.”

Even if the data is encrypted, these researchers also found attacks that would allow an attacker to weaken the encryption to the point that your passwords can be read as plain text. Ironically, one of the identified attacks can only succeed if you are asked to change your master key by one of these password manager apps. If you are worried about your security, or are notified that you should change it because of a breach, that change can be leveraged to gain access to your new master key. It seems that while these companies authenticate just about every interaction with your password vault, if you use the browser extension to make the change, requests to change your superadmin keys are not authenticated.

If you use the stand-alone apps you are somewhat more protected, but not perfectly. You can read about how these compromises can occur in depth at Ars Technica.
* Zero in this case may not be completely accurate.

New research shows that these claims aren’t true in all cases, particularly when account recovery is in place or password managers are set to share vaults or organize users into groups.

About The Author

Jeremy Hellstrom

Call it K7M.com, AMDMB.com, or PC Perspective, Jeremy has been hanging out and then working with the gang here for years. Apart from the front page you might find him on the BOINC Forums or possibly the Fraggin' Frogs if he has the time.
