Password managers' zero-knowledge promises aren't always true in server breaches
Summary
Ars Technica reports on new research showing that the 'zero-knowledge' promises made by Bitwarden, Dashlane, LastPass, and others may not hold against the very adversary they are meant to exclude: a compromised or malicious server. The study, by researchers at ETH Zurich and USI Lugano, details several attack paths, including abuse of group keys during enrollment, of vault key rotation, and of backward-compatible older crypto that a server can steer a client into using; account recovery features widen the exposure further. In some of these cases the attacker could read, or even modify, entire vaults. Vendors point to audits and patches already shipped, but the article cautions users, especially in business deployments, to rely on defense-in-depth rather than on the zero-knowledge label alone and to configure features such as recovery and sharing with care.