By NHI Mgmt Group Editorial TeamPublished 2026-02-16Domain: Best PracticesSource: Bitwarden

TL;DR: ETH Zurich’s audit tested ten cryptographic attack scenarios against a fully malicious server model and found issues that were either resolved, in remediation, or accepted as intentional design decisions, according to Bitwarden. The result reinforces that password security still depends on explicit trust assumptions, not just encrypted storage.


At a glance

What this is: This is Bitwarden’s summary of an ETH Zurich cryptography audit that stress-tested password manager behavior under a fully malicious server model and found issues already addressed or intentionally accepted.

Why it matters: It matters because IAM teams still have to design for trust boundaries, key handling, and recovery assumptions even when a product uses zero-knowledge and strong encryption.

👉 Read Bitwarden's cryptography audit summary and malicious server analysis


Context

Password security is not only about storing secrets in encrypted form. It is also about what happens when the server, recovery path, or verification layer is no longer trustworthy. This article uses a third-party cryptography audit to examine those assumptions in a password manager context.

For IAM and NHI practitioners, the interesting part is not the product branding but the threat model. A fully malicious server test surfaces where zero-knowledge architecture protects users and where governance still depends on explicit trust boundaries, reviewable cryptographic design, and disciplined incident response.


Key questions

Q: What does a fully malicious server threat model reveal in a password manager audit?

A: It reveals whether the product still protects secrets when the backend can behave arbitrarily. That test surfaces hidden dependencies in recovery, synchronization, and protocol design that normal encryption claims can miss. For practitioners, the key question is not only whether data is encrypted, but whether the trust model remains valid if the server is compromised.

Q: How should security teams evaluate zero-knowledge claims in identity and secrets tools?

A: They should evaluate the full protocol, not just the storage layer. Zero-knowledge may limit provider access to secret material, but it does not automatically cover metadata, key handling, recovery flows, or implementation flaws. Teams should ask which trust assumptions remain and whether those assumptions are documented, tested, and independently reviewed.

Q: When does an independent cryptography audit become operationally useful?

A: It becomes operationally useful when findings are translated into remediation evidence, design decisions, or formal exceptions with owners. An audit that produces no tracked closure does not improve governance. The best use of external review is to turn cryptographic findings into measurable control updates that security and IAM teams can verify.

Q: What should IAM teams do after a password platform audit finds issues?

A: They should reassess the platform’s trust assumptions, confirm which issues were fixed, and decide whether any residual risk affects authentication, secrets handling, or recovery workflows. If the platform is part of a broader identity stack, teams should also check whether related lifecycle and access review controls need updated oversight.


Technical breakdown

What a fully malicious server threat model actually tests

A fully malicious server model assumes the backend can deviate arbitrarily from expected behaviour, including serving altered responses, manipulating state, or attempting to weaken cryptographic guarantees. That is a stricter test than ordinary perimeter compromise because it asks whether the client-side design still protects secrets when server trust is gone. In password systems, this matters because authentication, vault access, and recovery flows often depend on server participation even when content encryption is end to end. Practical implication: validate which parts of your identity architecture still depend on a trusted server path.

Practical implication: document the trust assumptions that remain after encryption is applied.

Zero-knowledge encryption and where it can still fail

Zero-knowledge encryption means the provider should not be able to read stored secret material in normal operation. But zero-knowledge does not eliminate all failure modes, because metadata, key derivation paths, client-server coordination, and implementation details can still create exposure. The audit’s value lies in showing that cryptography must be evaluated as a system, not as a slogan. Even when the server cannot decrypt secrets, the protocol can still leak security through weak edge cases, bad assumptions, or design trade-offs accepted for functionality. Practical implication: assess the whole protocol, not only ciphertext at rest.

Practical implication: review key derivation, recovery, and synchronization as part of the control design.

Third-party cryptography audits as a governance control

Independent cryptography review is a governance mechanism, not a marketing signal. It helps validate claims, identify edge cases before attackers do, and establish whether reported issues are fixed, accepted, or still outstanding. For identity teams, the real lesson is that assurance improves when the product exposes its design to scrutiny and when findings are tracked to closure. That is especially relevant for secrets and password platforms, where a hidden flaw can become a systemic access problem. Practical implication: require auditable remediation evidence, not just audit participation.

Practical implication: use external review results to drive control exceptions, remediation tracking, and revalidation.


NHI Mgmt Group analysis

Open-source cryptography changes the assurance model, but it does not eliminate the need for trust boundaries. The article shows why third-party review is valuable: public code enables deeper verification than closed systems can usually support. That said, an audit only proves strength within the tested model, not universal immunity. Practitioners should treat transparency as a governance input, not as a substitute for ongoing validation.

Zero-knowledge encryption is a storage property, not a complete identity security model. The report focuses on cryptographic operations under a malicious server scenario, which is exactly where assumptions about trust, recovery, and coordination become visible. A platform can protect stored secrets and still leave room for failure in key handling, protocol edges, or implementation decisions. The practitioner conclusion is to separate data confidentiality claims from full control assurance.

Third-party audits matter most when they produce remediation evidence, not just confidence. Bitwarden states that all issues identified were addressed, which is the right operational outcome to measure. In governance terms, the useful question is whether findings were converted into tracked fixes, accepted design decisions, or risk exceptions with owners. The implication is that audit quality should be judged by closure discipline, not by the prestige of the reviewer alone.

Trusted open source architecture creates a stronger assurance loop for secrets management than opaque security claims do. Public review, reproducible testing, and community scrutiny make hidden cryptographic weaknesses harder to ignore. But the loop only works when teams can map findings back to lifecycle controls such as review, validation, and re-assessment. Practitioners should prefer architectures that can be inspected and governed, not merely described.

Secret protection and identity governance are converging around the same question: what still remains trusted when a control layer fails? That question applies to password managers, service accounts, and other NHI patterns alike. The common failure mode is not simply breach exposure, but unmanaged assumptions about who or what can still be trusted after the system is challenged. Teams should treat those assumptions as first-class governance objects.

From our research:

  • The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to LLMjacking: How Attackers Hijack AI Using Compromised NHIs.
  • When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes, and as quickly as 9 minutes in some cases.
  • For a broader governance lens, read NHI Lifecycle Management Guide for how provisioning, rotation, and offboarding affect exposure windows.

What this signals

Ephemeral assurance is becoming the real governance test: security teams should assume that proof of encryption is not proof of resilience. The practical signal is whether review, recovery, and exception handling still work when a server, vault, or coordination layer can no longer be trusted.

The gap between confidence and control is already visible in secrets operations, where remediation lags can outlast attacker dwell time. Teams that rely on open-source transparency should pair it with lifecycle discipline and external review, anchored in resources such as the NHI Lifecycle Management Guide and the NIST Cybersecurity Framework 2.0.

For programmes managing both human and machine access, the signal is broader than password storage. A platform can be cryptographically strong and still leave unresolved governance questions about recovery, trust revocation, and the point at which a control should be revalidated rather than assumed.


For practitioners

  • Document server trust assumptions Map which authentication, vault access, and recovery flows still depend on a trusted backend, then record how those dependencies behave if the server is compromised.
  • Separate encryption claims from assurance claims Review whether zero-knowledge, end-to-end encryption, and client-side controls actually cover recovery, metadata exposure, and protocol edge cases.
  • Require remediation closure evidence Track audit findings to documented fixes, accepted design decisions, or formal risk exceptions with named owners and revalidation dates.
  • Use audit results to reset review cycles Reassess password and secrets platforms after cryptography findings, especially where the control design depends on third-party verification or open-source review.

Key takeaways

  • This audit shows that strong cryptography still depends on explicit trust boundaries and reviewable implementation choices.
  • The useful evidence is not only the encrypted design, but that ten attacks were tested and the identified issues were addressed or intentionally accepted.
  • Security teams should treat third-party cryptography audits as a governance input that must be converted into remediation tracking and revalidation.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Non-Human Identity Top 10NHI-03Covers secret protection and lifecycle controls relevant to password and vault systems.
NIST CSF 2.0PR.AC-1Identity proofing and trust boundaries matter when backend compromise is in scope.
NIST Zero Trust (SP 800-207)SC-3Zero trust principles apply when a server can no longer be assumed trustworthy.

Treat malicious-server assumptions as a prompt to revalidate trust boundaries and cryptographic dependencies.


Key terms

  • Zero-knowledge encryption: An encryption model in which the provider should not be able to read protected secret material during normal operation. The security value depends on implementation details, recovery flows, and client-side key handling, not just on whether data is encrypted before storage.
  • Malicious server threat model: A test scenario that assumes the backend may behave arbitrarily, including attempting to alter responses or weaken protocol guarantees. It is used to check whether cryptographic protections still hold when server trust cannot be assumed.
  • Cryptography audit: An independent review of cryptographic design, implementation, and protocol behaviour. In practice, it is used to validate claims, uncover edge cases, and confirm whether security findings were fixed, accepted, or left open.

What's in the full report

Bitwarden's full article covers the operational detail this post intentionally leaves for the source:

  • The full cryptography report explains the ten tested attack scenarios and how ETH Zurich classified each issue.
  • It includes the specific remediation status for the resolved and in-remediation findings, which is useful for implementation teams.
  • It outlines the malicious server threat model used during testing, which matters if you need to compare audit scope against your own architecture.
  • It provides the transparency context around open-source review and why the codebase was suitable for third-party cryptographic analysis.

👉 Bitwarden's full post includes the audit scope, issue status, and cryptography report link.

Deepen your knowledge

NHI governance, machine identity security, and identity lifecycle management are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or operational governance, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-02-16.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org