TL;DR: A study of Bitwarden, LastPass and DashLane found at least six attack types per product, with Bitwarden exposed to 12, and concluded that some weaknesses are architectural rather than fully fixable, according to Swarmnetics citing ETH Zurich research. Cloud vault convenience changes the trust model, but it does not eliminate the need for stronger secret hygiene and access governance.
NHIMG editorial — based on content published by Swarmnetics: Can Cloud-Based Password Managers Be Trusted? New Study Exposes Concerning Flaws
By the numbers:
- The ETH Zurich study notes that the three password managers it examined collectively have about 60 million users.
- Bitwarden was the worst off of the group at 12.
- Cloud-based password managers have become very popular given that people now tend to juggle well over 100 login credentials.
Questions worth separating out
Q: What breaks when a cloud password manager relies on shared vault access?
A: Shared vault access blurs ownership, revocation, and accountability.
Q: Why do cloud vaults create more risk than offline password storage?
A: Cloud vaults trade isolation for synchronisation and collaboration, which introduces extra trust in client software, recovery flows, and server-side sync.
Q: How do security teams know whether vault controls are actually working?
A: Look for evidence that secrets are owned, rotated, and revoked on schedule, and that shared access is rare and justified.
Practitioner guidance
- Audit shared-vault dependency paths Map where the password manager relies on browser extensions, sync channels, recovery flows, and shared logins, then document which of those paths would expose secrets if a single layer were compromised.
- Separate human and machine secret governance Do not let the same operational rules govern employee passwords, API keys, and service account tokens.
- Retire legacy encryption-dependent workflows Identify vault features that persist only because older clients or compatibility modes require them, then set a deprecation plan for the weakest pathways before attackers can exploit them.
What's in the full article
Swarmnetics' full article covers the technical detail this post intentionally leaves for the source:
- A breakdown of the four attack categories the ETH Zurich study identified across the tested password managers.
- Product-specific vulnerability counts, including which of the three tools fared worst under the test conditions.
- The distinction between zero-knowledge marketing claims and the actual encryption and trust model used in practice.
- The researchers' remediation timeline and which issues they considered architectural rather than easily patchable.
👉 Read Swarmnetics' analysis of cloud password manager trust gaps and structural flaws →
Cloud password managers: are vault trust assumptions holding up?
Explore further
Cloud vault convenience is now a governance problem, not just a consumer feature. The article shows that the security model for cloud password managers depends on trust spread across clients, sync services, and user behaviour. That is a governance issue because the attack surface expands every time a tool is designed to be portable, collaborative, and always available. For IAM teams, the right question is not whether the vault encrypts data, but where the trust boundary actually sits.
A question worth separating out:
Q: Who is accountable when a password manager vulnerability exposes credentials?
A: Accountability is shared, but not evenly. The vendor is accountable for architectural and software flaws, while the organisation remains responsible for how secrets are stored, shared, and monitored. In practice, IAM and security teams must own the risk acceptance decision for any vault workflow that depends on legacy behaviour or broad sharing.
👉 Read our full editorial: Cloud password managers expose structural vault trust gaps