← All articles Digital security

Researchers Just Proved Your Password Manager Can Be "Fully Compromised"

Zack van Zyl·8 July 2026·3 min read
Researchers Just Proved Your Password Manager Can Be "Fully Compromised"

What went wrong

The vulnerabilities aren't the result of sloppy coding. They're architectural. The researchers identified three categories of weakness:

1. Key escrow recovery mechanisms

Both Bitwarden and LastPass offer account recovery features that, by design, create a secondary path to your vault. The researchers exploited flaws in these recovery designs to bypass the primary encryption entirely.

2. Item-level encryption flaws

Rather than encrypting the entire vault as a single sealed unit, these managers encrypt individual items separately — often leaving metadata unencrypted or unauthenticated. This allowed the researchers to swap fields between entries, leak metadata, and downgrade the key derivation function protecting the vault.

3. Sharing feature exploits

The ability to share passwords with others introduced additional attack surfaces. Through sharing mechanisms, the researchers compromised vault integrity and confidentiality.

The vendors have been notified and have rolled out patches for some of the issues. But as Dashlane acknowledged, certain findings require "either specific circumstances and/or an extremely significant window of time" — which is vendor-speak for "we can't fully fix this."


Why this matters for your digital estate

Here's the uncomfortable question nobody's asking: if your password manager is your estate plan, what happens when it's compromised?

Millions of Australians are using password managers as their de facto digital estate plan. "My family knows my master password" or "it's in the safe" — that's the extent of the planning.

But a password manager, even an uncompromised one, only solves one narrow problem: storing credentials you remember to add.

It doesn't:

  • Discover the accounts you've forgotten
  • Verify your inventory is complete
  • Provide legal authority for your executor to access anything
  • Protect against the password manager itself being compromised, discontinued, or locked out

And now we know it doesn't even guarantee the security it promises.


The difference between a tool and a plan

A password manager is a tool. A good one. We recommend using one.

But a tool is not a plan.

A Digital Directive is a plan. It's a professional, verified inventory of your entire digital life — not just the accounts you remembered to save. It includes documented authority for your chosen executor, secure credential storage that doesn't depend on a single vendor's architecture, and a verified handover process.

Your password manager stores keys. A Digital Directive is the map, the keys, and the authority to use them.


What to do right now

  1. Update your password manager. Make sure you're running the latest version — the ETH Zurich vulnerabilities have partial patches available.
  2. Enable hardware-based MFA on your password manager account. Not SMS. Not TOTP if you can avoid it. A hardware security key.
  3. Audit what's actually in your vault. If you can't find every account you've ever created, your vault is incomplete — and incomplete is the same as unprepared.
  4. Think beyond the tool. Ask yourself: if something happened to me tomorrow, could my family actually access and manage my digital life? If the answer involves "they'd figure it out," that's not a plan.

[Learn how a Digital Directive works →]


Sources



Take Control of Your Digital Legacy

Your passwords, crypto, cloud accounts, and digital subscriptions don't disappear when you do — but without a plan, your family can't access them either.

Start your Digital Directive with NYLK →


Take Control of Your Digital Legacy

Your passwords, crypto, cloud accounts, and digital subscriptions don't disappear when you do — but without a plan, your family can't access them either.

Start your Digital Directive with NYLK →

While it's on your mind

Reading about it is step one.

A Digital Directive turns good intentions into something your family can actually use — set up once, kept current, released only when it's time.