Security is constantly evolving. Today, a new in-depth security report is available, continuing the Bitwarden commitment to transparency and trusted open source security. The audit, conducted by the prestigious Applied Cryptography Group at ETH Zurich, proactively tested Bitwarden core cryptography operations against the hypothetical event of a maliciously compromised server. All issues identified in the report have been addressed by the Bitwarden team and have been included in the attached cryptography report for full transparency.
Trusted open source architecture grants path for third-party security audits
Bitwarden was selected for analysis by ETH Zurich primarily because of its open source architecture, where the code is available to the public on GitHub for inspection, auditing, and contribution. With this model, academic researchers and security professionals, such as the ETH Zurich Applied Cryptography Group, can stress-test Bitwarden code and infrastructure through penetration testing and security audits.
Unlike closed source solutions that keep the codebase hidden behind locked doors, this trusted open source architecture helps ensure:
Complete transparency in how the product operates
Verifiable security claims
Quick identification of potential security issues
Fast resolution of issues before they can be used by a malicious actor
Engaged developers can contribute and drive product innovation
Other password managers considered for this report were:
Not selected because the solution is closed source
Set aside because analyzing them would have required extensive reverse engineering of closed source code
The unique open source approach to password management sets Bitwarden apart as a transparent and trusted solution for storing your most sensitive information and credentials.
A hypothetical scenario: Fully malicious server
When conducting penetration tests for the cryptography audit, ETH Zurich opted to use a fully malicious server threat model, “meaning that it can deviate arbitrarily from its expected behaviour.” In this scenario, the server infrastructure has been hijacked and is under the complete control of the attacker.
Bitwarden has never experienced a security breach, and to the best of Bitwarden's knowledge this scenario has never occurred to any password management product. While the vast majority of breaches involve stolen data rather than the complete server takeover modeled in this report, the ETH Zurich team intentionally selected this edge-case threat model to test the strength of zero-knowledge encryption across popular password management products.
Bitwarden takes all potential threats seriously, and has worked cooperatively with the Applied Cryptography Group to address the issues highlighted in the report.
Bitwarden Cryptography Report findings
The analysis tested twelve distinct attacks against the Bitwarden zero-knowledge encryption architecture in a hypothetical scenario involving a fully malicious server. Ten issues were identified and categorized as “medium” or “low” impact, largely because they require a highly sophisticated attacker who already has control over Bitwarden server infrastructure.
All issues have been addressed by Bitwarden. Seven of these have been resolved or are in active remediation by the Bitwarden team; the remaining three have been accepted as intentional design decisions necessary for product functionality.
To reiterate, Bitwarden has never been breached and believes third-party security assessments like these are critical to continue providing state-of-the-art security to individuals and organizations. Millions of users and thousands of businesses trust Bitwarden every day to protect their sensitive information and stay secure online.
Thank you ETH Zurich for your insights and commitment to stronger password security.
Review the 2026 Bitwarden Cryptography Report.