For years, password managers have marketed themselves on a bedrock promise: your vault is encrypted end-to-end, and even the company storing your most sensitive credentials cannot peer inside. It’s a pledge known in cryptographic circles as “zero-knowledge architecture,” and it has become the gold-standard selling point for an industry entrusted with the digital keys to billions of lives. But a growing body of research suggests that promise is, in many cases, more aspirational than absolute — and in some instances, flatly misleading.
A detailed investigation published by Ars Technica has brought renewed scrutiny to the security architectures of leading password managers, revealing that the “zero-knowledge” label obscures significant variations in how — and how completely — user data is actually protected. The findings have rattled security professionals and reignited a long-simmering debate about transparency, trust, and the technical realities of cloud-based credential storage.
What “Zero-Knowledge” Is Supposed to Mean — and Where It Falls Short
The concept is elegant in theory. When a password manager claims zero-knowledge architecture, it means the company’s servers store only encrypted blobs of data that are indecipherable without the user’s master password. The encryption and decryption happen locally, on the user’s device. The provider never has access to the plaintext contents of the vault — not the passwords, not the URLs, not the notes. Even if served with a subpoena or breached by hackers, the company could hand over nothing of value.
But as the Ars Technica report makes clear, the implementation details tell a far more complicated story. Not all fields in a password vault are necessarily encrypted. Metadata — including URLs, the names of stored entries, and even organizational folder structures — may be stored in plaintext or with server-side encryption that the provider controls. This means that while a company may not be able to see your actual passwords, it can potentially see which websites you visit, which services you use, and how you organize your digital life. For intelligence agencies, advertisers, or attackers who breach the provider’s infrastructure, that metadata alone can be extraordinarily revealing.
The Metadata Problem: When What Surrounds Your Secrets Is Itself a Secret
The distinction between encrypting vault contents and encrypting vault metadata is not academic. Security researchers have long warned that metadata can be as sensitive as the data it describes. Knowing that a user stores credentials for an HIV clinic portal, a bankruptcy attorney’s client login, or a whistleblower platform tells a story even without the password itself. The Ars Technica investigation highlighted that some of the most widely used password managers leave precisely this kind of information exposed.
LastPass, which suffered a catastrophic breach in 2022 that exposed encrypted vaults along with unencrypted URL metadata, has become the cautionary tale most frequently cited in this discussion. At the time of the breach, the company acknowledged that while master passwords and vault contents remained encrypted, website URLs associated with stored credentials were not. Security experts argued this was a fundamental design failure, not merely an inconvenience. The incident demonstrated in stark, real-world terms that a “zero-knowledge” claim can coexist with meaningful data exposure.
A Spectrum of Protection, Not a Binary Guarantee
Industry insiders have increasingly pushed for more nuanced language around what password managers actually protect. The reality, as detailed by researchers quoted in the Ars Technica piece, is that zero-knowledge exists on a spectrum. Some providers encrypt virtually everything client-side, including URLs, notes, and metadata. Others encrypt only the password fields themselves, leaving the surrounding context in a form the provider — or an attacker — can read.
1Password, for example, has historically been praised by security auditors for its more comprehensive approach to client-side encryption, wrapping not just passwords but also associated metadata in layers of encryption that the company cannot access. Bitwarden, the popular open-source alternative, has also moved toward encrypting a broader set of vault fields. But even among the more diligent providers, edge cases remain. Browser extensions, autofill mechanisms, and cloud sync features all introduce potential vectors where data may be momentarily exposed or transmitted in ways that complicate the zero-knowledge promise.
The Trust Architecture Behind the Technology
At the heart of the debate is a question that transcends any single product: how much trust should users place in a company’s self-reported security architecture? Independent security audits help, but they are snapshots in time. A provider could pass an audit and subsequently introduce a software update that weakens encryption or expands the scope of unencrypted metadata. Without continuous, transparent, and independently verifiable assurance, the zero-knowledge claim ultimately rests on the provider’s word.
This is particularly concerning given the business pressures facing password management companies. Many operate on freemium models, where the incentive to collect and analyze user behavior data — even in anonymized or aggregated form — can conflict with the purest interpretation of zero-knowledge principles. As the Ars Technica report notes, marketing language around zero-knowledge has become so ubiquitous that it risks losing all meaning, functioning more as a branding exercise than a rigorous technical commitment.
Regulatory and Industry Pressure Is Building
The growing awareness of these gaps has not gone unnoticed by regulators. The European Union’s evolving data protection framework under GDPR has already prompted questions about whether password managers that store unencrypted metadata are fully compliant with data minimization principles. In the United States, the National Institute of Standards and Technology (NIST) has been updating its digital identity guidelines, and security professionals have urged the agency to establish clearer benchmarks for what constitutes genuine zero-knowledge architecture in credential management tools.
Industry groups, too, are beginning to respond. The FIDO Alliance, best known for its work on passwordless authentication standards, has been exploring how password managers interact with passkey technology — and whether the transition to passkeys could render some of these encryption debates moot. If credentials are replaced by cryptographic key pairs that never leave the device, the need to trust a cloud provider with any form of vault data diminishes significantly. But passkey adoption remains uneven, and password managers will continue to play a central role in credential management for years to come.
What Sophisticated Users and Enterprises Should Demand
For enterprise security teams and technically sophisticated individuals, the takeaway is not to abandon password managers — they remain vastly superior to the alternative of reused or weak passwords — but to demand specificity. Which fields are encrypted client-side? Which are encrypted server-side with keys the provider controls? Which are stored in plaintext? Is the encryption architecture documented publicly and subject to independent audit? These are the questions that separate genuine zero-knowledge implementations from marketing copy.
Organizations evaluating password managers for enterprise deployment should insist on detailed technical documentation of the encryption architecture, including how metadata is handled. They should look for providers that submit to regular third-party security audits and publish the results. And they should be skeptical of any vendor that uses “zero-knowledge” as a blanket assurance without specifying exactly what data falls under that umbrella.
The Road Ahead for Credential Security
The password manager industry sits at an inflection point. The combination of high-profile breaches, increased regulatory scrutiny, and a more technically literate user base is forcing providers to move beyond vague assurances. The companies that thrive will be those that treat zero-knowledge not as a marketing checkbox but as an engineering discipline — one that demands continuous improvement, radical transparency, and a willingness to encrypt everything, not just the data that’s easiest to protect.
As the Ars Technica investigation makes plain, the promise that a password manager “can’t see your vault” is only as strong as the weakest link in its encryption chain. For an industry built on trust, that gap between promise and practice is one it can no longer afford to ignore.