"Zero-knowledge" is the most important term in password security—and the most misused. Let's clarify what it actually means and which password managers truly qualify.
What is zero-knowledge encryption?
Zero-knowledge means the service provider cannot access your data, even if they want to.
How it works:
- Your master password is used to generate an encryption key
- This key encrypts your password vault on your device
- Only encrypted data is sent to the server
- The server never sees your master password or encryption key
- Without the key, the encrypted data is useless
The result: Even if the company is hacked, subpoenaed, or has a rogue employee, your passwords remain encrypted. Only you can decrypt them.
Zero-knowledge vs. regular encryption
Many services encrypt your data but hold the keys themselves. This is not zero-knowledge.
| Security Model | Who Holds the Key | Can Provider Access Data? |
|---|---|---|
| No encryption | N/A | Yes, fully |
| Server-side encryption | The provider | Yes, anytime |
| Client-side encryption (non-ZK) | The provider has a copy | Yes, with effort |
| Zero-knowledge | Only you | No, never |
Example: Gmail encrypts your emails at rest, but Google holds the encryption keys. They can read your emails (and do, for advertising). This is not zero-knowledge.
Which password managers are actually zero-knowledge?
We analyzed the security architecture of major password managers:
Bitwarden
Verdict: True zero-knowledge
Bitwarden encrypts your vault with your master password before it ever leaves your device. Their servers only store encrypted blobs. Even Bitwarden employees cannot access your passwords.
Proof: Bitwarden is open source. You can verify their encryption implementation yourself.
Trade-off: If you forget your master password, Bitwarden cannot recover it. Your vault is permanently inaccessible.
1Password
Verdict: True zero-knowledge
1Password uses a dual-key system: your master password + a secret key. Both are required to decrypt your vault. 1Password never has access to either.
Added security: Even if someone steals your encrypted vault, they need both keys to decrypt it. Brute-forcing becomes computationally infeasible.
Trade-off: Same as Bitwarden—lost credentials mean lost vault.
LastPass
Verdict: Technically zero-knowledge, but compromised trust
LastPass uses client-side encryption with your master password. In theory, they cannot access your passwords.
The problem: The 2022 LastPass breach exposed encrypted vaults. While LastPass couldn't decrypt them, attackers now have unlimited time to brute-force weak master passwords. If your master password was under 12 characters, your vault is likely compromised.
Recommendation: If you used LastPass before 2023, change all passwords regardless of what LastPass claims.
Google Password Manager
Verdict: NOT zero-knowledge
This is where many users are surprised. From Google's own documentation:
"Passwords are stored encrypted with a key unique to your Google Account."
Translation: Google controls the encryption keys. They can decrypt your passwords if needed (though they claim they don't).
Implications:
- A Google employee with sufficient access could view your passwords
- A government subpoena could compel Google to decrypt your vault
- A Google breach could expose decrypted passwords (not just encrypted blobs)
If you're using Google Password Manager, consider migrating. See our complete migration guide.
Apple iCloud Keychain
Verdict: Partially zero-knowledge
Apple's implementation is nuanced:
- Standard mode: Apple can access your keychain if needed for account recovery
- Advanced Data Protection (ADP): True zero-knowledge, but you must enable it manually
Recommendation: Enable Advanced Data Protection in iOS/macOS settings. Without it, iCloud Keychain is not fully zero-knowledge.
Dashlane
Verdict: True zero-knowledge
Dashlane encrypts locally with AES-256 using your master password. They cannot access your vault.
Trade-off: More expensive than alternatives ($4.99/month) with a smaller feature set.
The master password problem
Zero-knowledge is only as strong as your master password. If your master password is weak, attackers with your encrypted vault can brute-force it.
Password strength vs. brute-force time:
| Password Type | Example | Brute-Force Time |
|---|---|---|
| 6 characters | abc123 | Seconds |
| 8 characters mixed | Summer1! | Hours |
| 12 characters mixed | S3cur3P@ss! | Months |
| 16+ random chars | kX9#mP2$vL7@qW4! | Centuries |
| 4-word passphrase | correct-horse-battery-staple | Centuries |
Recommendation: Use a 4-6 word passphrase or 16+ random characters for your master password.
What zero-knowledge doesn't protect
Even with perfect zero-knowledge encryption, you're still vulnerable to:
Device compromise
If malware is on your device, it can capture your master password or read your decrypted vault. Zero-knowledge only protects data in transit and at rest on servers.
Phishing
If you enter your master password on a fake site, attackers have your key. Zero-knowledge doesn't help.
Weak master passwords
If your master password is password123, the encryption is worthless. Attackers will crack it quickly.
Shoulder surfing
Someone watching you type your master password can steal it. Physical security matters.
The sites themselves
Zero-knowledge protects your vault, not the websites you log into. If Amazon is breached, your Amazon password is exposed regardless of how secure your password manager is.
Our recommendation: Bitwarden + Dosel
For most users, we recommend:
- Bitwarden for password storage (free, open source, true zero-knowledge)
- Dosel for password automation (100% local execution)
Why Bitwarden:
- Truly zero-knowledge
- Open source (auditable)
- Free tier with unlimited passwords
- Cross-platform (unlike Apple Keychain)
Why Dosel:
- Complements any password manager
- Automates the tedious work of changing passwords
- 100% local execution (never sends passwords anywhere)
- Free tier: 5 changes/month
The workflow:
- Store passwords in Bitwarden
- When a breach occurs, export to CSV
- Import to Dosel
- Run automated password changes
- Export updated passwords back to Bitwarden
This gives you the security of zero-knowledge storage plus the efficiency of automated password rotation.
Migrating from non-zero-knowledge managers
If you're currently using Google Password Manager or another non-ZK option, migration is straightforward:
From Google Password Manager:
- Chrome Settings → Passwords → Export (CSV)
- Create Bitwarden account
- Bitwarden → Tools → Import → Chrome CSV
- Delete Google export file
Full guide: Google Password Manager Migration
From any manager:
Most managers support CSV export. Check your manager's help docs for export instructions, then import to Bitwarden.
Frequently asked questions
If a password manager is zero-knowledge, how can they offer password recovery?
Truly zero-knowledge managers cannot offer password recovery. That's the trade-off. Some offer "emergency access" features where a trusted contact can request access after a waiting period, but that's different from the company recovering your password.
Is zero-knowledge overkill for most people?
No. The difference in usability between zero-knowledge and non-ZK managers is minimal. You get significantly better security for the same experience. There's no reason not to use zero-knowledge.
What if the zero-knowledge company goes out of business?
Your data is encrypted with your key. Export your vault to CSV before they shut down, and you have all your passwords. The encryption doesn't depend on their servers existing.
Can zero-knowledge be audited?
Open-source managers (Bitwarden) can be fully audited. Closed-source managers (1Password) require trust in their claims and third-party security audits.
Is local-only (no cloud) more secure than zero-knowledge cloud?
Technically yes, but practically no. Local-only means no sync across devices, no backup if your device dies. Zero-knowledge cloud gives you sync and backup while maintaining security.
Take action
- Check your current manager: Is it truly zero-knowledge?
- If not: Migrate to Bitwarden or 1Password
- Set a strong master password: 4+ random words or 16+ characters
- Enable 2FA: On your password manager and all important accounts
- Consider automation: Dosel for efficient password rotation
Download Dosel: 5 free automated password changes per month.
Related guides
- Google Password Manager PIN Problems & Solutions
- How to Change All Passwords After a Breach
- After a Breach: What to Do First
Questions about password manager security? Contact hello@dosel.app.