Zero-Knowledge Architecture
The property whereby the password manager's provider cannot read your vault, even when compelled by a court order or breached by an attacker, because the key that decrypts it never leaves your device.
Plain-English definition
Zero-knowledge architecture means the company running the password manager’s servers has no ability to read the passwords stored in your vault — even if they wanted to, even if a government compelled them to, and even if attackers broke into their servers and copied every byte of stored data.
The vault data that sits on the company’s servers is always encrypted ciphertext. The keys to decrypt it are derived from your master password, and that derivation happens on your device, never on their servers. What they hold is encrypted blobs they cannot decrypt without your master password, which they never receive.
How it works
There are two flows, one for saving and one for retrieving, and each is a short chain of steps:
When saving a password:
- You type a credential into the browser extension or app
- Your device encrypts it using a key derived from your master password
- The encrypted ciphertext is sent to the provider’s servers for storage
- The provider stores ciphertext — they never see the plaintext password
When retrieving a password:
- You unlock your vault with your master password
- Your device derives the decryption key from your master password
- The encrypted ciphertext is fetched from the server
- Your device decrypts the ciphertext locally — the provider never sees the key or the plaintext
The key property: the decryption key is derived on your device and is never transmitted to the server. This is true for every credible password manager claiming zero-knowledge architecture — it’s verifiable via their security whitepapers and external audits.
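The two flows above, as an added example rather than any vendor's code: the client stretches the master password with PBKDF2, splits the result into an encryption key, a MAC key and a login key, and hands the server only ciphertext plus the login key. The server stores a salt, the KDF parameters, a hashed login verifier and ciphertext, and at no point holds the master password or the encryption key. The cipher is a stdlib-only stand-in (HMAC-SHA256 keystream, encrypt-then-MAC) chosen so the example runs offline; the key labels, record layout and `Server`/`Client` classes are this example's assumptions, and shipping products use AES-256-GCM or AES-CBC+HMAC instead.

```python
import hashlib
import hmac
import json
import secrets

# OWASP's current PBKDF2-HMAC-SHA256 floor. LastPass's pre-2018 default was 5,000.
ITERATIONS = 600_000

def stretch(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Slow, salted derivation of a 256-bit master key. Runs on the client only."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations)

def subkey(master_key: bytes, label: bytes) -> bytes:
    """One block of HKDF-Expand (RFC 5869): domain-separated keys, so the login key
    sent to the server tells it nothing about the encryption key."""
    return hmac.new(master_key, label + b"\x01", "sha256").digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream with HMAC-SHA256 as the PRF (stdlib stand-in for AES)."""
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]

def encrypt(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + body, "sha256").digest()  # encrypt-then-MAC
    return nonce + body + tag

def decrypt(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + body, "sha256").digest(), tag):
        raise ValueError("wrong key or tampered ciphertext")
    return bytes(c ^ k for c, k in zip(body, _keystream(enc_key, nonce, len(body))))

class Server:
    """The provider. Assume everything stored here ends up in an attacker's hands."""

    def __init__(self):
        self.accounts = {}

    def register(self, email: str, salt: bytes, iterations: int, login_key: bytes):
        # login_key already carries 256 bits of entropy, so one salted hash is enough
        # to stop a database dump from doubling as a login credential.
        server_salt = secrets.token_bytes(16)
        self.accounts[email] = {"salt": salt, "iterations": iterations, "server_salt": server_salt,
                                "verifier": hashlib.sha256(server_salt + login_key).digest(),
                                "vault": b""}

    def kdf_params(self, email: str):
        return self.accounts[email]["salt"], self.accounts[email]["iterations"]

    def _auth(self, email: str, login_key: bytes) -> dict:
        acct = self.accounts[email]
        if not hmac.compare_digest(hashlib.sha256(acct["server_salt"] + login_key).digest(),
                                   acct["verifier"]):
            raise PermissionError("login key does not match")
        return acct

    def store_vault(self, email: str, login_key: bytes, blob: bytes):
        self._auth(email, login_key)["vault"] = blob

    def fetch_vault(self, email: str, login_key: bytes) -> bytes:
        return self._auth(email, login_key)["vault"]

class Client:
    """The extension or app: the only place the master password and enc key ever exist."""

    def __init__(self, server: Server, email: str, master_password: str):
        self.server, self.email, self.master_password = server, email, master_password

    def _keys(self, salt: bytes, iterations: int):
        mk = stretch(self.master_password, salt, iterations)
        return subkey(mk, b"enc"), subkey(mk, b"mac"), subkey(mk, b"login")

    def register(self):
        salt = secrets.token_bytes(16)
        self.server.register(self.email, salt, ITERATIONS, self._keys(salt, ITERATIONS)[2])

    def save(self, entries: dict):
        enc, mac, login = self._keys(*self.server.kdf_params(self.email))
        self.server.store_vault(self.email, login, encrypt(enc, mac, json.dumps(entries).encode()))

    def load(self) -> dict:
        enc, mac, login = self._keys(*self.server.kdf_params(self.email))
        return json.loads(decrypt(enc, mac, self.server.fetch_vault(self.email, login)))

def round_trip(master_password: str = "correct horse battery staple"):
    """Constructed demo: register, save one credential, retrieve it. Returns the
    decrypted vault and the Server object so the caller can inspect what it holds."""
    server = Server()
    client = Client(server, "alice@example.com", master_password)
    client.register()
    client.save({"example.com": {"user": "alice", "password": "hunter2-but-longer"}})
    return client.load(), server
```

The point to notice is the split in `_keys`: the server receives `login` and can check it, but `enc` and `mac` are siblings derived from the same master key through a one-way expansion, so even a full copy of `Server.accounts` gives it neither. A wrong master password fails at `_auth`, before any ciphertext is served; a stolen ciphertext with the right salt and iteration count is where the next section's offline attack begins.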
Why it matters for the LastPass breach
The 2022 LastPass breach is the clearest real-world demonstration of why zero-knowledge architecture matters — and of its limits.
LastPass implemented zero-knowledge architecture for vault secrets. When attackers exfiltrated encrypted vault backups in the second 2022 incident (disclosed that December, using access gained in the August breach), they received ciphertext that LastPass itself cannot decrypt. For the encrypted fields, this is the architecture working as designed. The architecture did not cover everything, though: LastPass encrypted usernames and passwords field by field but stored site URLs and some other metadata in the clear, so the backups revealed where each user held accounts without any key being recovered.
Zero-knowledge architecture also does nothing for you if your master password is guessable. The vault key is derived from the master password with PBKDF2-HMAC-SHA256, and the stolen backup contains the salt and the iteration count, so an attacker can run the same derivation offline against a wordlist with no rate limit and no lockout. Accounts created before 2018 kept LastPass's old default of 5,000 iterations unless the user raised it (later defaults were 100,100 and then 600,000), and at 5,000 iterations a GPU cluster tests millions of guesses per second. A master password that appears in a breach wordlist falls in minutes; a long random passphrase does not, at any iteration count.
The lesson: zero-knowledge architecture is necessary for a secure password manager but not sufficient. You also need a master password with real entropy, a key derivation function with a high work factor (PBKDF2 iterations in the hundreds of thousands, or Argon2id), and ideally a second high-entropy secret folded into the key derivation, such as 1Password's Secret Key, which keeps a stolen vault unguessable even when the master password is weak.
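The offline attack just described, as an added example that is not LastPass's code: a constructed record stands in for what a stolen backup gives the attacker (public salt, iteration count, ciphertext with its authentication tag), and each guess is checked by repeating the client's own derivation and comparing the tag. Nothing touches a server, so the only brake is the iteration count. The key schedule, tag layout, wordlist and the iteration counts 5,000 and 600,000 are this example's assumptions, not LastPass's on-disk format.

```python
import hashlib
import hmac
import secrets
import time

def stretch(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Same PBKDF2-HMAC-SHA256 stretch the client runs; the attacker runs it too."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations)

def mac_key(master_key: bytes) -> bytes:
    """Domain-separated MAC key (one block of HKDF-Expand), assumed key schedule."""
    return hmac.new(master_key, b"mac\x01", "sha256").digest()

def build_stolen_record(master_password: str, iterations: int) -> dict:
    """Constructed stand-in for a stolen vault record. The body is random bytes
    because only the tag matters for verifying a guess; a real attacker would
    equally well decrypt and look for valid padding or a known structure."""
    salt, body = secrets.token_bytes(16), secrets.token_bytes(96)
    tag = hmac.new(mac_key(stretch(master_password, salt, iterations)), body, "sha256").digest()
    return {"salt": salt, "iterations": iterations, "body": body, "tag": tag}

def guess_matches(record: dict, guess: str) -> bool:
    """One offline guess: derive, recompute the tag, compare. No server involved."""
    key = mac_key(stretch(guess, record["salt"], record["iterations"]))
    return hmac.compare_digest(hmac.new(key, record["body"], "sha256").digest(), record["tag"])

def crack(record: dict, wordlist: list) -> tuple:
    """Returns (recovered password or None, guesses tried, seconds spent)."""
    start = time.perf_counter()
    for n, guess in enumerate(wordlist, 1):
        if guess_matches(record, guess):
            return guess, n, time.perf_counter() - start
    return None, len(wordlist), time.perf_counter() - start

# Constructed wordlist; real attacks use breach corpora with billions of entries.
WORDLIST = ["123456", "password", "qwerty", "letmein", "Summer2022!", "Welcome1"]

def demo() -> tuple:
    """Same weak master password, same wordlist, two iteration counts: the only
    thing that changes is how long each guess costs the attacker."""
    weak = build_stolen_record("Summer2022!", 5_000)
    pw, tried, secs_at_5k = crack(weak, WORDLIST)
    hardened = build_stolen_record("Summer2022!", 600_000)
    _, _, secs_at_600k = crack(hardened, WORDLIST)
    return pw, tried, secs_at_5k, secs_at_600k
```

`demo()` recovers the password in both runs; the higher count only makes the same five guesses roughly 120 times slower, which is the whole benefit of raising iterations and why it helps a weak master password only linearly. A passphrase that is not in any wordlist is what makes `crack` return `None`. Both Bitwarden and LastPass expose the iteration count in account settings (Bitwarden under "KDF iterations", LastPass under "Password Iterations"), so this is a setting you can check on your own account.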
How to verify a manager has it
You shouldn’t take a manager’s word for it. Look for these three signals:
- An external audit report that confirms zero-knowledge architecture. Cure53, NCC Group, Trail of Bits, and Insight Risk Consulting all assess this in their reviews. The report should explicitly state that the auditor verified that the provider cannot decrypt user vaults, and its scope should include the clients (browser extension, desktop and mobile apps), since that is where key derivation runs and where a bug or a malicious update would break the property.
- A published security whitepaper. 1Password’s security whitepaper and Bitwarden’s security documentation both explain the architecture in sufficient detail to verify the zero-knowledge property technically.
- Open-source code (optional but stronger). Bitwarden is open-source, so you can read the encryption code directly. For closed-source managers, you’re trusting the audit reports.
Managers with verified zero-knowledge architecture
Based on external audit reports we have reviewed:
| Manager | Verification | Audit firm | Year |
|---|---|---|---|
| 1Password | Confirmed | Cure53, Trail of Bits, AppSec Consulting | 2019, 2022, 2024 |
| Bitwarden | Confirmed | Cure53 (×3), Insight Risk Consulting | 2020, 2022, 2024 |
| Dashlane | Confirmed | Cure53 | 2023 |
| NordPass | Confirmed | Cure53 | 2023 |
| LastPass | Confirmed (pre-breach architecture) | Tevora | 2022 |
What is not verified here: the absence of backdoors or implementation bugs. Zero-knowledge architecture can be correctly designed and still have implementation vulnerabilities. The audit history of a manager is your best proxy for the probability that any such bugs have been found and fixed.
Go deeper
- Stage 1 (Learn): What is a password manager? The foundational guide; start here if you're new to the space.
- Stage 3 (Commercial): The 8 Best Password Managers, 2026. From foundation to pick: which manager has this feature verified?
- Stage 5 (Tool): Decision Wizard. 5 questions, 60 seconds, your top-3 recommendation.