"Zero-knowledge" is a real cryptographic concept. It's also one of the most misused marketing terms in consumer security.
An investigation by Ars Technica has found that the "zero-knowledge" promises made by multiple popular password managers are not always technically accurate. Some architectures allow the service provider to access vault data under certain conditions - despite marketing language that explicitly asserts they cannot see your passwords.
This matters because millions of people chose password managers specifically because of these privacy assurances. If the assurances are marketing copy dressed up as engineering guarantees, users are operating under a false assumption about their security posture.
Let me explain what zero-knowledge actually means and where the gap is.
In proper cryptographic zero-knowledge design, the service provider never receives data in a form they can read. Your passwords are encrypted on your device with a key derived from your master password before they ever leave your device. The server receives and stores encrypted ciphertext. Mathematically, even if the provider wanted to read your vault, they couldn't - they have the encrypted blob but not the key.
This is a strong and provable guarantee when implemented correctly. Several reputable password managers - notably Bitwarden, which is open-source and independently audited - implement something close to this. You can verify the implementation.
The problem emerges when "zero-knowledge" gets used as a marketing claim by products whose architecture doesn't actually deliver that property. There are several ways the guarantee can break down:
Account recovery flows. If a password manager offers recovery mechanisms that don't require your master password - say, recovery via email or phone - then some key material must exist that can decrypt your vault without your master password. That key must live somewhere the provider can access.
Browser extension behavior. Some password managers temporarily cache decrypted vault data in browser memory in ways that could be accessible if the provider controls the extension code. Closed-source extensions that aren't independently audited make it difficult to verify what's actually happening.
