EVA DAILY

SATURDAY, FEBRUARY 21, 2026

TECHNOLOGY | Wednesday, February 18, 2026 at 6:28 AM

Your Password Manager Might Not Be as Blind to Your Data as You Think

An investigation by Ars Technica found that 'zero-knowledge' promises made by several popular password managers are not always technically accurate, with some architectures allowing providers to access vault data under specific conditions like account recovery. The finding affects millions of users who chose these products specifically because of strong privacy assurances.

Aisha Patel

3 days ago · 3 min read

Photo: Unsplash / Umberto

"Zero-knowledge" is a real cryptographic concept. It's also one of the most misused marketing terms in consumer security.

An investigation by Ars Technica has found that the "zero-knowledge" promises made by multiple popular password managers are not always technically accurate. Some architectures allow the service provider to access vault data under certain conditions - despite marketing language that explicitly asserts they cannot see your passwords.

This matters because millions of people chose password managers specifically because of these privacy assurances. If the assurances are marketing copy dressed up as engineering guarantees, users are operating under a false assumption about their security posture.

Let me explain what zero-knowledge actually means and where the gap is.

In a proper cryptographic zero-knowledge design, the service provider never receives data in a form it can read. Your passwords are encrypted on your device, with a key derived from your master password, before they ever leave it. The server receives and stores only ciphertext. Even if the provider wanted to read your vault, it couldn't - it holds the encrypted blob but not the key, and the master password that the key is derived from never reaches the server.

This is a strong and provable guarantee when implemented correctly. Several reputable password managers - notably Bitwarden, which is open-source and independently audited - implement something close to this. You can verify the implementation.

The problem emerges when "zero-knowledge" gets used as a marketing claim by products whose architecture doesn't actually deliver that property. There are several ways the guarantee can break down:

Account recovery flows. If a password manager offers recovery mechanisms that don't require your master password - say, recovery via email or phone - then some key material must exist that can decrypt your vault without your master password. That key must live somewhere the provider can access.

Browser extension behavior. Some password managers temporarily cache decrypted vault data in browser memory in ways that could be accessible if the provider controls the extension code. Closed-source extensions that aren't independently audited make it difficult to verify what's actually happening.

Emergency access features. Products that allow you to designate a trusted contact who can access your vault after a waiting period must have an architecture that supports this. True zero-knowledge, strictly implemented, would make this impossible.

None of these are necessarily bad product decisions. Emergency access is genuinely useful. Account recovery is genuinely important for users who forget their master passwords. But they are architecturally incompatible with true zero-knowledge guarantees, and marketing them as zero-knowledge is misleading.
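The two architectures described above, as an added example that is not code from the article or from any password manager it names: a standard-library-only Python model of a client-side-encrypted vault. The master-password-derived key, the random vault key, the `seal`/`open_sealed` cipher (an HMAC-SHA256 encrypt-then-MAC stand-in for AES-GCM, because Python's standard library has no AEAD) and the provider-held `provider_recovery_key` are all assumptions of the model, not any product's real design. `provider_recover` is the check: it returns `None` for the strictly enrolled record, because nothing the server stores decrypts without the master password, and it returns the plaintext vault for a record enrolled with provider-side recovery, which is exactly the account-recovery gap the article describes.

```python
# Added example (not code from the article or from any product it names): a
# toy model of a client-side-encrypted password vault, showing why the server
# cannot read it and how a provider-held recovery key changes that.
# Stand-in cipher: stdlib-only encrypt-then-MAC built from HMAC-SHA256 (the
# standard library has no AES); a real product would use AES-GCM or
# XChaCha20-Poly1305 and a memory-hard KDF such as Argon2id.
import hashlib
import hmac
import os
from typing import Optional

KDF_ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 iterations (assumed value)
NONCE_LEN, TAG_LEN = 16, 32


def derive_master_key(master_password: str, salt: bytes) -> bytes:
    """Client-side only: the master password never leaves the device."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt,
                               KDF_ITERATIONS, dklen=32)


def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC keys from one 32-byte key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC in counter mode, used as a stream cipher for this toy model.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Authenticated encryption: nonce || ciphertext || tag."""
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Raises ValueError on a wrong key or a tampered blob (tag is checked first)."""
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong key or modified data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def enroll(master_password: str, vault: bytes,
           provider_recovery_key: Optional[bytes] = None) -> dict:
    """Runs on the client. Returns the record the server stores.

    The vault is encrypted under a random vault key; that key is wrapped under
    the master-password-derived key. If the product offers provider-side
    recovery, the same vault key is ALSO wrapped under a key the provider holds.
    """
    salt, vault_key = os.urandom(16), os.urandom(32)
    record = {
        "salt": salt,
        "vault": seal(vault_key, vault),
        "wrapped_key": seal(derive_master_key(master_password, salt), vault_key),
    }
    if provider_recovery_key is not None:
        record["recovery_wrapped_key"] = seal(provider_recovery_key, vault_key)
    return record


def open_vault(record: dict, master_password: str) -> bytes:
    """Normal client path: requires the master password."""
    master_key = derive_master_key(master_password, record["salt"])
    vault_key = open_sealed(master_key, record["wrapped_key"])
    return open_sealed(vault_key, record["vault"])


def provider_recover(record: dict, provider_recovery_key: bytes) -> Optional[bytes]:
    """Server-side path: what the provider can read using only what it holds.

    Returns None when no provider-accessible key exists (the zero-knowledge
    case); otherwise returns the decrypted vault, proving the provider can read it.
    """
    if "recovery_wrapped_key" not in record:
        return None
    vault_key = open_sealed(provider_recovery_key, record["recovery_wrapped_key"])
    return open_sealed(vault_key, record["vault"])


if __name__ == "__main__":
    vault = b"example.com: hunter2\nbank.example: correct-horse"  # constructed sample
    strict = enroll("my master passphrase", vault)
    print("provider can read strict vault:", provider_recover(strict, b"x" * 32) is not None)
    escrow_key = os.urandom(32)  # held by the provider for "forgot my password" recovery
    recoverable = enroll("my master passphrase", vault, provider_recovery_key=escrow_key)
    print("provider can read recoverable vault:", provider_recover(recoverable, escrow_key) == vault)
```

The model is deliberately minimal: everything in `enroll` and `open_vault` runs on the client, and the only thing the server ever sees is `record`. Adding one field, `recovery_wrapped_key`, is all it takes to turn a vault the provider cannot open into one it can, which is why the article's advice to read the architecture documentation for each feature, not just the storage path, is the right check.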

The practical advice for users:

Look for open-source password managers with published audit reports. Bitwarden publishes its code and its audit results. You can verify what it does. Closed-source products ask you to trust their marketing.

Understand what "zero-knowledge" means for specific features. A product can be zero-knowledge for basic password storage but not for recovery features. Read the architecture documentation, not the landing page.

Treat any password manager as a significant trust relationship. You're centralizing your most sensitive credentials with a single provider. The security model matters enormously. If you can't verify it, that's information.
