What zero-knowledge means in a password manager — and what it doesn't

Zero-knowledge is the most frequently cited security property in password manager marketing. Every provider in this comparison claims it. The claim means that encryption and decryption happen on your device — your master password is never transmitted to the company's servers, and the company cannot decrypt your vault even if legally compelled. This is meaningfully true for all six providers covered here. It is also not the complete picture.

Zero-knowledge is a technical architecture, not a total privacy guarantee. It protects the content of your credentials. It says nothing about the metadata that surrounds them — website URLs, IP addresses, access logs, and account information. Understanding the gap between what zero-knowledge covers and what it doesn't is more useful than treating it as a binary property.

Quick answer

You want zero-knowledge that also covers URL metadata

Proton Pass — extends zero-knowledge to URL fields, titles, and usernames, not just passwords

You want verifiable zero-knowledge via open source

Bitwarden — full open-source stack; zero-knowledge claim is independently verifiable by reading the code

When it matters

Zero-knowledge covers: your passwords, secure notes, and any other content stored in credential fields. These are encrypted on your device before upload. The provider's servers hold encrypted blobs. Under legal compulsion, the provider can produce only those encrypted blobs — useless without your master password.

Zero-knowledge does not cover: the list of websites your credentials belong to (unless the provider encrypts URL metadata), your IP address and device fingerprint at login, the timing and frequency of your vault access, billing information, and the email address associated with your account.

  • Standard zero-knowledge (all 6 providers) — passwords encrypted; URL metadata stored in plaintext
  • Extended zero-knowledge (Proton Pass only) — passwords AND URL metadata encrypted; all fields protected
  • Self-hosted zero-knowledge (Bitwarden) — full zero-knowledge with the option to remove the provider from the trust chain entirely

When it fails

  • Compromised device — if malware is running on your device when you unlock your vault, it can capture credentials regardless of zero-knowledge server architecture
  • Weak master password — zero-knowledge protects vault contents from the provider; it doesn't protect against offline brute-force attacks on stolen vault data if your master password is weak
  • Metadata exposure — the 2022 LastPass breach demonstrated this concretely: encrypted vault data was taken alongside unencrypted URL metadata. Zero-knowledge protected the passwords; it didn't protect the map of the user's digital life
  • Recovery mechanisms — some providers' account recovery options (SMS recovery, biometric recovery) may weaken zero-knowledge guarantees by providing alternative paths into the vault
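The standard/extended distinction above and the metadata-exposure failure mode, as a constructed toy model (added here; not any provider's code): the vault key is derived on the client with PBKDF2, each chosen field is encrypted with an HMAC-SHA256 counter-mode keystream plus an HMAC tag, and server_view() shows exactly what a server-side breach yields under each policy. Real products use a vetted AEAD such as AES-GCM or XChaCha20-Poly1305; the field names, salt and sample entries are assumptions.

```python
# Constructed toy model of standard vs extended zero-knowledge vault storage
# (not any provider's code): PBKDF2 derives the vault key, an HMAC-SHA256
# counter-mode keystream encrypts fields, an HMAC tag authenticates them.
import hashlib, hmac, os

def derive_key(master_password: str, salt: bytes) -> bytes:
    # Deliberately slow KDF: the only brake on offline guessing of a stolen blob.
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, 100_000)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def encrypt_field(key: bytes, plaintext: str) -> dict:
    nonce, data = os.urandom(16), plaintext.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}

def decrypt_field(key: bytes, blob: dict) -> str:
    nonce, ct, tag = (bytes.fromhex(blob[k]) for k in ("nonce", "ct", "tag"))
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong master password or tampered blob")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode()

STANDARD_ENCRYPTED = {"password", "notes"}          # credential content only
EXTENDED_ENCRYPTED = STANDARD_ENCRYPTED | {"url", "title", "username"}  # metadata too

def build_vault(entries, master_password, encrypted_fields, salt):
    key = derive_key(master_password, salt)  # client side; never leaves the device
    return [{f: encrypt_field(key, v) if f in encrypted_fields else v
             for f, v in e.items()} for e in entries]

def server_view(vault):
    # What a server-side breach yields: every field still stored as a plaintext string.
    return [{f: v for f, v in e.items() if isinstance(v, str)} for e in vault]

def open_vault(vault, master_password, salt):
    key = derive_key(master_password, salt)  # wrong password -> tag check fails
    return [{f: decrypt_field(key, v) if isinstance(v, dict) else v
             for f, v in e.items()} for e in vault]

SAMPLE_ENTRIES = [  # constructed sample data, not real credentials
    {"title": "Bank", "url": "https://bank.example", "username": "alice", "password": "hunter2!x"},
    {"title": "Clinic", "url": "https://clinic.example", "username": "alice", "password": "p4tient"},
]
```

Under STANDARD_ENCRYPTED the breach view is the full site list with usernames (the LastPass situation described above); under EXTENDED_ENCRYPTED it is empty, and in both cases the stored passwords are only as safe as the master password fed to the KDF.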

How providers fit

Bitwarden — standard zero-knowledge, verifiable via open source. The full stack is published on GitHub. Argon2id is available as a KDF option. Self-hosting removes the cloud provider from the chain.

Proton Pass — extended zero-knowledge that encrypts URL metadata alongside credentials. The only provider in this comparison where a server-side breach produces no readable site list. Clients are open source.

Dashlane — standard zero-knowledge with Confidential SSO, which maintains zero-knowledge architecture through SSO logins — a technical achievement that other providers don't match for enterprise SSO use cases.

Bottom line

Zero-knowledge is a necessary property for a trustworthy password manager — all providers in this comparison implement it for credential content. The differentiation is in what else gets protected. Proton Pass for extended zero-knowledge covering metadata. Bitwarden for verifiable zero-knowledge via open source. The presence of zero-knowledge in marketing doesn't mean all implementations are equivalent.
