ZURICH - For years, June 14 -- even if someone breaks into our servers, your passwords are safe. The data is encrypted on your device. We can't read it. Nobody can. It's what they call "zero-knowledge encryption," and it has been the central promise of a business model that now serves hundreds of millions of people worldwide.

In February, four researchers at Switzerland's ETH Zurich and the Universita della Svizzera italiana sat down and tested that promise. They found it didn't hold.

The team - Matteo Scarlata, Giovanni Torrisi, Matilda Backendal, and Kenneth Paterson - built servers that behaved like compromised versions of the backends used by Bitwarden, LastPass, and Dashlane. Then they ran attacks. Twenty-seven of them. Twelve agai...