What Is a Zero-Knowledge Password Manager?
Most password managers can read your passwords. Zero-knowledge ones cannot — by design. Here's what zero-knowledge actually means, how to verify it, and why it matters for crypto holders.
The term 'zero-knowledge' is widely misused in security marketing. A true zero-knowledge system is one where the service provider mathematically cannot access your plaintext data — not one where they promise not to.
What zero-knowledge actually means
For a password manager, zero-knowledge means the server has zero knowledge of the plaintext. Your data is encrypted on your device, with a key derived from your master password, before it is ever transmitted. The server stores only ciphertext. Even with full access to the server's database, an attacker cannot read your passwords.
How to verify a claim of zero-knowledge
- The encryption must happen client-side (in your browser or app), not server-side.
- The key derivation must use your password — meaning the server never receives your password or the derived key.
- The source code should be auditable — either open-source or independently audited with published results.
- The server should be technically incapable of decryption, not just policy-prohibited from it.
The difference between zero-knowledge and end-to-end encrypted
End-to-end encrypted means data is encrypted in transit between sender and recipient. Zero-knowledge means the service provider itself cannot read the data at rest. A system can be end-to-end encrypted but not zero-knowledge if the provider holds decryption keys.
Why it matters for crypto holders
Seed phrases stored in non-zero-knowledge password managers are exposed in every breach of that service. LastPass's 2022 breach exposed encrypted vaults — which were subsequently cracked because the encryption was weak and key derivation was inadequate. Zero-knowledge architecture with strong key derivation (PBKDF2 with 310,000 iterations, or Argon2id) makes brute-force attacks computationally infeasible.
The inheritance dimension
Zero-knowledge architecture creates an inheritance problem: if the server cannot decrypt your vault, how does your heir get access after you die? The answer is cryptographic key splitting — your heir holds a shard of the decryption key, delivered only when your dead man's switch triggers. Zero-knowledge and inheritance are compatible, but require deliberate design.
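As an added example (not VaultPass's code, nor any particular product's), the two mechanisms described above in one Python script: the vault key is derived client-side with PBKDF2 at the 310,000 iterations quoted earlier, and the resulting key is split 2-of-3 with Shamir secret sharing so that an heir's share plus a custodian's share reconstructs it while any single share is useless. The function names, the 2-of-3 threshold and the sample salt are my choices.

```python
import hashlib
import secrets

# Mersenne prime 2^521 - 1: every 256-bit key is a valid field element.
PRIME = 2**521 - 1
PBKDF2_ITERATIONS = 310_000  # the iteration count quoted in the article

def derive_vault_key(master_password: str, salt: bytes) -> bytes:
    """Client-side key derivation. The server may store the salt, but it
    never receives the master password or this 32-byte key."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=32
    )

def _eval_poly(coeffs, x):
    """Horner evaluation of a polynomial with coefficients in the field."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc

def split_key(key: bytes, threshold: int, share_count: int):
    """Shamir secret sharing: the key is the constant term of a random
    polynomial of degree threshold-1; each share is one point on it."""
    coeffs = [int.from_bytes(key, "big")]
    coeffs += [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, share_count + 1)]

def recover_key(shares) -> bytes:
    """Lagrange interpolation at x=0; needs at least `threshold` shares.
    With fewer, the result is an unrelated random field element, so a real
    design verifies the recovered key (e.g. against a stored key check
    value) before trusting it."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret.to_bytes(32, "big")

if __name__ == "__main__":
    salt = secrets.token_bytes(16)  # constructed sample salt, stored server-side
    key = derive_vault_key("correct horse battery staple", salt)
    owner, heir, custodian = split_key(key, threshold=2, share_count=3)
    # The custodian releases its share only when the dead man's switch fires.
    assert recover_key([heir, custodian]) == key
    print("2-of-3 reconstruction ok; a single share reveals nothing")
```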
Protect your crypto legacy
VaultPass is a zero-knowledge inheritance protocol. Your seed phrases are encrypted in your browser — we never see them.