Password Manager Security: Comparing the Leading Options in 2026
LastPass announced another security incident last month, and my inbox filled with questions from people wondering if they should switch password managers. It’s a reasonable concern—when you trust a service with literally every password you own, security becomes paramount.
But evaluating password manager security isn’t as simple as reading news headlines about breaches. You need to understand encryption architecture, how data is stored and transmitted, what happens if the company’s infrastructure is compromised, and how the provider responds to security incidents.
I’ve been researching this topic intensively, comparing the major password managers across multiple security dimensions. Here’s what I found.
Understanding the Encryption Model
All reputable password managers use end-to-end encryption, meaning your passwords are encrypted on your device before being transmitted to the service’s servers. The encryption key is derived from your master password, which the service never receives or stores.
This architecture means that even if someone compromises the service’s servers and steals the encrypted vault data, they can’t decrypt it without your master password. In theory, this makes password managers secure even if the company’s infrastructure is breached.
But implementation details matter enormously. How is the master password converted into an encryption key? What encryption algorithm is used? What key derivation function? Are there any circumstances where unencrypted data exists on the service’s servers, even temporarily?
1Password uses AES-256 encryption with a secret key in addition to your master password. This means even if someone obtains your master password, they still can’t decrypt your vault without the secret key, which is stored locally and never transmitted to 1Password’s servers. This adds a second factor of protection.
Bitwarden also uses AES-256 but relies solely on the master password for key derivation. The encryption is strong, but there’s no additional secret key component. If someone obtains your master password through phishing or keylogging, they can decrypt your vault if they also get access to the encrypted data.
Dashlane uses a similar model to Bitwarden—AES-256 encryption with PBKDF2 key derivation based on the master password. The company emphasizes that vault data never exists unencrypted on their servers, which is good, but again relies on master password security.
Key Derivation Function Strength
The key derivation function (KDF) determines how your master password is converted into an encryption key. This matters because it sets the cost of each guess: an attacker who steals encrypted vault data must run the full KDF for every candidate master password, so the KDF governs how resistant the system is to offline brute-force attacks.
Modern password managers use either PBKDF2 or Argon2 as their KDF, with varying iteration counts. Higher iteration counts make brute forcing slower, but also increase the time needed to unlock your vault legitimately.
Bitwarden recently increased their default PBKDF2 iterations from 100,001 to 600,000, significantly improving resistance to brute force while keeping unlock times reasonable on modern devices. They also support Argon2id, which is considered more secure than PBKDF2 because its memory-hard design makes GPU-based cracking far less efficient.
1Password uses PBKDF2-HMAC-SHA256 with 100,000 iterations for the master password component, which is solid though not exceptional. However, their secret key adds protection that makes the KDF iteration count less critical—you’d need both the master password and the secret key to attempt brute forcing.
NordPass uses Argon2 by default, which is excellent from a cryptographic strength perspective. Argon2 won the Password Hashing Competition in 2015 specifically because it’s highly resistant to both GPU and ASIC-based cracking attempts.
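To make the KDF and secret-key points above concrete, here is an added example (my own illustrative code, not from Bitwarden, 1Password or any other vendor). It derives a vault key with PBKDF2-HMAC-SHA256 at a chosen iteration count, and also models a two-secret variant in which a device-held secret key is mixed into the derived key; that variant is a simplified assumption, not 1Password's exact construction. The salt and secret-key values used to exercise it are constructed for the demonstration.

```python
import hashlib
import hmac
import os

KEY_LEN = 32  # 256-bit vault key, the size an AES-256 cipher would consume


def derive_from_master(master_password: str, salt: bytes, iterations: int) -> bytes:
    # PBKDF2-HMAC-SHA256: every guess costs the attacker `iterations` HMAC calls,
    # which is why raising the count (100,000 -> 600,000) slows offline cracking.
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, KEY_LEN)


def derive_two_secret(master_password: str, secret_key: bytes,
                      salt: bytes, iterations: int) -> bytes:
    # Illustrative two-secret model (an assumption here, not 1Password's exact scheme):
    # the password-derived key is XORed with a key-length expansion of the secret key.
    pw_part = derive_from_master(master_password, salt, iterations)
    sk_part = hmac.new(secret_key, b"vault-key" + salt, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))


def key_check(vault_key: bytes) -> bytes:
    # Stored next to the ciphertext so a client can tell it derived the right key.
    return hmac.new(vault_key, b"key-check", hashlib.sha256).digest()


def make_vault(master_password: str, iterations: int, secret_key=None, salt=None) -> dict:
    # The returned record is all a server would hold: salt, iteration count and
    # check value, never the master password or the secret key.
    salt = salt if salt is not None else os.urandom(16)
    if secret_key is None:
        vault_key = derive_from_master(master_password, salt, iterations)
    else:
        vault_key = derive_two_secret(master_password, secret_key, salt, iterations)
    return {"salt": salt, "iterations": iterations,
            "two_secret": secret_key is not None, "check": key_check(vault_key)}


def can_unlock(vault: dict, master_password: str, secret_key=None) -> bool:
    # Re-derive with whatever the caller holds and compare in constant time.
    if vault["two_secret"]:
        if secret_key is None:
            return False
        key = derive_two_secret(master_password, secret_key,
                                vault["salt"], vault["iterations"])
    else:
        key = derive_from_master(master_password, vault["salt"], vault["iterations"])
    return hmac.compare_digest(key_check(key), vault["check"])
```

Timing one derive_from_master call at 100,000 versus 600,000 iterations shows the per-guess cost scaling linearly with the count, while a two-secret vault stays locked to the correct master password alone.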
Third-Party Security Audits
Independent security audits matter more than vendor security claims. Any company can assert that their system is secure; having external experts examine the codebase and architecture provides actual validation.
Bitwarden publishes annual security audits from Cure53, a well-respected security firm. The reports are comprehensive, covering architecture review, penetration testing, and source code analysis. Bitwarden’s open-source nature means researchers can independently verify security claims.
1Password has undergone multiple third-party audits, including from companies like ISE and CloudEntropy. They don’t publish full reports publicly, but they do share audit results and confirm no critical vulnerabilities were found. Their transparency around the audit process is reasonable.
Dashlane has been audited by Sogeti, though the audit reports aren’t publicly available in full detail. They share summaries and confirm that critical issues identified during audits have been addressed.
The frequency and transparency of audits matter as much as their existence. Annual audits that cover new features and changes are more valuable than one-time audits from years ago that may not reflect current code.
Breach Response Track Record
How a company responds to security incidents reveals a lot about their security culture and preparedness. The LastPass breaches over the past few years provide an instructive case study.
LastPass suffered a breach in 2022 where attackers accessed source code and technical information. Then in late 2022, attackers used information from the first breach to access cloud storage containing encrypted customer vault backups. LastPass initially downplayed the severity, then gradually revealed more concerning details over several months as the investigation continued.
The delayed and incomplete disclosure damaged trust significantly. Many security professionals now recommend against using LastPass not just because of the breaches themselves, but because of how the company handled communication about them.
In contrast, when 1Password discovered in 2019 that an attacker had accessed a development environment, they disclosed it proactively, explained exactly what data was exposed (none included customer vaults), and detailed the security improvements they implemented in response. The incident was minor, but the transparency built confidence.
Bitwarden hasn’t had a major breach to date, which is positive but also means we don’t have evidence of how they’d handle one. Their open-source nature and transparent development process suggest they’d likely disclose issues promptly, but that’s speculation rather than demonstrated fact.
Data Storage and Jurisdiction
Where your encrypted vault data is stored affects legal risks and government access potential. Different jurisdictions have different laws about data retention, government access requirements, and privacy protections.
1Password is based in Canada and stores data in US and Canadian data centers. Canada has relatively strong privacy protections, though data stored in the US is subject to US government access laws under certain circumstances.
Bitwarden is based in the US but offers European Union cloud hosting for customers who want data stored under EU jurisdiction and GDPR protections. For users concerned about US government access, EU hosting provides an alternative.
Dashlane is based in the US with servers in AWS data centers in the US and EU. They comply with GDPR for EU customers and offer data residency choices.
NordPass, from the company behind NordVPN, is based in Panama, which has favorable privacy laws and no data retention requirements. However, their cloud infrastructure still uses providers like Google Cloud and Amazon AWS, so the practical implications of Panamanian jurisdiction are limited.
Zero-Knowledge Architecture Verification
All major password managers claim zero-knowledge architecture where they can’t access your unencrypted data. But verifying this claim requires examining actual implementation.
Bitwarden’s open-source code allows independent verification of their zero-knowledge claims. Security researchers can examine exactly what data the clients send to servers and confirm that only encrypted data is transmitted.
Proprietary password managers like 1Password and Dashlane require trusting their descriptions of their architecture, since the source code isn’t available for independent review. They could include backdoors or unencrypted data exfiltration that users can’t detect. To be clear, I don’t believe they do—both companies have strong reputations and would face enormous liability if backdoors were discovered—but it’s theoretically possible.
For people who want maximum assurance that zero-knowledge claims are accurate, open-source options like Bitwarden or KeePassXC provide verification that closed-source options can’t match.
The Role of AI in Password Security
Interestingly, some password managers are starting to integrate AI capabilities for security enhancement. These include anomaly detection for unusual login patterns, predictive analysis to identify compromised credentials before breaches are publicly announced, and intelligent password strength analysis that considers context beyond simple character requirements.
The security implications of AI integration are mixed. On one hand, AI can identify threats that rule-based systems would miss. On the other hand, AI systems introduce new attack surfaces and require additional data processing that could create privacy concerns.
If you’re evaluating password managers with AI features, ask how the AI processing happens. Is data processed locally on your device, or sent to servers? If sent to servers, what data is transmitted and is it encrypted? Who has access to the AI training data and model outputs?
My Current Recommendations
For most people, I recommend either Bitwarden or 1Password based on different priorities.
Bitwarden offers excellent security, open-source transparency, affordable pricing (the free tier is genuinely functional), and the ability to self-host for maximum control. The interface is less polished than some competitors', but functionality is comprehensive.
1Password provides a more refined user experience, particularly for less technical users or families. The secret key addition provides strong security, and their track record over 15+ years is solid. The cost is higher than Bitwarden, but still reasonable for the value provided.
I’ve moved away from recommending LastPass until they demonstrate better security practices and transparency. The recent breaches and poor response have undermined confidence.
Dashlane remains a solid choice with good security fundamentals, though I don’t see compelling advantages over Bitwarden or 1Password that would justify recommending it over those options.
For users who want maximum control and don’t mind reduced convenience, KeePassXC provides local-only password storage with no cloud sync, eliminating server-side security concerns entirely. The trade-off is manual sync between devices and more technical setup requirements.
Whatever password manager you choose, using one is far better than reusing passwords across sites or using weak passwords you can remember. Even a less-than-perfect password manager provides enormous security improvement over common alternatives. The important thing is making the choice and actually using it consistently.