Hosted password managers: I avoid them
I tend to avoid any hosted password manager, such as LastPass, Bitwarden, and 1Password. What they all have in common is that you enter your “master password” into a website, or into an application whose code is delivered from a web URL.
A website can be updated, transparently and at any time, to capture and store your “master password” or other credentials: the client code is served fresh on every page load, so there is no install step or version bump for you to notice. A simple programmer error, a failure in the CI/CD pipeline, or a leaked credential at the password manager company can lead to a full compromise of the hosted stack with relative ease. And because these companies hold the credentials of all of their customers, they are prime targets for attackers.
The transport is not a reliable safeguard either: certificates do get “accidentally” issued for websites by unscrupulous certificate authorities, and many enterprise networks require you to explicitly trust an obscure corporate CA that can then sign for any site and intercept all of your traffic, including the connection to your password manager.
Together, these two factors lead to one conclusion: a hosted password manager is a security liability I don't want to take on.
It would be comforting to believe that none of these password managers will ever be hacked. Given the factors above, that belief does not hold up.
For these reasons, I only use and recommend password managers that store your data entirely under your own control, or at the very least do not routinely require entering a master password on a website. These include Apple's password manager, KeePassXC, Password Store, self-hosted Bitwarden, and Dashlane1).
