
Hosted password managers: I avoid them

I tend to avoid any hosted password manager, like LastPass, Bitwarden, and 1Password. All of these password managers share the feature that you must enter your “master password” on a website or an application hosted on a web URL.

It is absolutely trivial for any website to be transparently updated to capture and store your “master password” or other credentials. A simple programmer error, failure in a CI/CD pipeline, or credential failure at the password manager company can lead to a full compromise of the hosted stack with relative ease. Also, because these companies manage credentials for all of their customers, they are prime targets for hacking.
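One control that follows from this risk is to pin the hashes of the client a vendor serves and report any drift. The script below is an added example, not code from this page or from any password manager vendor; the page URLs, script paths and file bodies are constructed samples, and a real check would fetch the login page and its scripts over HTTPS before comparing.

```python
import hashlib
import re
from typing import Dict, List

# Added example: pin the login page of a hosted password manager and every
# script it loads, then report any drift on later snapshots. It works over
# already-fetched bodies so it runs offline.

SCRIPT_SRC = re.compile(r'<script[^>]*\bsrc="([^"]+)"', re.IGNORECASE)

def sha256_hex(body: bytes) -> str:
    return hashlib.sha256(body).hexdigest()

def build_manifest(page_html: str, bodies: Dict[str, bytes]) -> Dict[str, str]:
    """Map 'index.html' and every referenced script URL to its SHA-256."""
    manifest = {"index.html": sha256_hex(page_html.encode("utf-8"))}
    for url in SCRIPT_SRC.findall(page_html):
        # A script that is referenced but could not be fetched is a finding too.
        manifest[url] = sha256_hex(bodies[url]) if url in bodies else "MISSING"
    return manifest

def drift(pinned: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify differences between the pinned baseline and the live snapshot."""
    common = pinned.keys() & current.keys()
    return {
        "added": sorted(current.keys() - pinned.keys()),
        "removed": sorted(pinned.keys() - current.keys()),
        "changed": sorted(u for u in common if pinned[u] != current[u]),
    }

# Constructed sample: the baseline captured when the vault was first set up.
BASELINE_HTML = ('<html><body><script src="/static/vendor.js"></script>'
                 '<script src="/static/app.js"></script></body></html>')
BASELINE_BODIES = {"/static/vendor.js": b"/* vendor build 1 */",
                   "/static/app.js": b"/* app build 1 */"}
PINNED = build_manifest(BASELINE_HTML, BASELINE_BODIES)

# Constructed sample: a later snapshot where app.js was rebuilt and the page
# now pulls in an extra script that was not part of the baseline.
LATER_HTML = ('<html><body><script src="/static/vendor.js"></script>'
              '<script src="/static/app.js"></script>'
              '<script src="/static/extra.js"></script></body></html>')
LATER_BODIES = {"/static/vendor.js": b"/* vendor build 1 */",
                "/static/app.js": b"/* app build 2 */",
                "/static/extra.js": b"/* not in baseline */"}

def check_later_snapshot() -> Dict[str, List[str]]:
    """Compare the later snapshot against the pinned baseline."""
    return drift(PINNED, build_manifest(LATER_HTML, LATER_BODIES))

if __name__ == "__main__":
    # Any non-empty list means the served client is no longer the one you pinned.
    for kind, urls in check_later_snapshot().items():
        print(f"{kind}: {urls}")
```

Legitimate releases trip this check as readily as a hostile change, so it tells you when to re-review the served client, not whether the change is malicious.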

Separately, it is also trivial for certificates to be “accidentally” issued for websites by unscrupulous certificate authorities, and many enterprise networks require explicitly trusting obscure CAs, which allows those networks to sign for, and intercept, all traffic.

Both of these factors combine to lead to one thing: a hosted password manager is a security liability I don't want to take on.

It may seem unlikely that any of these password managers will experience a hack. It isn't.

Owing to this, I only use and suggest password managers that store data entirely in a way that you control, or at the very least, do not regularly require entering a master password on a website. These password managers include Apple's password manager, KeePassXC, Password Store, self-hosted Bitwarden, and Dashlane1).

In Zero Knowledge (About) Encryption: A Comparative Security Analysis of Three Cloud-based Password Managers by Scarlata et al., the researchers identified several distinct attacks on cloud-based password managers that lie outside my criticism, since they involve server compromise – 12 against Bitwarden, 7 against LastPass, and 6 against Dashlane (which, as of October 2025, does not have my main criticism). Note that this paper explicitly excludes the weakness I focus on: “Before going further, we note that there is a trivial attack against end-to-end encrypted applications that we wish to take out of consideration from the outset. Namely, a user can be supplied with a malicious client which, for example, simply returns the user’s master password to the server in the clear. Such an attack would be detectable through code audits and – though possible via an obfuscated functionality – would be very risky for a vendor to conduct”. My emphasis, however, is that with a hosted website, vendor negligence and network interception remain a clear risk.

hosted_pwm.1779468993.txt.gz · Last modified: by particles