The Password Manager Problem: Why Your Vault Might Not Be Secure
Password managers are essential for good security hygiene, but they introduce concentrated targets. When 1Password, LastPass, or Bitwarden gets breached, the blast radius is enormous. Here is what actually happens when your password manager gets compromised.
Password managers have become essential infrastructure for anyone who takes online security seriously. The math is simple: using unique, strong passwords for every account prevents credential stuffing attacks, where breaches of one service become attacks on others. Without a password manager, memorizing unique strong passwords for dozens of accounts is impractical, so most people reuse — and reuse is the configuration that turns one breach into dozens.
But password managers introduce a different risk: they become high-value targets. When you store all your credentials in one place, you make that place worth attacking. The question is not whether password managers are better than the alternative — they are — but what happens when the vault itself is compromised.
The Concentration Problem
A password manager is a single point of failure by design. You are betting that one secure location, protected by one master password and one set of authentication factors, is harder to attack than the alternative of multiple weak passwords across multiple sites. For most users, this bet is correct. The alternative — reused passwords, predictable passwords, or passwords written on sticky notes — is objectively worse. But the bet only pays off if the password manager itself remains secure. A compromised password manager exposes everything at once.
The risk is asymmetric. For an attacker, investing effort to compromise one password manager potentially yields access to dozens of high-value accounts. For a user, the defense of one strong master password is simpler than maintaining dozens of unique passwords. Attackers follow incentives, and password managers are rich targets.
How Password Manager Encryption Actually Works
Most modern password managers encrypt your vault using a key derived from your master password through a key derivation function. When you create your master password, the manager runs it through a function like Argon2id or scrypt that transforms it into an encryption key. That key encrypts your vault locally before anything is sent to the server. The server never sees your master password or your unencrypted vault. When you authenticate to the service, you prove knowledge of the master password rather than transmitting the password itself.
This architecture means that even if the server is breached and encrypted vaults are stolen, the attacker still needs to crack the encryption, and cracking means guessing the master password. Modern password managers use key derivation functions designed to be slow and memory-intensive, making brute-force attacks expensive. A strong master password — long, unique, not reused anywhere — is computationally expensive to crack.
The weakness is master password selection. Users who choose weak master passwords, reuse master passwords that have appeared in other breaches, or use predictable patterns give attackers a fighting chance. The encrypted vault is only as strong as the master password protecting it.
The LastPass Breach: A Case Study
The LastPass breach disclosed in 2022 illustrated these dynamics. Attackers stole encrypted vault data and cryptographic materials from LastPass servers. The encrypted vaults require the master password to decrypt — but the breach also included vault metadata, encrypted key materials, and encrypted notes.
LastPass's response was to emphasize that the encryption remained unbroken — that master passwords protected vaults. This is technically true for users with strong master passwords. But it elides the practical risk: many users have weak master passwords, and a breach of this scale gives attackers everything they need to attempt cracking at scale. Security researchers who analyzed the breach noted that the cryptographic design was sound, but that user education was lacking.
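The key-derivation model described above, and the offline-guessing cost that is all that stands between a stolen salt-plus-verifier and the vault, as an added example; this is not any product's scheme, and the HMAC key split, the scrypt parameters and the attacker's parallelism figure are assumptions:

```python
import hashlib
import hmac
import os
import time

# Added example of the client-side model described above; an assumed design,
# not any product's actual scheme. scrypt turns the master password into a
# master key, HMAC splits off two domain-separated subkeys: the vault key
# never leaves the device, the auth key is what the client proves it knows.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1  # demo cost; real managers go higher

def derive_master_key(master_password: str, salt: bytes) -> bytes:
    """Slow, memory-hard step: this is also the attacker's cost per guess."""
    return hashlib.scrypt(master_password.encode(), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)

def split_keys(master_key: bytes) -> tuple:
    """Vault key encrypts the vault locally; auth key is shown to the server."""
    vault_key = hmac.new(master_key, b"vault-encryption", hashlib.sha256).digest()
    auth_key = hmac.new(master_key, b"server-authentication", hashlib.sha256).digest()
    return vault_key, auth_key

def enroll(master_password: str) -> dict:
    """Server-side record: salt plus a hash of the auth key (slow hash in production).
    Neither the master password nor the vault key ever reaches the server."""
    salt = os.urandom(16)
    _, auth_key = split_keys(derive_master_key(master_password, salt))
    return {"salt": salt, "verifier": hashlib.sha256(auth_key).digest()}

def login(record: dict, attempt: str) -> bool:
    """Client re-derives the auth key from the attempt; server compares hashes."""
    _, auth_key = split_keys(derive_master_key(attempt, record["salt"]))
    return hmac.compare_digest(hashlib.sha256(auth_key).digest(), record["verifier"])

def offline_crack_years(password_bits: float, seconds_per_guess: float,
                        parallel_guessers: int = 1) -> float:
    """Expected time to find the password once salt and verifier are stolen:
    half the keyspace on average, every guess paying the full KDF cost."""
    guesses = 2 ** (password_bits - 1)
    return guesses * seconds_per_guess / parallel_guessers / (365 * 86400)

if __name__ == "__main__":
    rec = enroll("correct horse battery staple")
    print("login:", login(rec, "correct horse battery staple"), login(rec, "Password123"))
    t0 = time.perf_counter()
    derive_master_key("probe", rec["salt"])
    per_guess = time.perf_counter() - t0
    # illustrative strengths (assumed): 24 bits for a patterned human password,
    # 52 bits for four random words; 10,000 parallel guessers assumed for the attacker
    for bits in (24, 52):
        print(f"{bits}-bit master password: ~{offline_crack_years(bits, per_guess, 10_000):.3g} years")
```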
Many users likely had weak master passwords that could be cracked with modern GPU-assisted attacks. The official response understated the risk to affected users. If you used LastPass, the correct response is: assume your vault may be compromised if your master password is weak or reused, and rotate credentials for any high-value accounts stored there. Use a different password manager for new credentials, with a strong, unique master password.
Self-Hosting: More Control, More Responsibility
Bitwarden offers a self-hosted option that keeps your vault on infrastructure you control. This removes the third-party risk — your vault never touches Bitwarden's servers unless you choose their cloud offering. For security-conscious users with the technical ability to maintain infrastructure, self-hosting is attractive.
The tradeoff is operational security. Bitwarden's self-hosted software must be kept updated, the server must be secured, backups must be maintained, and the network connection must be protected. A poorly maintained self-hosted Bitwarden instance could be more vulnerable than a well-maintained cloud-managed option.
For most users, the cloud-managed password manager with a strong master password and good two-factor authentication is the right balance. Self-hosting makes sense for users with specific threat models — journalists, activists, or others with elevated risk profiles — who have the expertise to maintain their own infrastructure.
What Makes a Master Password Strong
The master password is the linchpin of the entire system. A weak master password undermines the encryption protecting every stored credential. Strong master passwords share the following properties.
Length over complexity. A phrase of random words is more resistant to cracking than a short complex password, because each added character or word multiplies the search space. "correct horse battery staple" type phrases outperform "@B4k!x2qZ" style passwords against modern cracking techniques.
Uniqueness. Your master password must never appear in any breach database. Check your master password against services like Have I Been Pwned before using it. If the password exists in any breach, attackers have it in their cracking dictionaries.
Memorability or backup. A master password you cannot recover is as bad as no password manager. Write it down and store it physically in a secure location — a password manager is useless if you lock yourself out.
Two-factor authentication. The master password alone should not be sufficient to access the vault. Enable hardware key or authenticator-based two-factor authentication for your password manager account.
The password manager problem is not that password managers are bad — they are essential tools. The problem is that users must understand what they are trusting and why. A password manager is only as strong as its weakest component, and for most users, that component is the master password they choose.
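How the breach check recommended under Uniqueness can be run without ever disclosing the master password, as an added example that is not Have I Been Pwned's own client code; the range endpoint and Add-Padding header are the real API, while the sample response body and its counts are constructed:

```python
import hashlib
import urllib.request

# Added example of the k-anonymity check behind Have I Been Pwned's Pwned
# Passwords range API: only the first 5 hex chars of the SHA-1 leave the
# machine; matching the remaining 35 happens locally. Not HIBP's own code.
RANGE_API = "https://api.pwnedpasswords.com/range/"

def sha1_prefix_suffix(password: str) -> tuple:
    """Uppercase SHA-1 hex split into the 5-char prefix sent and the suffix kept."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(body: str) -> dict:
    """Body lines look like '<35-hex-suffix>:<count>'; padding entries sent
    when Add-Padding is requested carry count 0 and are dropped."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.isdigit() and int(count) > 0:
            counts[suffix.upper()] = int(count)
    return counts

def breach_count_from_body(password: str, body: str) -> int:
    """How many breached entries matched; 0 means not in the corpus."""
    _, suffix = sha1_prefix_suffix(password)
    return parse_range_response(body).get(suffix, 0)

def breach_count_online(password: str) -> int:
    """Live lookup; Add-Padding hides the true response size from observers."""
    prefix, _ = sha1_prefix_suffix(password)
    req = urllib.request.Request(RANGE_API + prefix, headers={"Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return breach_count_from_body(password, resp.read().decode("utf-8"))

# Constructed stand-in for the body returned for prefix 5BAA6 (the real one is
# far longer and the counts here are made up); line 1 is the genuine SHA-1
# suffix of "password", the last line is a zero-count padding entry.
SAMPLE_BODY = """1E4C9B93F3F0682250B6CF8331B7EE68FD8:3000000
003D68EB55068C33ACE09247EE4C639306B:3
00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2
0000000000000000000000000000000000A:0
"""

if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        print(repr(candidate), "seen", breach_count_from_body(candidate, SAMPLE_BODY), "times")
```

A master password that returns a non-zero count is already in attackers' dictionaries and must not be used, regardless of how long or complex it looks.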