Which password managers have been breached, and which are independently audited? (2026)
Among the major password managers, the notable breach is LastPass: in 2022 attackers stole backups of encrypted customer vaults, and the slow disclosure cost it years of trust. No comparable breach has hit Bitwarden, 1Password, Proton Pass, or Keeper. The strongest assurance comes from open-source, independently audited tools (Bitwarden, Proton Pass, KeePass), where anyone can inspect the code, plus regularly audited closed-source apps like 1Password. A side note that catches people out: the only free plan that works fully across all your devices is Bitwarden, while NordPass and LastPass limit their free tier to one device.
A password manager is the one app where a breach is most frightening, so track record matters as much as features. The defining event is the 2022 LastPass breach, in which attackers obtained backups of customer vaults. Because the vaults were encrypted, users with a strong, unique master password were largely protected, but the slow and incomplete disclosure did lasting damage to trust, and the product still carries that reputation. The lesson is not "avoid password managers" (you are still far safer with one than reusing passwords); it is that how a company behaves after an incident is part of what you buy.
Two signals separate verifiable security from marketing. Open source means anyone can inspect the code for flaws: Bitwarden, Proton Pass, and KeePass are open source, and Bitwarden and Proton Pass are also independently audited on a regular basis. Closed source is not unsafe, but it puts the burden on repeated third-party audits: 1Password and Keeper publish these, and 1Password adds a second secret key on top of your master password as structural protection. If a manager is neither open source nor regularly audited, you are trusting a promise you cannot check.
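To make concrete why a stolen encrypted vault backup is only as safe as whatever protects its key, here is an added Python example; it is not code from any of the products named above. It models a vault key derived from the master password with PBKDF2, estimates how the KDF iteration count and the password's entropy together set an attacker's offline guessing cost against a stolen backup, and shows how mixing in a second, device-held secret key, in the spirit of the 1Password design described above, takes the key out of reach of master-password guessing. The iteration count, the assumed attacker hash rate, the entropy figures and the way the secret key is combined with the salt are all assumptions chosen for illustration, not any vendor's parameters.

```python
import hashlib
import secrets

# Constructed parameters for the example; real products choose their own
# KDF, iteration counts and salt handling, so treat these as assumptions.
ITERATIONS = 100_000      # kept modest so the example runs quickly
KEY_LEN = 32              # 256-bit vault key
SECONDS_PER_YEAR = 365 * 24 * 3600


def derive_vault_key(master_password: str, salt: bytes,
                     secret_key: bytes = b"", iterations: int = ITERATIONS) -> bytes:
    """Derive the key that encrypts the vault (hypothetical helper).

    With secret_key empty this models the common design: the vault key comes
    from the master password alone, so whoever holds an encrypted backup can
    guess master passwords offline and check each guess against the vault.
    Passing a secret_key models a second secret held only on the user's
    devices being mixed into the derivation (here simply prepended to the
    salt; the real product's mixing is not reproduced). The point is that the
    key cannot be derived without it, whatever the master password is.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               secret_key + salt, iterations, dklen=KEY_LEN)


def guesses_per_second(hmac_per_second: float, iterations: int = ITERATIONS) -> float:
    """Each PBKDF2 guess costs roughly `iterations` HMAC evaluations, so the
    iteration count divides the attacker's raw hashing rate."""
    return hmac_per_second / iterations


def expected_years_to_guess(entropy_bits: float, guess_rate: float) -> float:
    """Expected time to find a secret of the given entropy when guessing at
    guess_rate per second: on average half the space is searched."""
    expected_guesses = 2 ** (entropy_bits - 1)
    return expected_guesses / guess_rate / SECONDS_PER_YEAR


def effective_entropy_bits(password_entropy_bits: float, secret_key: bytes) -> float:
    """A uniformly random secret key adds its full length in bits to what an
    attacker holding only the vault backup has to guess."""
    return password_entropy_bits + 8 * len(secret_key)


if __name__ == "__main__":
    salt = secrets.token_bytes(16)
    password = "correct horse battery staple"

    # Assumed attacker capability for the worked numbers (constructed):
    # 1e10 HMAC-SHA256 per second against a vault using 600k iterations.
    rate = guesses_per_second(1e10, iterations=600_000)
    print(f"effective guess rate: {rate:,.0f} master passwords/s")
    for bits in (28, 40, 60, 80):
        print(f"  {bits:2d}-bit master password: "
              f"{expected_years_to_guess(bits, rate):.3g} years expected")

    # Same master password, same salt: identical key without a secret key...
    key_a = derive_vault_key(password, salt)
    key_b = derive_vault_key(password, salt)
    print("deterministic without secret key:", key_a == key_b)

    # ...but with a 128-bit secret key, the master password alone is useless.
    device_secret = secrets.token_bytes(16)
    key_c = derive_vault_key(password, salt, secret_key=device_secret)
    print("secret key changes the vault key:", key_a != key_c)
    print(f"  attacker must now guess {effective_entropy_bits(40, device_secret):.0f} bits: "
          f"{expected_years_to_guess(effective_entropy_bits(40, device_secret), rate):.3g} years")
```

The printed table is the practical takeaway: at the assumed rate, a 28-bit master password (a short word with a digit or two) falls out of a stolen backup in hours despite a high iteration count, a 60-bit one takes millions of years, and any random 128-bit secret key pushes the expected time far beyond any attacker's budget regardless of how weak the password is. That is the structural difference between a design that relies on the user's master password alone and one that also requires a second secret the backup does not contain.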
One practical trap when comparing free plans is the device limit, where "free" quietly becomes "paid":

Bitwarden Free: unlimited passwords on all your devices, the genuinely complete free plan.
Proton Pass Free: unlimited devices, plus 10 email aliases.
NordPass Free: one device logged in at a time.
LastPass Free: one device type only (mobile or desktop, not both).
Dashlane: no free plan, and existing free accounts are removed in September 2026.

Apple Passwords and Google Password Manager are free and fine inside their own ecosystems, but stop working well once you mix Apple, Windows, and Android. For most people the honest recommendation is Bitwarden: open source, audited, and free across everything.