The case for using a password manager is simple: you cannot have strong, unique passwords for every account if you're relying on memory. The case against blindly trusting any password manager is equally simple: some of them have been breached. The answer isn't to avoid them — it's to use them correctly.
WHAT HAPPENED WITH LASTPASS
LastPass — once the most recommended password manager — suffered a significant breach in 2022 where attackers exfiltrated encrypted password vaults along with unencrypted metadata including website URLs. The encrypted vaults were protected only by your master password. If your master password was weak or had been used elsewhere, your vault was at risk of being decrypted.
This matters not because it means all password managers are untrustworthy, but because it illustrates the right way to think about them: a password manager is only as secure as its architecture, the strength of your master password, and whether you use multi-factor authentication.
⚠️ If you used LastPass and had a weak master password, or used that master password anywhere else, your stored passwords should be considered compromised and changed.
HOW TO EVALUATE A PASSWORD MANAGER
- Zero-knowledge architecture — The service should never have access to your unencrypted data. Encryption and decryption should happen only on your device, with your master password.
- Open source or independently audited — Can the security community examine the code? Has it been audited by a reputable third party? Closed-source products asking you to trust them without verification deserve more scrutiny.
- Strong encryption standard — AES-256 for the vault contents, with a slow key-derivation function such as PBKDF2 or Argon2 turning your master password into the encryption key. That key-derivation step is what determines how expensive it is to guess your master password if the encrypted vault is stolen.
- Multi-factor authentication support — Non-negotiable. Your master password alone should not be sufficient to access the vault.
- Breach history and response — How a company has handled security incidents tells you a great deal about their security culture.
PRACTICES THAT MATTER MORE THAN THE BRAND YOU PICK
Use a strong, unique master password
This is the one password you have to actually remember. Make it a long passphrase — four or more unrelated words strung together. Never use it anywhere else.
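To make the key-derivation point and the passphrase advice concrete, here is an added Python example (not from this article or any password-manager vendor) that times one PBKDF2 run and turns it into an expected guessing time for an 8-character password versus a four-word passphrase. The iteration counts and the 7,776-word list size are assumed illustrative values, and the timing is a single-core figure that real attackers with parallel hardware will beat.

```python
import hashlib
import math
import os
import time

SECONDS_PER_YEAR = 31_557_600


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Derive a 256-bit vault key with PBKDF2-HMAC-SHA256 (stand-in for a
    manager's client-side KDF). Every guess against a stolen vault repeats this."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Guess-space entropy of `length` symbols drawn uniformly from `alphabet_size`.
    Use characters for a password, or dictionary words for a passphrase."""
    return length * math.log2(alphabet_size)


def seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Measure the cost of one KDF run on this machine at the given iteration count."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for _ in range(samples):
        derive_vault_key("timing-probe", salt, iterations)
    return (time.perf_counter() - start) / samples


def expected_crack_seconds(bits: float, guess_seconds: float) -> float:
    """Expected single-core time to hit the right master password: on average
    the attacker searches half the space, paying one full KDF run per guess."""
    return (2 ** bits) / 2 * guess_seconds


def compare(iterations: int) -> dict:
    """Contrast an 8-char lowercase password with a 4-word passphrase (assumed
    7,776-word list) under the same KDF cost."""
    per_guess = seconds_per_guess(iterations)
    return {
        "kdf_seconds_per_guess": per_guess,
        "8_lowercase_chars_years":
            expected_crack_seconds(entropy_bits(8, 26), per_guess) / SECONDS_PER_YEAR,
        "4_word_passphrase_years":
            expected_crack_seconds(entropy_bits(4, 7776), per_guess) / SECONDS_PER_YEAR,
    }


if __name__ == "__main__":
    for iters in (1_000, 600_000):  # assumed low vs. high iteration counts
        print(iters, compare(iters))
```

Running it shows two independent levers: raising the iteration count multiplies every guess's cost, while each extra passphrase word multiplies the number of guesses needed by the wordlist size.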
Enable multi-factor authentication on the manager itself
If someone gets your master password, MFA is the last line of defense before they have access to every account you own.
Use the password generator for every site
Let the manager generate a random 20+ character password for every account. If that site's database gets breached, it exposes exactly one password that you don't use anywhere else.
Keep an offline backup
Know how to export your vault and store an encrypted copy somewhere offline. If you lose access to the service, you're not locked out of your life.
✅ Bitwarden is currently the most defensible choice for most users — open source, independently audited, zero-knowledge architecture, free tier covers most needs. But the brand matters less than using it correctly.
Questions about your organization's password security? We cover security policy and access management for businesses throughout Santa Clarita and the San Fernando Valley. Contact us today.