The LastPass Warning
In 2022, LastPass was breached. Hackers stole encrypted password vaults for 25+ million users. Since then, over $35 million in cryptocurrency has been stolen from LastPass users whose vaults were cracked, and the thefts continue into 2026. [1]
As of March 2025, federal prosecutors linked a $150 million crypto heist to the LastPass breach. The FBI and Secret Service confirmed the connection. [2]
Your password manager choice matters. Here's how they compare.
Quick Comparison
| Feature | Bitwarden | 1Password | LastPass | Dashlane |
|---|---|---|---|---|
| Price (Individual) | Free / $10/year | $36/year | $36/year | $60/year |
| Open Source | Yes (full) | No | No | Partial (mobile only) |
| Security Breaches | None known | None known | Multiple (2022 major) | None known |
| Self-Hosting | Yes | No | No | No |
| Free Tier | Unlimited passwords | 14-day trial only | 1 device type | 25 passwords max |
| Encryption | AES-256 | AES-256 + Secret Key | AES-256 | AES-256 |
| Our Rating | Recommended | Recommended | Avoid | Acceptable |
Why LastPass Is No Longer Recommended
LastPass used to be the default recommendation. Not anymore.
The 2022 Breach Timeline
- August 2022: Hackers access LastPass source code
- November 2022: LastPass discloses second breach; vaults stolen
- February 2023: Reveals a DevOps engineer's home computer was compromised via vulnerable third-party software
- December 2022 onwards: Crypto thefts targeting LastPass users begin
The Ongoing Damage
The breach wasn't just data exposure; it was vault theft. [3]
- 25+ million users had encrypted vaults stolen
- $35+ million in cryptocurrency stolen from users since breach
- $150 million heist in January 2024 linked to breach by FBI [2]
- Thefts continued through December 2024 [1]
The threat actors are cracking stolen vaults to access cryptocurrency wallet seeds and private keys. Once cracked, funds are drained within minutes.
If You Still Use LastPass
- Export your data and migrate to another manager immediately
- Change ALL passwords stored in LastPass
- Move cryptocurrency to new wallets with fresh seed phrases
- Enable 2FA everywhere the compromised credentials were used
- Delete your LastPass account after migration
Bitwarden: The Open Source Choice
Why We Recommend It
- Fully open source: All code publicly auditable on GitHub
- No breaches: Clean security record
- Best free tier: Unlimited passwords, unlimited devices, free forever
- Self-hosting option: Run your own server for maximum control
- Regular audits: Cure53 and other third-party security testing
- Affordable premium: $10/year adds advanced 2FA and file storage
Security Architecture
- AES-256-CBC encryption
- PBKDF2 SHA-256 key derivation (100,001 iterations minimum)
- Zero-knowledge: Bitwarden can't see your passwords
- Salted hashing: Additional protection layer
- End-to-end encryption: Data encrypted before leaving device
Limitations
- Interface less polished than 1Password
- No Secret Key for additional protection
- Self-hosting requires technical knowledge
Best For
- Privacy-conscious users who value open source
- Budget-conscious users
- Technical users who want self-hosting
- Anyone migrating from LastPass
Get Bitwarden: Read our full review or visit bitwarden.com
1Password: The Premium Choice
Why We Recommend It
- No breaches: Clean security record
- Secret Key: Additional encryption layer unique to 1Password
- Travel Mode: Hide sensitive vaults when crossing borders
- Polished UI: Best user experience of major managers
- 25+ security audits: Extensive third-party testing
- Passkey support: Ready for passwordless future
Security Architecture
- AES-256-GCM encryption
- Dual-key model: Master password + Secret Key required
- Zero-knowledge: 1Password can't decrypt your data
- PBKDF2 key derivation with high iteration counts
- Secret Key: 128-bit key generated locally, never sent to 1Password
The Secret Key Advantage
Even if attackers steal your encrypted vault AND crack your master password, they still can't access your data without the Secret Key stored on your devices. This is a significant security advantage over other managers.
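The effect described above can be seen in a simplified sketch, added here as an example (it is not 1Password's code and not from the original article). The function names, the HMAC/XOR combination and the sample passwords are assumptions for illustration, and the iteration count reuses the 100,001 figure this page quotes for Bitwarden.

```python
import hashlib
import hmac
import secrets

# Assumption: reuses the 100,001 PBKDF2 iteration figure this page quotes for Bitwarden.
ITERATIONS = 100_001


def password_only_key(master_password: str, salt: bytes) -> bytes:
    """Vault key derived from the master password alone (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, ITERATIONS)


def dual_key(master_password: str, secret_key: bytes, salt: bytes) -> bytes:
    """Illustrative dual-key derivation: both inputs are needed to get the vault key."""
    stretched = password_only_key(master_password, salt)
    # Mix in the device-held Secret Key; HMAC keeps the 128-bit key's full entropy.
    device_part = hmac.new(secret_key, b"vault-key" + salt, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(stretched, device_part))


def any_guess_unlocks(vault_key: bytes, guesses, derive) -> bool:
    """True if any candidate password reproduces the vault key under `derive`."""
    return any(hmac.compare_digest(derive(g), vault_key) for g in guesses)


def demo() -> dict:
    salt = secrets.token_bytes(16)          # stored with the vault, so stolen with it
    secret_key = secrets.token_bytes(16)    # 128-bit, generated locally, stays on the device
    password = "constructed-sample-passphrase"  # constructed sample value
    guesses = ["Summer2022!", password]     # worst case: the real password is guessed

    pw_vault = password_only_key(password, salt)
    dual_vault = dual_key(password, secret_key, salt)
    wrong_secret = bytes(16)                # vault thief does not hold the Secret Key

    return {
        # Password-only scheme: a correct guess is all that is needed.
        "password_only_falls": any_guess_unlocks(
            pw_vault, guesses, lambda g: password_only_key(g, salt)),
        # Dual-key scheme: the same correct guess fails without the Secret Key.
        "dual_key_falls": any_guess_unlocks(
            dual_vault, guesses, lambda g: dual_key(g, wrong_secret, salt)),
        # The owner's device, holding both inputs, still unlocks the vault.
        "owner_unlocks": any_guess_unlocks(
            dual_vault, [password], lambda g: dual_key(g, secret_key, salt)),
    }


if __name__ == "__main__":
    print(demo())
```

With a password-only derivation, the strength of a stolen vault rests entirely on the master password; with the second input, it also rests on a 128-bit random value that was never stored server-side.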
Limitations
- Not open source (proprietary code)
- No free tier (14-day trial only)
- More expensive than Bitwarden
- Canada jurisdiction (Five Eyes member)
- No self-hosting option
Best For
- Users who prioritize UX and features
- Families (good family plan)
- Travelers (Travel Mode)
- Users willing to pay for premium experience
Get 1Password: Read our full review or visit 1password.com
Dashlane: The Middle Ground
Why It's Acceptable
- No breaches: Clean security record
- ISO 27001 certified: Business-grade security standards
- VPN included: Basic VPN with premium plans
- Dark web monitoring: Alerts for compromised credentials
- AES-256 encryption: Industry standard
Limitations
- Most expensive: $60/year for individual plan
- Weak free tier: Only 25 passwords
- Mostly proprietary: Only mobile app is open source
- No self-hosting: Cloud-only
Best For
- Users who want VPN bundled
- Business users needing compliance features
What About KeePass?
KeePass deserves mention as the fully offline option:
- Completely local: Database never leaves your device
- Open source: Fully auditable
- Free forever: No subscription
- No cloud sync: You manage backups and sync
KeePass Is Best For
- Maximum paranoia (data never touches internet)
- Technical users comfortable with manual sync
- Air-gapped systems
KeePass Drawbacks
- No built-in sync (manual or third-party required)
- Less polished interface
- Browser integration requires plugins
- Mobile apps are third-party (KeePassDX, Strongbox)
Security Features Comparison
Two-Factor Authentication
- Bitwarden: TOTP free, hardware keys with premium
- 1Password: TOTP and hardware keys included
- LastPass: TOTP free, hardware keys premium
- Dashlane: TOTP and hardware keys included
Breach Monitoring
- Bitwarden: Vault health reports (free)
- 1Password: Watchtower dashboard
- LastPass: Dark web monitoring (premium)
- Dashlane: Dark web monitoring included
Emergency Access
- Bitwarden: Yes (premium)
- 1Password: Yes (via recovery)
- LastPass: Yes
- Dashlane: Yes
Passkey Support
- Bitwarden: Yes
- 1Password: Yes
- LastPass: Yes
- Dashlane: Yes
Privacy Considerations
Jurisdiction
- Bitwarden: USA (can be mitigated with self-hosting)
- 1Password: Canada (Five Eyes)
- LastPass: USA
- Dashlane: USA/France
Data Collection
All major password managers claim zero-knowledge architecture: they can't see your passwords. However:
- Bitwarden: Minimal telemetry, can self-host for zero data sharing
- 1Password: Some service data collected, clear privacy policy
- LastPass: More extensive analytics
- Dashlane: Standard analytics
Our Recommendations
For Most People: Bitwarden
Best combination of security, privacy, and value. Free tier is genuinely excellent. Open source means verifiable security.
For Premium Features: 1Password
If you're willing to pay and want the best user experience, Travel Mode, and Secret Key protection. No security compromises.
For Maximum Security: Bitwarden (self-hosted) or KeePass
Keep your password database on your own infrastructure. Zero trust in third parties.
Avoid: LastPass
The 2022 breach and ongoing crypto thefts make it impossible to recommend. Migrate immediately if you're still using it.
How to Choose
Ask Yourself:
Budget Priority?
→ Bitwarden (free tier is best in class)
Best UX and Features?
→ 1Password (polished experience, Travel Mode)
Open Source Required?
→ Bitwarden (fully open source)
Self-Hosting Required?
→ Bitwarden or KeePass
Completely Offline?
→ KeePass
Family Sharing?
→ 1Password or Bitwarden (both have good family plans)
Setting Up Your Password Manager
Step-by-Step
- Choose your manager based on priorities above
- Create a strong master password - 16+ characters, random or passphrase
- Enable 2FA immediately - Before adding any passwords
- Save recovery codes offline - Print or write down, store securely
- Install on all devices - Browser extension + mobile app
- Import existing passwords - From browser or old manager
- Run security audit - Fix weak/reused passwords
- Delete passwords from browser - Don't store in multiple places
The Bottom Line
Any password manager is better than no password manager. But after the LastPass disaster, choice matters.
Our top picks:
- Best overall: Bitwarden - Open source, free, secure, no breaches
- Best premium: 1Password - Secret Key, Travel Mode, polished UX
- Avoid: LastPass - Ongoing fallout from 2022 breach
Don't reuse passwords. Don't store them in browsers. Don't use LastPass. Use a proper password manager and enable 2FA on the account.
References
- [1] Krebs on Security - Experts Fear Crooks are Cracking Keys Stolen in LastPass Breach (September 2023)
- [2] Krebs on Security - Feds Link $150M Cyberheist to 2022 LastPass Hacks (March 2025)
- [3] LastPass Blog - Security Incident December 2022 Update
- [4] Cyber Insider - 1Password vs Bitwarden: 8 Tests, 1 Clear Winner (2025)
- [5] 1Password - Security Audits