The Password Manager Pecking Order: Who’s Safe and Who’s Sorry?
IT Pro Expert is extremely security-focused and we don’t recommend products lightly. Since the launch of Proton Pass we have recommended that clients switch to this solution for various reasons, and now we have evidence to show why we made this critical decision last year.
18th Feb 2026

For years, security experts have chanted the same mantra: “Use a password manager!” It’s still good advice—certainly better than reusing the same password for everything or keeping a sticky note on your monitor. But a recent, eye-opening study has revealed that not all password managers are created equal. Some of the biggest names in the business have been found to have alarming security holes.
Based on recent independent security research, including a significant study by researchers at ETH Zurich, here is a no-nonsense ranking of popular password managers, from the most vulnerable to the most secure.
The “Red Zone”: Highly Vulnerable to Server-Side Attacks
These managers were at the center of the recent security storm. Researchers found that a compromised or malicious server could exploit flaws in their design to potentially recover your passwords.
1. Bitwarden (Cloud Version)
- Vulnerability Status: 🔴 High
- The Risks: In the ETH Zurich study, Bitwarden had the highest number of distinct attack vectors, 12 in total. The core issue lies in how it handles cryptographic keys during operations such as sharing passwords or inviting new users to a vault. An attacker controlling the server can manipulate these “key exchanges,” tricking your client into encrypting data to a key the attacker holds, which the attacker can then decrypt. In short, whoever controls the server could potentially gain access to your vault’s contents without ever learning your master password.
2. LastPass & Dashlane
- Vulnerability Status: 🔴 High
- The Risks: These two industry giants were also flagged with significant vulnerabilities: 7 for LastPass and 6 for Dashlane. As with Bitwarden, the weaknesses are rooted in the protocols used for key exchange and account recovery. The “zero-knowledge” promise (that not even the company can see your data) was found to be breakable in practice under specific attack scenarios: a malicious actor in control of the servers could perform a “key swap” attack to decrypt user data without knowing the master password.
The Takeaway for Red Zone Users: Exploiting these flaws requires control of the vendor’s servers (a breach or a malicious insider), but that is exactly the scenario “zero-knowledge” was supposed to rule out. If you use one of these, keep a long, unique master password and enforce 2FA. Be clear about what those buy you: a strong master password raises the cost of offline guessing if your encrypted vault ever leaks, and 2FA protects the account login, but neither stops a malicious server from substituting keys during a sharing or recovery flow. Consider migrating to a more secure option.
The “Yellow Zone”: Significantly Safer by Design
This category includes a manager that was tested in the same study but fared much better due to a superior security architecture.
3. 1Password
- Vulnerability Status: 🟡 Medium / Low
- Why It’s Safer: The ETH Zurich researchers found far fewer exploitable issues with 1Password. Its saving grace is a feature called the “Secret Key.” This is a unique, long code generated locally on your device when you first sign up. It is combined with your master password to derive the keys that encrypt your data and, crucially, it is never sent to 1Password’s servers.
- The Advantage: Even if a malicious actor completely took over 1Password’s servers and tried the same “key swap” attacks that worked against the others, they would still be missing one crucial piece of the puzzle: your locally stored Secret Key. This single design choice makes it far more resistant to remote server-side attacks.
The “Green Zone”: Top-Tier Security Choices
These options offer the highest level of protection, either through their foundational architecture or by avoiding the cloud entirely.
4. Proton Pass
- Vulnerability Status: 🟢 Very Low (not covered by the study)
- Why It’s a Top Choice: Although it was not included in the ETH Zurich study, Proton Pass is built with security as its primary focus. It uses an open-source, zero-knowledge architecture that can be independently verified. For login it employs the Secure Remote Password (SRP) protocol, which proves to the server that you know your password without ever sending the password across the internet; the server stores only a verifier derived from it. One caveat for the careful reader: SRP protects the authentication step, whereas the Red Zone findings concerned key handling in sharing and recovery flows, so what you should look for in any manager is an open, auditable design for those flows too, and that is what the open-source codebase makes possible here.
- Bonus: It is based in Switzerland, benefiting from some of the world’s strictest privacy laws, and it offers an additional PIN lock for extra security.
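To make concrete what “proves you know the password without sending it” means, here is an added example of a full SRP-6a exchange with both the client and server sides in one file. This is illustration code written for this article, not Proton’s implementation: it assumes the RFC 5054 1024-bit group with SHA-256, hashes the password directly where a real client would use a slow KDF, and uses a constructed identity and password. It also shows the limit a practitioner should know about: a breached server holding the verifier can still test guesses offline, which is why password strength still matters with SRP.

```python
"""SRP-6a authentication, both sides, using only the standard library.

Added example for this article (not Proton's code). Group: RFC 5054
1024-bit (Appendix A), hash SHA-256. The point is what crosses the wire:
the server stores a verifier, the client sends an ephemeral value and a
proof, and the password itself never appears in the transcript.
"""
import hashlib
import secrets
from typing import List, Optional

N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
G = 2
NLEN = (N.bit_length() + 7) // 8  # 128 bytes


def pad(x: int) -> bytes:
    return x.to_bytes(NLEN, "big")


def H(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


K_MULT = H(pad(N), pad(G))  # SRP-6a multiplier k = H(N | PAD(g))


def private_x(salt: bytes, identity: bytes, password: bytes) -> int:
    # x = H(s | H(I | ":" | P)); a real client would put a slow KDF here (assumption for the demo)
    return H(salt, hashlib.sha256(identity + b":" + password).digest())


def enrol(identity: bytes, password: bytes) -> dict:
    """Client-side enrolment. Only (identity, salt, verifier) are sent to the server."""
    salt = secrets.token_bytes(16)
    return {"identity": identity, "salt": salt,
            "verifier": pow(G, private_x(salt, identity, password), N)}


def login(record: dict, identity: bytes, password_attempt: bytes) -> dict:
    """One full exchange. Reports whether the server accepted, whether both sides
    derived the same session key, and whether the password appeared on the wire."""
    wire = []  # every message that crosses the network
    # Client -> Server: identity and ephemeral A = g^a
    a = secrets.randbelow(N - 1) + 1
    A = pow(G, a, N)
    wire.append(identity + pad(A))
    # Server: reject A == 0 mod N, then B = k*v + g^b; reply with salt and B
    if A % N == 0:
        raise ValueError("bad client ephemeral")
    b = secrets.randbelow(N - 1) + 1
    B = (K_MULT * record["verifier"] + pow(G, b, N)) % N
    wire.append(record["salt"] + pad(B))
    u = H(pad(A), pad(B))
    if B % N == 0 or u == 0:
        raise ValueError("bad server ephemeral")
    # Client: S = (B - k*g^x)^(a + u*x) using the password typed now
    x = private_x(record["salt"], identity, password_attempt)
    S_client = pow((B - K_MULT * pow(G, x, N)) % N, a + u * x, N)
    K_client = hashlib.sha256(pad(S_client)).digest()
    # Server: S = (A * v^u)^b using only the stored verifier, never the password
    S_server = pow((A * pow(record["verifier"], u, N)) % N, b, N)
    K_server = hashlib.sha256(pad(S_server)).digest()
    # Client -> Server: proof M1; the server recomputes it with its own key
    M1 = hashlib.sha256(pad(A) + pad(B) + K_client).digest()
    wire.append(M1)
    accepted = secrets.compare_digest(M1, hashlib.sha256(pad(A) + pad(B) + K_server).digest())
    if accepted:  # Server -> Client: M2 proves the server held the verifier
        wire.append(hashlib.sha256(pad(A) + M1 + K_server).digest())
    return {"accepted": accepted,
            "keys_match": K_client == K_server,
            "password_on_wire": any(password_attempt in m for m in wire)}


def offline_guess(record: dict, candidates: List[bytes]) -> Optional[bytes]:
    """What a breached server can still do: test guesses against the stored verifier.
    SRP keeps the password off the wire; it does not make a weak password safe."""
    for cand in candidates:
        if pow(G, private_x(record["salt"], record["identity"], cand), N) == record["verifier"]:
            return cand
    return None


if __name__ == "__main__":
    rec = enrol(b"alice@example.com", b"correct horse battery staple")  # constructed sample
    print(login(rec, b"alice@example.com", b"correct horse battery staple"))
    print(login(rec, b"alice@example.com", b"wrong password"))
    print(offline_guess(rec, [b"123456", b"correct horse battery staple"]))
```

Run it and compare the two `login` results: with the right password both sides derive the same key and the server accepts; with a wrong one the keys differ and M1 fails, yet in neither case does the password appear in any message. The `offline_guess` call is the sobering part: the verifier is enough to confirm a guess, so SRP shifts the risk from the network to the strength of the password and of the KDF behind `private_x`.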
5. KeePass (and other Local-Only Managers)
- Vulnerability Status: 🟢 Immune to remote server attacks, but requires knowledge to back up and maintain safely
- Why It’s the Safest (in one specific way): KeePass is a different beast entirely: a local-only password manager. Your encrypted vault file (a .kdbx) is stored on your own disk, not on a company’s cloud server. The trade-off is convenience: syncing and backups are your responsibility, and if you sync the file through a cloud drive yourself, that provider holds a copy of the encrypted vault.
- The Advantage: With no central server to attack, the “malicious server” attacks described in the study simply do not apply. The realistic attacks against a KeePass vault need access to your machine or to a copy of the vault file: malware on the host (a keylogger, or reading the database from memory while it is unlocked), or offline guessing against a copied .kdbx that is protected by a weak master password. So choose a long master password, use the slow Argon2 key derivation KeePass offers, and keep every copy of the file under your control. For users who don’t need seamless syncing across multiple devices, this is the most secure option against remote threats.
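The offline-guessing risk is decided by settings stored in the clear at the front of the vault file, so it is worth being able to read them. The following is an added example for this article (not KeePass project code): a standard-library parser for the unencrypted outer header of a KDBX 4 file that reports the cipher, the KDF and its cost parameters, which are the numbers that set the price of each master-password guess against a stolen copy. The sample header it parses is constructed in the file with fixed seeds; the cipher and KDF UUIDs are the ones KeePass publishes.

```python
"""Read the outer header of a KeePass KDBX 4 vault with the standard library only.

Added example for this article; it is not KeePass project code. The header is
stored in the clear by design, so anyone holding a copy of the .kdbx learns
which cipher and key-derivation function protect it, and the KDF parameters
(Argon2 memory/iterations or AES-KDF rounds) set the price of each offline
master-password guess. The sample header below is constructed in this file.
"""
import struct
import uuid

SIG1, SIG2 = 0x9AA2D903, 0xB54BFB67  # KDBX magic numbers
CIPHERS = {
    uuid.UUID("31c1f2e6-bf71-4350-be58-05216afc5aff"): "AES-256-CBC",
    uuid.UUID("d6038a2b-8b6f-4cb5-a524-339a31dbb59a"): "ChaCha20",
}
KDFS = {
    uuid.UUID("c9d9f39a-628a-4460-bf74-0d08c18a4fea"): "AES-KDF",
    uuid.UUID("ef636ddf-8c29-444b-91f7-a9a403e30a0c"): "Argon2d",
    uuid.UUID("9e298b19-56db-4773-b23d-fc3ec6f0a1e6"): "Argon2id",
}
# KDBX 4 outer-header field IDs used here
END, CIPHER_ID, COMPRESSION, MASTER_SEED, ENC_IV, KDF_PARAMS = 0, 2, 3, 4, 7, 11
# VariantDictionary value types -> decoder
_DECODERS = {
    0x04: lambda r: struct.unpack("<I", r)[0], 0x05: lambda r: struct.unpack("<Q", r)[0],
    0x08: lambda r: r != b"\x00", 0x0C: lambda r: struct.unpack("<i", r)[0],
    0x0D: lambda r: struct.unpack("<q", r)[0], 0x18: lambda r: r.decode("utf-8"),
    0x42: lambda r: r,
}


def parse_variant_dict(buf: bytes) -> dict:
    """Decode the (type, key, value) entries of a KDBX VariantDictionary."""
    (version,) = struct.unpack_from("<H", buf, 0)
    if version & 0xFF00 != 0x0100:
        raise ValueError(f"unsupported VariantDictionary version {version:#06x}")
    pos, out = 2, {}
    while buf[pos] != 0x00:  # a 0x00 type byte terminates the dictionary
        vtype = buf[pos]
        (klen,) = struct.unpack_from("<i", buf, pos + 1)
        key = buf[pos + 5:pos + 5 + klen].decode("utf-8")
        (vlen,) = struct.unpack_from("<i", buf, pos + 5 + klen)
        raw = buf[pos + 9 + klen:pos + 9 + klen + vlen]
        if vtype not in _DECODERS:
            raise ValueError(f"unknown variant type {vtype:#04x}")
        out[key] = _DECODERS[vtype](raw)
        pos += 9 + klen + vlen
    return out


def parse_kdbx_header(data: bytes) -> dict:
    """Return the security-relevant facts from a KDBX 4 outer header."""
    sig1, sig2, version = struct.unpack_from("<III", data, 0)
    if (sig1, sig2) != (SIG1, SIG2):
        raise ValueError("not a KDBX file")
    if version >> 16 != 4:
        raise ValueError(f"KDBX {version >> 16}.x is not handled by this parser")
    pos, fields = 12, {}
    while True:  # each field: 1-byte ID, uint32 length, data
        fid, size = struct.unpack_from("<BI", data, pos)
        pos += 5
        value = data[pos:pos + size]
        pos += size
        if fid == END:
            break
        fields[fid] = value
    kdf = parse_variant_dict(fields[KDF_PARAMS])
    kdf_name = KDFS.get(uuid.UUID(bytes=kdf["$UUID"]), "unknown")
    info = {
        "version": f"{version >> 16}.{version & 0xFFFF}",
        "cipher": CIPHERS.get(uuid.UUID(bytes=fields[CIPHER_ID]), "unknown"),
        "compressed": struct.unpack("<I", fields[COMPRESSION])[0] == 1,
        "kdf": kdf_name,
        "header_len": pos,  # SHA-256 and HMAC-SHA-256 of the header follow this offset
    }
    if kdf_name.startswith("Argon2"):
        info.update(memory_mib=kdf["M"] // (1024 * 1024), iterations=kdf["I"], parallelism=kdf["P"])
    elif kdf_name == "AES-KDF":
        info["rounds"] = kdf["R"]
    return info


def _field(fid: int, value: bytes) -> bytes:
    return struct.pack("<BI", fid, len(value)) + value


def _vd_entry(vtype: int, key: str, raw: bytes) -> bytes:
    k = key.encode("utf-8")
    return bytes([vtype]) + struct.pack("<i", len(k)) + k + struct.pack("<i", len(raw)) + raw


def sample_kdbx4_header(memory_mib: int = 64, iterations: int = 10, parallelism: int = 2) -> bytes:
    """Constructed KDBX 4.1 header (ChaCha20, Argon2d) for the demo; seeds are fixed, not random."""
    kdf = struct.pack("<H", 0x0100)
    kdf += _vd_entry(0x42, "$UUID", uuid.UUID("ef636ddf-8c29-444b-91f7-a9a403e30a0c").bytes)
    kdf += _vd_entry(0x42, "S", b"\x11" * 32)
    kdf += _vd_entry(0x04, "P", struct.pack("<I", parallelism))
    kdf += _vd_entry(0x05, "M", struct.pack("<Q", memory_mib * 1024 * 1024))
    kdf += _vd_entry(0x05, "I", struct.pack("<Q", iterations))
    kdf += _vd_entry(0x04, "V", struct.pack("<I", 0x13))
    kdf += b"\x00"
    hdr = struct.pack("<III", SIG1, SIG2, 0x00040001)
    hdr += _field(CIPHER_ID, uuid.UUID("d6038a2b-8b6f-4cb5-a524-339a31dbb59a").bytes)
    hdr += _field(COMPRESSION, struct.pack("<I", 1))
    hdr += _field(MASTER_SEED, b"\x22" * 32)
    hdr += _field(ENC_IV, b"\x33" * 12)
    hdr += _field(KDF_PARAMS, kdf)
    return hdr + _field(END, b"\r\n\r\n")


if __name__ == "__main__":
    print(parse_kdbx_header(sample_kdbx4_header()))
```

Point it at a real vault with `parse_kdbx_header(open("vault.kdbx", "rb").read())`. If the report says AES-KDF with a low round count, or Argon2 with a few megabytes of memory, a copied file is cheap to brute-force and the database settings should be raised before that copy lands in someone’s cloud drive.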
Summary Ranking Table
| Rank | Password Manager | Vulnerability Level | Key Reason |
|---|---|---|---|
| 1 | KeePass (local-only) | 🟢 Immune to server attacks | No cloud server to attack; data stays on your device. Host compromise and offline guessing of a copied vault still apply. |
| 2 | Proton Pass | 🟢 Safe | Open-source, zero-knowledge design; SRP keeps the password off the wire. |
| 3 | 1Password | 🟡 Low | “Secret Key” architecture blocks most server-side exploits. |
| 4 | Dashlane | 🔴 High | Vulnerable key exchange protocols could allow decryption. |
| 5 | LastPass | 🔴 High | History of breaches plus vulnerable recovery mechanisms. |
| 6 | Bitwarden (Cloud) | 🔴 High | Highest number of identified attack vectors in the study. |
Password Managers are Still the Best Solution, but What About Browsers?
Using any password manager is still statistically safer than using weak or repeated passwords. However, if you are currently using one of the managers in the “Red Zone,” you are accepting a higher level of risk.
For the best balance of convenience and top-tier security, moving to a service with a more robust architecture like 1Password or Proton Pass is a highly recommended upgrade. For the ultimate in control and isolation from remote threats, a local-only solution like KeePass remains the gold standard.
Saving passwords in your browser (like Chrome, Edge, or Safari) is the digital equivalent of keeping your house key under the doormat. It is convenient, but it is the first place a burglar looks.
Here is the technical explanation of why browser-based password storage is fundamentally less secure than a dedicated password manager.
1. The “Unlocked Vault” Problem (OS-Tied Encryption)
Dedicated password managers (like 1Password or Proton Pass) encrypt your data with a Master Password that only you know. If you don’t type that password, the data is just scrambled gibberish.
Browsers, however, typically rely on your Operating System (OS) login to protect your passwords.
- The Flaw: On Windows, for example, Chrome encrypts your saved passwords with a key that it in turn protects with DPAPI (Data Protection API). That key is tied to your Windows user account, not to any secret you type.
- The Risk: Any program running on your computer as “you” (including malware) can ask Windows to unwrap that key, and Windows will comply because the request comes from your logged-in user account. The malware doesn’t need to know a master password; it just needs to be running on your PC. Recent Chrome versions on Windows add “App-Bound Encryption,” which wraps the key again through a service running as SYSTEM so that a plain user-level process can no longer unwrap it directly. That raises the bar, but it has not ended this class of attack, and it does not apply to every browser or platform.
2. The #1 Target for “Info-Stealer” Malware
Because browser password storage locations are standardized and predictable (e.g., specific folders in %AppData%), they are the primary target for a specific class of malware called Info Stealers (like RedLine or Raccoon Stealer).
- How it works: You download a malicious file (a fake game mod or a booby-trapped PDF, say). The malware runs silently in the background, locates the browser’s profile files, unwraps the OS-tied key described above, decrypts the saved logins, and uploads them to the attacker’s server.
- Speed: The whole process takes seconds. By the time you realize you have a virus, your passwords are already for sale.
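The two files an info-stealer reaches for are well known, which also makes them easy to triage during an incident. Here is an added example for this article (not Chrome’s code, and not a stealer) that builds a throwaway Chromium-style profile in a temporary directory and then inventories it without decrypting anything: it counts how many saved logins sit behind the user-scope DPAPI key (password blobs prefixed `v10`, recoverable by any process running as that user) versus App-Bound Encryption (`v20`). The `Local State` field names and blob prefixes follow current Chromium builds on Windows; treat them as assumptions if your build differs. The schema is a subset of the real `logins` table and the ciphertext bytes are random placeholders.

```python
"""Inventory what an info-stealer would find in a Chromium profile (stdlib only).

Added example for this article, not Chrome or any stealer's code. It writes a
throwaway profile with the two files stealers go for, `Local State` and
`Login Data`, then reports, without decrypting anything, how many saved logins
are protected only by user-scope DPAPI (blob prefix "v10") versus App-Bound
Encryption (prefix "v20"). Field names follow Chromium's on-disk layout
(assumption: current Windows builds); the schema is a subset and the blobs
are random placeholders.
"""
import base64
import json
import os
import shutil
import sqlite3
import tempfile


def build_sample_profile(root: str) -> str:
    """Write a minimal Chromium user-data directory under `root` (constructed data)."""
    os.makedirs(os.path.join(root, "Default"), exist_ok=True)
    local_state = {"os_crypt": {
        # Real values: "DPAPI" + CryptProtectData(key) and "APPB" + app-bound-wrapped key
        "encrypted_key": base64.b64encode(b"DPAPI" + os.urandom(32)).decode(),
        "app_bound_encrypted_key": base64.b64encode(b"APPB" + os.urandom(32)).decode(),
    }}
    with open(os.path.join(root, "Local State"), "w") as fh:
        json.dump(local_state, fh)
    con = sqlite3.connect(os.path.join(root, "Default", "Login Data"))
    con.execute("CREATE TABLE logins (origin_url TEXT, username_value TEXT, password_value BLOB)")
    # prefix + 12-byte nonce + ciphertext + 16-byte tag, all placeholder bytes here
    rows = [
        ("https://mail.example.com", "alice", b"v10" + os.urandom(12 + 16 + 16)),
        ("https://bank.example.com", "alice", b"v20" + os.urandom(12 + 16 + 16)),
        ("https://old.example.net", "alice", b"v10" + os.urandom(12 + 16 + 16)),
    ]
    con.executemany("INSERT INTO logins VALUES (?, ?, ?)", rows)
    con.commit()
    con.close()
    return root


def inventory_profile(root: str) -> dict:
    """Classify saved logins by the protection scheme of their password blob."""
    with open(os.path.join(root, "Local State")) as fh:
        os_crypt = json.load(fh).get("os_crypt", {})
    key_flags = {
        "dpapi_key_present": base64.b64decode(os_crypt.get("encrypted_key", "")).startswith(b"DPAPI"),
        "app_bound_key_present": base64.b64decode(os_crypt.get("app_bound_encrypted_key", "")).startswith(b"APPB"),
    }
    # Work on a copy: a running browser holds the live database locked (stealers copy it too).
    src = os.path.join(root, "Default", "Login Data")
    tmp = src + ".copy"
    shutil.copyfile(src, tmp)
    con = sqlite3.connect(tmp)
    counts = {"v10_user_dpapi": 0, "v20_app_bound": 0, "other": 0}
    exposed = []
    for origin, user, blob in con.execute("SELECT origin_url, username_value, password_value FROM logins"):
        prefix = bytes(blob[:3])
        if prefix == b"v10":
            counts["v10_user_dpapi"] += 1
            exposed.append((origin, user))  # recoverable by any process running as this user
        elif prefix == b"v20":
            counts["v20_app_bound"] += 1
        else:
            counts["other"] += 1
    con.close()
    os.remove(tmp)
    return {**key_flags, **counts, "exposed_to_user_level_malware": exposed}


def demo_inventory() -> dict:
    """Build the constructed profile in a temp dir and inventory it."""
    with tempfile.TemporaryDirectory() as d:
        return inventory_profile(build_sample_profile(d))


if __name__ == "__main__":
    print(demo_inventory())
```

On a real machine, point `inventory_profile` at the user-data directory (`%LOCALAPPDATA%\Google\Chrome\User Data` for Chrome). The `exposed_to_user_level_malware` list is the set of accounts to rotate first after a stealer infection, because those were readable by anything running in the user’s session.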
3. The “Coffee Shop” Attack (Physical Access)
If you leave your computer unlocked for even a minute (e.g., to grab a coffee or use the restroom), anyone can open your browser settings.
- The Risk: In most browsers, navigating to Settings > Passwords lets anyone view your passwords in plain text. Some browsers now ask for the computer’s login PIN before “revealing” a password, but a snoop may find a way around that prompt, and in any case does not need to read anything: the Auto-fill feature will log them into your email or bank account directly.
4. Lack of “Zero Knowledge” Architecture
Most standalone password managers use Zero Knowledge encryption, meaning the company (e.g., 1Password) technically cannot see your passwords even if they wanted to.
- Browser Sync: When you sync browser passwords (e.g., via your Google Account), you are trusting that tech giant with the keys. If your Google account itself is compromised, the attacker instantly gains access to every other site you’ve saved in Chrome. You have created a “Single Point of Failure.”
5. Weak Protection Against Session Hijacking
Browsers are designed for convenience, not for strict security boundaries.
- If an attacker steals your browser’s “session cookies” (which keep you logged in), they can often bypass 2FA. Cookie theft hits you whichever password manager you use, but the blast radius differs: a dedicated password manager is a separate, isolated app, so compromising your browser doesn’t automatically compromise your vault, provided the vault is locked.
Summary Comparison
| Feature | Dedicated Password Manager | Web Browser Storage |
|---|---|---|
| Encryption Key | A unique Master Password only you know. | Tied to your Windows/Mac user login. |
| Malware Resistance | High. Requires the Master Password to decrypt data. | Low. Malware can easily decrypt data if running on your PC. |
| Physical Security | Auto-locks after inactivity. | Often stays unlocked as long as the browser is open. |
| Portability | Works on any browser/device. | Locks you into one ecosystem (e.g., Chrome only). |
Recommendation
Treat browser saving as a “convenience cache” for low-risk sites at best, but ideally, disable it entirely.
Overall we recommend Proton Pass: set it up with a hardware security key for 2FA, add PIN protection, and move as many logins as possible to modern passkeys. Keep your recovery phrase printed out in two separate safe locations for that extra peace of mind.
* TIP: Don’t add a passkey to a website while you still allow a weaker alternative method to log in; that defeats the purpose of the passkey and is only a marginal improvement. Your email account should have the strongest protection of all, because it can be used to reset every other password.
