The Headline That Scared Everyone
In February 2026, The Hacker News ran a story with a number that made people nervous: researchers had found 25 password recovery attack vectors in major cloud-based password managers. TechRadar followed up by noting the vulnerabilities could potentially target over 60 million users.
That sounds terrifying. But the actual research tells a more nuanced story — one where password managers are still the right call for nearly everyone, even with these findings on the table.
Here is what the study actually found, how vendors responded, and what you should do about it.
What the Research Actually Found
The study mapped out 25 theoretical attack paths by which an attacker could recover or manipulate passwords stored in cloud-based password managers. None of them is a brute-force crack of the vault's encryption. They are architectural weaknesses: ways an attacker who already holds a specific foothold (control of the user's email account, an authenticated browser session, or the local machine) can turn the manager's account-recovery and cross-device sync mechanisms against the user.
Think of it this way: the researchers did not break the vault's lock. They identified 25 scenarios in which someone who already has a key to your house can reach the vault through a side door.
That distinction matters. Most of these attacks require pre-existing access that, frankly, means you already have bigger problems than your password manager. It does not make them irrelevant, though. Recovery and sync are exactly where a vault's trust boundary stretches beyond its encryption, and if account recovery runs through an email link, the vault is only as strong as the email account behind it.
Which Password Managers Were Affected
Not all managers were equally exposed:
- 1Password: Only vulnerable to 2 of the 25 attacks. Jacob DePriest, 1Password's CISO, stated that both were “already documented in our publicly available Security Design White Paper.” In other words, 1Password knew about these and had made deliberate architectural trade-offs.
- LastPass: Affected by more of the attack vectors, though LastPass marked some findings as “informative” rather than as actionable vulnerabilities. Given LastPass's 2022 breach history, this adds to a pattern that makes us cautious about recommending it as a top pick.
- Bitwarden: Affected and actively working on fixes. Bitwarden's open-source nature means these fixes will be publicly auditable once shipped.
- Enpass and iCloud Passwords: Also affected. Both are working on patches, according to Socket, the supply chain security firm that independently reviewed the research.
- Dashlane: Not named in the study's reported results. Its zero-knowledge architecture and separate encryption approach may have insulated it from these particular vectors, but absence from the list is not evidence that it was tested and passed; treat it as untested rather than cleared.
The Clickjacking Threat
Separately from the 25-attack study, security researchers at Socket disclosed a different class of vulnerability in August 2025: DOM-based extension clickjacking.
Here is how it works. Your password manager's extension injects its autofill prompt into the page's DOM, which means the page can style it. A malicious page makes that prompt invisible (opacity set to zero, for example) and places a visible decoy such as a cookie banner exactly where you will click. Your click lands on the hidden prompt, the extension treats it as a deliberate fill request, and your credentials go into form fields the attacker controls. You think you dismissed a banner. The extension thinks you asked it to fill. The data goes somewhere else entirely.
This affects browser extensions specifically — not the standalone apps or mobile versions. The affected products include Bitwarden, Enpass, and iCloud Passwords, all of which confirmed they are building fixes. 1Password and LastPass acknowledged the research but classified it as informational.
The practical defense right now: disable auto-fill on page load and require an explicit action to fill credentials. Prefer the extension's toolbar popup or a keyboard shortcut over an in-page prompt, because the toolbar is browser UI that a web page cannot restyle or cover, while an in-page prompt is exactly what this attack hides. Most password managers offer these settings. Use them.
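What a hardened extension can check before it honours a fill, as an added example that is not code from the original article or from any of the vendors named. Node has no DOM, so the page is modelled as plain objects; the style and layout fields, the trigger names and the two fixture pages are assumptions. The gate refuses to fill on page load, when the target field is not actually rendered to the user, and when the in-page prompt the user supposedly clicked has been made invisible or was not the element under the click.

```javascript
// Added example (not any vendor's code): a simplified "may I fill?" gate of
// the kind a hardened content script can run before honouring an autofill.
// Node has no DOM, so page elements are plain objects carrying only the
// computed-style properties and layout rectangles the check needs.

const VIEWPORT = { width: 1280, height: 800 };

// An element is "rendered" only if nothing in its ancestor chain hides it.
// Opacity is inherited multiplicatively, so a 0.01 wrapper hides its children.
function isEffectivelyVisible(el, viewport = VIEWPORT) {
  let opacity = 1;
  for (let node = el; node; node = node.parent) {
    const s = node.style || {};
    if (s.display === 'none' || s.visibility === 'hidden') return false;
    opacity *= s.opacity === undefined ? 1 : Number(s.opacity);
  }
  if (opacity < 0.5) return false; // near-transparent is invisible to the user
  const r = el.rect;
  if (!r || r.width < 1 || r.height < 1) return false;
  const offscreen = r.x + r.width <= 0 || r.y + r.height <= 0 ||
    r.x >= viewport.width || r.y >= viewport.height;
  return !offscreen;
}

// Stand-in for document.elementFromPoint(): highest z-index element whose box
// contains the point and which does not pass clicks through (pointer-events).
function elementAtPoint(elements, x, y) {
  return elements
    .filter(e => e.style?.pointerEvents !== 'none')
    .filter(e => x >= e.rect.x && x < e.rect.x + e.rect.width &&
                 y >= e.rect.y && y < e.rect.y + e.rect.height)
    .sort((a, b) => (b.zIndex || 0) - (a.zIndex || 0))[0] || null;
}

// trigger: 'page-load' | 'in-page-prompt' | 'toolbar' | 'shortcut'
function decideFill(page, trigger, click) {
  if (trigger === 'page-load') {
    return { fill: false, reason: 'auto-fill on page load is disabled' };
  }
  if (!isEffectivelyVisible(page.field)) {
    return { fill: false, reason: 'target field is not rendered to the user' };
  }
  if (trigger === 'in-page-prompt') {
    // The prompt lives in the page DOM, so the page can restyle or cover it.
    if (!isEffectivelyVisible(page.prompt)) {
      return { fill: false, reason: 'autofill prompt is not visible; possible clickjacking' };
    }
    const hit = elementAtPoint(page.elements, click.x, click.y);
    if (hit !== page.prompt) {
      return { fill: false, reason: 'click did not land on the prompt the user saw' };
    }
  }
  // 'toolbar' and 'shortcut' come from browser chrome the page cannot style.
  return { fill: true, reason: 'explicit user action on a rendered field' };
}

// Constructed fixture: the user sees a decoy cookie banner (which passes
// clicks through), while the extension's injected prompt sits above it at
// opacity 0. The attacker's field itself is an ordinary visible input.
function maliciousPage() {
  const body = { style: {}, rect: { x: 0, y: 0, width: 1280, height: 800 } };
  const field = { parent: body, style: {}, rect: { x: 40, y: 40, width: 200, height: 30 } };
  const banner = { parent: body, style: { pointerEvents: 'none' }, zIndex: 10,
    rect: { x: 300, y: 500, width: 400, height: 120 } };
  const prompt = { parent: body, style: { opacity: 0 }, zIndex: 20,
    rect: { x: 560, y: 560, width: 120, height: 40 } };
  return { elements: [body, field, banner, prompt], field, prompt };
}

// Constructed fixture: an ordinary login page with a visible prompt under the field.
function benignPage() {
  const body = { style: {}, rect: { x: 0, y: 0, width: 1280, height: 800 } };
  const field = { parent: body, style: {}, rect: { x: 400, y: 200, width: 240, height: 32 } };
  const prompt = { parent: body, style: {}, zIndex: 5,
    rect: { x: 400, y: 236, width: 240, height: 60 } };
  return { elements: [body, field, prompt], field, prompt };
}

// The user clicks the decoy banner's "Accept" button at (600, 580).
console.log(decideFill(maliciousPage(), 'in-page-prompt', { x: 600, y: 580 }));
console.log(decideFill(benignPage(), 'in-page-prompt', { x: 420, y: 250 }));
console.log(decideFill(benignPage(), 'shortcut'));
```

The toolbar and shortcut paths deliberately skip the prompt checks: a fill the user triggers from browser chrome cannot be clickjacked by page CSS, which is why the advice above prefers them. Real extensions also have to contend with shadow DOM, iframes and CSS transforms, which this model leaves out.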
How Password Managers Responded
The vendor responses tell you a lot about who takes security seriously:
- 1Password: Acknowledged the findings transparently, pointed to existing documentation, and confirmed their security model accounts for these vectors. This is the response you want to see.
- Bitwarden: Actively developing patches. Being open-source, the community can verify these fixes. Good faith response.
- Enpass & iCloud Passwords: Confirmed they are working on fixes for the clickjacking issue specifically.
- LastPass: Marked findings as “informative.” Given their breach history, this response feels less reassuring.
What Makes a Password Manager Secure in 2026
After reviewing this research, here is what we look for when evaluating password manager security:
- Zero-knowledge architecture: Keys are derived from your master password on your own device, and the provider stores only ciphertext, so it cannot read your vault even under legal compulsion or after a breach of its own servers. Dashlane and 1Password both implement this.
- AES-256 encryption: Still the standard, and every major password manager uses it, so on its own it does not separate the good from the bad. What matters is how it is used: an authenticated mode such as AES-GCM, a fresh nonce for every item, and a slow or memory-hard key derivation (PBKDF2 with a high iteration count, or Argon2) between your master password and the key.
- Independent security audits: Regular third-party audits published publicly. 1Password and Bitwarden both do this.
- Breach response history: How a company handled past incidents tells you more than marketing claims. Compare 1Password and LastPass on this metric and the difference is stark.
- MFA support: Your vault should require a second factor, and hardware keys (YubiKey, Titan) are ideal. Understand what it protects, though: in a zero-knowledge design the second factor gates the server's release of your encrypted vault, not the decryption itself, so a vault copy stolen from a device is still protected only by your master password and its key derivation.
- Dark web monitoring: Dashlane offers real-time dark web alerts. This catches credential leaks from other services before attackers try them against your accounts.
Our Current Recommendations
Despite the February 2026 findings, our rankings have not changed significantly. The research highlights theoretical risks, not active exploits. And the alternatives — reusing passwords, storing them in plaintext, or relying on memory — are objectively worse.
Here is where things stand:
- 1Password: Least affected by the study. Strongest security architecture. Our top pick for security-conscious users.
- Dashlane: PCMag Editors' Choice (February 2026). Includes VPN, dark web monitoring, and phishing alerts. Best for users who want everything in one app.
- Bitwarden: Best free option and best open-source option. Actively patching the identified issues. Great for technical users.
- LastPass: Still functional, but its breach history and response patterns make us hesitant to recommend it over the alternatives above.
Bottom line: use a password manager. The risk of not using one is orders of magnitude higher than the theoretical attack vectors this research identified. Just pick a good one, enable MFA, and disable auto-fill on page load.
For broader security, consider pairing your password manager with a VPN and antivirus software for layered protection.
Frequently Asked Questions
Were any passwords actually stolen in the 25-attack study?
No. The study identified theoretical recovery attack vectors, not active breaches. No evidence exists of these techniques being exploited in the wild as of March 2026.
Is 1Password still safe to use?
Yes. 1Password was only vulnerable to 2 of the 25 attacks, and its CISO confirmed both were already documented in their Security Design White Paper. It remains one of the strongest options available.
Should I stop using password managers?
Absolutely not. Even with these theoretical vulnerabilities, a password manager is still far safer than reusing passwords or writing them on sticky notes. The risk of not using one is much higher.
What is the clickjacking attack on password managers?
DOM-based extension clickjacking hides the extension's in-page autofill prompt behind a visible decoy, so a click meant for the decoy lands on the prompt and the extension fills your credentials into fields the attacker controls. Bitwarden, Enpass, and iCloud Passwords are working on fixes; disabling auto-fill on page load and filling from the toolbar or a keyboard shortcut blunts it in the meantime.
Which password manager is the safest right now?
1Password and Dashlane consistently rank highest for security architecture. 1Password uses a two-secret key derivation: a locally generated Secret Key is combined with your account password, so a vault copy stolen from its servers cannot be brute-forced from the password alone. Dashlane adds a built-in VPN and real-time dark web monitoring on top of AES-256 encryption.