Why Your Password Manager's Architecture Matters More Than Its Feature List
Feature comparisons miss the point. The encryption model, business incentives, and legal jurisdiction of your password manager determine whether your data is actually private.

Your password manager is arguably the most sensitive piece of software you use. It holds every credential — email accounts, banking logins, work systems, medical portals — in one encrypted vault. If that vault is compromised, everything is compromised.
Most password manager reviews compare autofill speed, UI polish, and browser extension quality. Those things affect daily convenience. But they tell you nothing about the question that actually matters: what stops the company running the server from reading your data?
The answer depends on three things most reviews skip: the encryption architecture, the business model behind the company, and the legal jurisdiction it operates under.
What "Encrypted" Actually Means for Your Passwords
Every major password manager describes itself as "encrypted." But that word covers a wide range of implementations, and the differences are consequential.
Server-side encryption vs. zero-knowledge
Server-side encryption (also called "encrypted at rest") means the company encrypts your data on their servers. The company holds the encryption keys. This protects against an outsider breaking into the server, but it does not prevent the company itself — or anyone who compromises the company — from accessing your data.
Zero-knowledge encryption (the industry's marketing term; technically, end-to-end encryption with client-side key derivation) means your data is encrypted on your device before it leaves. The server only ever sees encrypted blobs. The company does not hold a key that can decrypt your vault. Served with a court order, it can hand over only ciphertext, because it structurally cannot read the contents. The one lever that remains is the client software itself: a compelled or malicious app update could capture your master password at the point of entry, which is why open source code and independent audits belong in this evaluation alongside the encryption model.
How master password derivation works
In a zero-knowledge system, your master password is never sent to the server. Instead, the app uses a key derivation function (Argon2 or PBKDF2) to turn the master password and a per-user salt into an encryption key locally; a second, separately derived value is sent to the server as your login credential, so the server can authenticate you without ever learning the vault key. Your vault is encrypted and decrypted entirely on your device. The server stores the encrypted vault and that authentication value, but cannot read the contents. The cost parameters of the key derivation function (iteration count for PBKDF2, memory and time cost for Argon2) matter as much as the algorithm: they set the price an attacker pays per guess if the encrypted vault is ever stolen.
Zero-knowledge in plain language: Imagine locking your documents in a safe, then handing the safe to a storage company. They can store it and give it back to you, but they don't have the combination. That's what zero-knowledge encryption does for your passwords. The company stores your encrypted vault but never has the key to open it.

The practical difference: if a zero-knowledge password manager's servers are breached, the attacker gets encrypted data they cannot read without guessing the master password. If a server-side encrypted system is breached and the keys are also compromised, the attacker gets everything.
The LastPass Breach: A Case Study in Why Architecture Matters
In August 2022, LastPass disclosed that an attacker had accessed their development environment. By December 2022, they revealed the full scope: the attacker had stolen copies of customer vault data — the actual encrypted vaults containing usernames, passwords, and secure notes.
This breach is instructive not because LastPass was uniquely careless, but because it demonstrated exactly how encryption architecture determines the real-world impact of a breach.
What happened
According to LastPass's own public disclosures: the attacker compromised a developer's home computer, used stolen credentials to access cloud storage, and exfiltrated backup copies of customer vaults. The encrypted vault data included website URLs stored in plaintext alongside encrypted username and password fields.
Why architecture mattered
LastPass uses zero-knowledge encryption for most vault fields (URLs, as noted above, were not encrypted). So the stolen credentials were encrypted. But the strength of that encryption depended entirely on each user's master password and on the key derivation settings attached to each vault. Vaults protected by weak or reused master passwords were vulnerable to offline brute-force cracking, and the attacker had unlimited time to try. Two implementation details widened that window. LastPass had raised its default PBKDF2 iteration count over the years (from 5,000 to 100,100 in 2018, and to 600,000 after the breach), but accounts created under older defaults were not migrated automatically, so many stolen vaults still used far cheaper settings. And because URLs were in plaintext, an attacker could triage which vaults held cryptocurrency exchange or banking logins before spending any cracking effort on them.
Security researchers subsequently reported evidence of vaults being cracked, with stolen cryptocurrency linked to LastPass vault data.
The lesson: "Encrypted" is not a binary state. Implementation details matter enormously. How the encryption is applied, what's encrypted versus stored in plaintext, and how master password strength is enforced all determine whether the encryption actually protects you in a breach scenario.
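The derivation and authentication split described in "How master password derivation works", and the offline cracking the LastPass case study turns on, are easier to see in working code. The block below is an added illustration and not any vendor's implementation: it assumes PBKDF2-HMAC-SHA256 as the KDF, the account email as the salt, a separately derived authentication hash that the server salts and hashes again before storing, and a tiny constructed wordlist standing in for the multi-gigabyte lists used in real attacks. Products differ in detail (Argon2id, extra secret keys, different salts), but the shape is the same.

```python
"""Zero-knowledge key derivation, the authentication split, and offline cracking.

Added illustration, not any product's code. Assumptions: PBKDF2-HMAC-SHA256,
account email as the salt, and a separate authentication hash sent to the
server in place of the password. Sample accounts and wordlist are constructed.
"""
import hashlib
import hmac
import secrets
import time

MODERN_ITERATIONS = 600_000   # current OWASP-level PBKDF2-SHA256 setting
LEGACY_ITERATIONS = 5_000     # a long-obsolete default, as on never-migrated accounts
SERVER_ITERATIONS = 10_000    # extra server-side hashing of the received auth hash

# Constructed sample data (not real accounts).
EMAIL = "alice@example.com"
WEAK_MASTER = "Summer2022!"
STRONG_MASTER = "forge-lantern-quiet-orbit-94"
WORDLIST = ["password", "123456", "qwerty", "letmein", "Summer2022!", "Welcome1"]


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """Client only: the key that encrypts the vault. It is never sent anywhere."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), iterations, dklen=32)


def derive_auth_hash(vault_key: bytes, master_password: str) -> bytes:
    """Client only: a one-way value sent at login instead of the password.
    Knowing it does not reveal vault_key, so the server can verify logins
    without being able to decrypt anything."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1, dklen=32)


def server_store(auth_hash: bytes) -> dict:
    """Server side: salt and hash the received value again before storing it."""
    salt = secrets.token_bytes(16)
    stored = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, SERVER_ITERATIONS, dklen=32)
    return {"salt": salt, "hash": stored}


def server_verify(record: dict, auth_hash: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", auth_hash, record["salt"],
                                    SERVER_ITERATIONS, dklen=32)
    return hmac.compare_digest(candidate, record["hash"])


def enroll(master_password: str, email: str, iterations: int):
    """Client derives both values; only the record built from auth_hash reaches the server."""
    vault_key = derive_vault_key(master_password, email, iterations)
    return vault_key, server_store(derive_auth_hash(vault_key, master_password))


def offline_crack(record: dict, email: str, iterations: int, wordlist):
    """What an attacker does with a stolen server record. With a stolen encrypted
    vault the AEAD tag check on decryption plays the same oracle role, and the
    per-guess cost is just the client KDF. Returns (password or None, guesses)."""
    for guesses, guess in enumerate(wordlist, start=1):
        key = derive_vault_key(guess, email, iterations)
        if server_verify(record, derive_auth_hash(key, guess)):
            return guess, guesses
    return None, len(wordlist)


def main() -> None:
    for label, iters in (("legacy", LEGACY_ITERATIONS), ("modern", MODERN_ITERATIONS)):
        _, record = enroll(WEAK_MASTER, EMAIL, iters)
        start = time.perf_counter()
        found, guesses = offline_crack(record, EMAIL, iters, WORDLIST)
        per_guess = (time.perf_counter() - start) / guesses
        print(f"{label:6s} {iters:>7d} iters: cracked={found!r} after {guesses} "
              f"guesses, ~{per_guess*1000:.0f} ms per guess")
    _, record = enroll(STRONG_MASTER, EMAIL, LEGACY_ITERATIONS)
    print("strong passphrase, legacy iters:", offline_crack(record, EMAIL, LEGACY_ITERATIONS, WORDLIST))


if __name__ == "__main__":
    main()
```

Two things to notice when running it: the weak master password falls to the same six-word list at either iteration count, and only the time per guess changes, so a higher KDF cost buys headroom but never replaces a strong master password; and the strong passphrase survives not because of the KDF but because it is not in any list. The server never holds anything that decrypts the vault, yet whoever steals the server's record (or the encrypted vault itself) has an offline oracle for guessing.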
The breach also highlighted a jurisdiction point. As a US company (spun off from GoTo, formerly LogMeIn), LastPass's breach response and disclosure timeline were subject to US regulatory frameworks, which have no single federal data breach notification standard comparable to the GDPR's 72-hour notification requirement; notification duties vary by state.
Business Models Shape Privacy Decisions
A password manager's business model tells you something about its long-term incentives — and how likely it is that privacy will remain a priority.
Venture capital and growth pressure
1Password has raised $920 million in venture capital. VC funding isn't inherently problematic, but it creates structural pressure: investors expect returns, which means either an IPO or an acquisition. Both scenarios introduce uncertainty about future data handling practices. A company that's privacy-focused today may be acquired by a company with different priorities tomorrow.
Private equity and cost-cutting
LastPass was spun off from GoTo (formerly LogMeIn) as part of private equity transactions. Private equity ownership typically prioritizes profitability, which can mean reduced investment in security infrastructure — the kind of cost-cutting that's invisible until something goes wrong.
Subscription + privacy mission
Proton (the company behind Proton Pass) is a subscription-funded company headquartered in Switzerland. Founded by scientists who met at CERN, its business model is straightforward: charge for premium features, don't sell data. This alignment — where revenue comes from users, not from monetizing user data — creates different structural incentives than VC or PE ownership.
Open source as accountability
When a password manager's code is open source, security researchers can verify that the encryption works as advertised, and users can check that the shipped client matches the published source. This doesn't guarantee security, but it provides a layer of accountability that closed-source products lack. Among major password managers, Proton Pass, Bitwarden, and KeePassXC publish the source code of their client apps. 1Password and LastPass do not.
The jurisdiction dimension
Where a company is headquartered determines which laws govern its data handling. US-based companies are subject to the CLOUD Act and FISA Section 702. Swiss companies operate under the Federal Act on Data Protection (FADP), which requires Swiss court authorization for foreign data requests. For a deeper look at how jurisdiction affects privacy, see our analysis of VPN jurisdiction — the same principles apply to password managers.
How Five Password Managers Compare on Architecture
Here's how five major password managers stack up on the structural factors that determine whether your data is actually private:
| | Proton Pass | Bitwarden | KeePassXC | 1Password | LastPass |
|---|---|---|---|---|---|
| Headquarters | Switzerland | US | Open source project (no HQ) | Canada (US infrastructure) | US |
| Encryption model | Zero-knowledge (E2EE) | Zero-knowledge (E2EE) | Local-only encryption | Zero-knowledge (E2EE) plus device Secret Key | Zero-knowledge (E2EE); URLs stored in plaintext |
| Open source | Yes (all apps) | Yes (all apps) | Yes | No | No |
| Independent audits | Yes (Cure53) | Yes (multiple) | Community-audited | Yes (multiple) | Yes (multiple) |
| Free tier | Yes (unlimited passwords) | Yes (unlimited passwords) | Yes (fully free) | No | Yes (1 device type) |
| Email aliases included | Yes (10 free, unlimited paid) | Via third-party alias services only | No | No (Fastmail partnership) | No |
| Business model | Subscription + mission | Open-core (freemium) | Volunteer/donations | VC-funded ($920M) | Private equity (ex-GoTo) |
| Breach history | None publicly known | None publicly known | None publicly known | No vault data breach; 2023 Okta-related intrusion disclosed, no user data accessed | Multiple incidents (2015, 2022) |
| CLOUD Act exposure | No (Swiss jurisdiction) | Yes (US company) | No (local storage) | Partial (US infrastructure) | Yes (US company) |
Proton Pass

Swiss jurisdiction, zero-knowledge encryption, and fully open source apps audited by Cure53. The free tier includes unlimited passwords and 10 email aliases — a feature that reduces your phishing surface by letting you use a unique email per site. Part of the broader Proton ecosystem (mail, VPN, drive, calendar), which allows a single subscription to cover multiple privacy tools.
The trade-off: it's a newer product (launched 2023) with a smaller extension ecosystem than older competitors. Team and enterprise features are still maturing.
Bitwarden

The leading open-source password manager, US-based but with a transparent codebase and multiple independent audits. Its free tier is generous and its self-hosting option gives technical users full control. Business and enterprise plans are competitively priced.
The trade-off: US headquarters means CLOUD Act exposure. Self-hosting mitigates this but requires technical setup and maintenance.
KeePassXC

A fully offline, open-source password manager. Your encrypted database lives on your device, with no cloud, no servers, and no company that could be compelled to hand over data. This is the strongest possible architecture for data sovereignty. It is not immune to the offline-cracking problem, though: a stolen .kdbx file is exactly the target the LastPass attackers ended up with, so the master password and the database's KDF settings (Argon2id with generous memory and time parameters) still decide the outcome.
The trade-off: no cloud sync (you manage syncing yourself via Dropbox, Syncthing, etc.; syncing through a US cloud service hands that provider the encrypted file, though nothing that decrypts it), no mobile app from the KeePassXC project (though compatible apps like KeePassDX exist), and no built-in sharing features.
1Password

Well-regarded for its user experience, particularly for families and teams. Uses zero-knowledge encryption and has undergone multiple independent security audits. One architectural detail deserves mention: in addition to the master password, each account has a randomly generated Secret Key that is mixed into key derivation and stored only on enrolled devices, so a vault stolen from the server cannot be brute-forced on the master password alone. The Watchtower feature provides useful security monitoring.
The trade-off: closed source, no free tier, VC-funded with acquisition risk, and reliant on US cloud infrastructure (AWS). Canadian headquarters offers some jurisdictional benefit over US companies, but the US infrastructure dependency limits that advantage.
LastPass

Widely used due to its early market entry and free tier. Uses zero-knowledge encryption. Has undergone independent audits.
The trade-off: the 2022 breach eroded trust significantly, and the low key derivation settings left on older accounts showed that the zero-knowledge label had not been backed by consistent enforcement. Private equity ownership raises questions about long-term security investment. The free tier is limited to a single device type (mobile or desktop, not both). US jurisdiction means full CLOUD Act exposure.
Features That Actually Protect You
Beyond encryption architecture, some features provide genuine security benefits — and others are primarily marketing.
Features worth evaluating
Email aliases. Using a unique email address for every site means a breach at one service doesn't expose your real email to phishing attacks on other accounts. Proton Pass includes this on the free tier — most competitors charge extra or don't offer it at all.
Passkey support. Passkeys replace passwords with cryptographic key pairs bound to the site's origin, so the credential cannot be phished or replayed on a look-alike domain. Account recovery and fallback login paths can still be attacked, so the phishing risk shrinks rather than disappears. Support is expanding across the industry, and it's worth checking whether your password manager supports them.
Two-factor authentication. Your password manager should support 2FA for its own login (hardware keys, TOTP). This is table stakes, but worth verifying. Keep in mind what it protects: in a zero-knowledge design, 2FA gates access to the server, not decryption of a vault that has already been stolen from it.
Export capability. A good password manager makes it easy to leave. If exporting your data is difficult or restricted, that's a red flag about the company's priorities.
Features that matter less than you'd think
Dark web monitoring. Several password managers advertise scanning the dark web for your credentials. In practice, this is largely a marketing feature. Services like Have I Been Pwned provide this for free, and the alerts are reactive — they tell you after a breach, not before.
Who Should Use What
If architecture and jurisdiction are your priority: Proton Pass offers the strongest combination of zero-knowledge encryption, Swiss jurisdiction, open source code, and independent audits. The free tier is genuinely useful — unlimited passwords plus 10 email aliases.
If open source and self-hosting matter most: Bitwarden gives you the option to run your own server, with a mature codebase and regular audits. Be aware of the US jurisdiction trade-off.
If you want zero cloud dependency: KeePassXC keeps everything local. No server, no company, no jurisdiction concerns. Best for technically comfortable users willing to manage their own sync.
If you need enterprise team management: 1Password's team and family features are mature and well-designed. Understand the VC-funding and US infrastructure trade-offs, and evaluate whether they're acceptable for your use case.
If you're still on LastPass: Consider migrating. The 2022 breach, combined with private equity ownership and US jurisdiction, makes a compelling case for switching. Check our password managers category for EU alternatives.
How to Switch Password Managers
Most password managers support CSV export and import, making the switch straightforward:
- Export your current vault (Settings → Export → CSV or encrypted format)
- Import into your new password manager (most accept CSV directly)
- Verify that all entries imported correctly — spot-check a few logins
- Secure your new account with a strong, unique master password and enable 2FA
Delete the exported CSV file immediately after importing. It contains all your passwords in plaintext. Empty your trash/recycle bin too, since deleted files are recoverable until overwritten, and on SSDs even overwriting is not reliable. The safer route is to prefer an encrypted export format when both tools support one, and otherwise to create the CSV only on a full-disk-encrypted drive.
The process typically takes 15-30 minutes. Run both managers in parallel for a week to catch any entries that didn't import correctly before deactivating the old one.
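The "verify that all entries imported correctly" step above is the one people skip, and spot-checking a few logins misses truncated passwords and silently dropped rows. The script below is an added example, not from any vendor: it takes the old manager's CSV export and a fresh CSV export from the new manager, keys every entry on (hostname, username), and reports what is missing, what changed, and what appeared. The column names in COLUMN_ALIASES are assumptions covering common export layouts, and the two embedded exports are constructed samples in LastPass-style and Bitwarden-style column order.

```python
"""Compare two password-manager CSV exports to confirm a migration lost nothing.

Added example, not any product's tool. The header aliases are assumptions that
cover common export formats; the embedded sample exports are constructed. Run
it on an encrypted disk and delete both CSV files when you are done.
"""
import csv
import io
import sys
from urllib.parse import urlsplit

# Assumed header names; extend if your exports use others.
COLUMN_ALIASES = {
    "url": ("url", "login_uri", "website", "uri"),
    "username": ("username", "login_username", "user"),
    "password": ("password", "login_password"),
}

# Constructed sample: old manager, LastPass-style column order.
OLD_EXPORT = """url,username,password,totp,extra,name,grouping,fav
https://bank.example/login,alice,Kz9!vq2Lp#,,,Bank,Finance,0
https://mail.example,alice@example.com,correct-horse-42,,,Mail,,1
https://shop.example/account,alice,tr0ub4dor&3,,,Shop,,0
https://old.example,alice,legacy-pass,,,Old,,0
"""

# Constructed sample: new manager, Bitwarden-style column order. One row never
# made it across and one password was truncated at the '&' on import.
NEW_EXPORT = """folder,favorite,type,name,notes,fields,reprompt,login_uri,login_username,login_password,login_totp
Finance,0,login,Bank,,,0,https://bank.example/login,alice,Kz9!vq2Lp#,
,1,login,Mail,,,0,https://mail.example,alice@example.com,correct-horse-42,
,0,login,Shop,,,0,https://shop.example/account,alice,tr0ub4dor,
"""


def _pick(row: dict, field: str) -> str:
    """Return the first column matching one of the aliases for `field`, or ''."""
    lowered = {(k or "").strip().lower(): (v or "").strip() for k, v in row.items()}
    for alias in COLUMN_ALIASES[field]:
        if alias in lowered:
            return lowered[alias]
    return ""


def _host(url: str) -> str:
    """Normalise a URL to its hostname so path differences don't cause false alarms."""
    candidate = url if "://" in url else "https://" + url
    return (urlsplit(candidate).hostname or url).lower()


def parse_export(csv_text: str) -> dict:
    """Map (hostname, username) -> set of passwords found in one export."""
    entries = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        url, user, pw = _pick(row, "url"), _pick(row, "username"), _pick(row, "password")
        if not (url or user):          # blank line or a note with no login
            continue
        entries.setdefault((_host(url), user.lower()), set()).add(pw)
    return entries


def compare_exports(old_csv: str, new_csv: str) -> dict:
    """Entries missing from the new vault, present with different passwords, or new."""
    old, new = parse_export(old_csv), parse_export(new_csv)
    return {
        "missing": sorted(k for k in old if k not in new),
        "changed": sorted(k for k in old if k in new and old[k] != new[k]),
        "extra": sorted(k for k in new if k not in old),
    }


def main() -> None:
    if len(sys.argv) == 3:
        with open(sys.argv[1], newline="", encoding="utf-8") as f_old, \
             open(sys.argv[2], newline="", encoding="utf-8") as f_new:
            report = compare_exports(f_old.read(), f_new.read())
    else:
        report = compare_exports(OLD_EXPORT, NEW_EXPORT)
    for kind, keys in report.items():
        print(f"{kind}: {len(keys)}")
        for host, user in keys:
            print(f"  {host}  ({user})")   # passwords are deliberately never printed


if __name__ == "__main__":
    main()
```

Usage: `python compare_exports.py old.csv new.csv`; without arguments it runs on the embedded samples and reports one missing entry and one changed password. The report names hosts and usernames only, so it is safe to keep as a checklist while the two plaintext exports are deleted.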
Related Resources
- Proton Pass — Swiss-based, zero-knowledge password manager
- Password Managers category — All EU alternatives in this category
- Why Your VPN's Jurisdiction Matters — The same jurisdiction principles applied to VPNs
Products Mentioned
KeePassXC is a robust password manager designed to securely store and manage your passwords across multiple platforms. As an open-source tool, it offers transparency and adaptability, allowing users to inspect and modify the source code to suit their needs. KeePassXC supports cross-platform compatibility, making it accessible on Windows, macOS, and Linux. Key features include browser integration for seamless login experiences, a powerful password generator to create strong, unique passwords, and auto-fill functionality to streamline online interactions. The software can also require a key file or a hardware key challenge-response in addition to the master password to unlock the database, and offers various database encryption options to enhance security. KeePassXC is ideal for individuals and organizations seeking a reliable password management solution that prioritizes privacy and security. Because the database stays on your own device, there is no hosting provider and no jurisdiction question at all. KeePassXC is free to use, making it an accessible choice for anyone looking to improve their digital security without incurring additional costs.
Stay secure and save time with Proton Pass, designed to help you store logins, notes and other credentials securely and easily while organizing your digital life. It supports features like email aliases and integrated 2FA for enhanced security.
Related Articles
Why Your VPN's Jurisdiction Matters More Than Its Speed
Speed tests dominate VPN reviews, but the legal jurisdiction of your VPN provider determines whether your privacy actually holds up when it matters.
Your Personal Data Is for Sale: What Europeans Need to Know About Data Brokers (Privacy & Security)
Data brokers collect up to 1,000 data points per person and trade them openly. Here's how the industry works, what GDPR means for your rights, and what you can do about it.
5 Best EU Alternatives to Google Drive in 2026 (Comparisons)
Looking for a European alternative to Google Drive? Here are 5 GDPR-compliant options worth considering.