Currently, the two best-reputed password managers on the market seem to be 1password and Bitwarden. Neither of them, as far as I'm aware, has yet suffered a major breach of user secrets. But, given sufficiently many determined attackers over a sufficiently long time, this state of affairs seems unlikely to last forever.
This market will resolve to whichever of 1password or Bitwarden suffers a security breach, with user secrets leaked to plaintext, first. 'User secrets' here are those stored in the password-manager vault itself; a breach wherein, for example, customer payment information is exposed, but only that used to pay the 1password or Bitwarden companies and not the rest of what is locked away in the password manager, won't count for the resolution of this market.
In Bitwarden's case, resolution will be based specifically on a breach of the large bitwarden.com instance or of some comparably large instance which may exist in the future; a breach of a small self-hosted instance, which might be egregiously misconfigured, won't qualify. 1password, as far as I'm aware, doesn't support hosting by anyone outside of their own company, but if they add such support in the future then similar considerations will apply there as well.
Possible clarification from creator (AI generated):
A breach that only exfiltrates encrypted user data without finding a scalable way to decrypt that data will not count for resolution
Individual user attacks that require targeting each user separately (like keylogger malware) will not count as a qualifying breach
Possible clarification from creator (AI generated):
A breach similar to the LastPass incident where encrypted vaults are exposed but still require cracking individual master passwords will not count for resolution
Unencrypted metadata that was not directly supplied by users (like last-used dates) will not count for resolution
However, exfiltration of any directly user-supplied data that is stored unencrypted (such as unencrypted usernames) would count for resolution
Which, if any, other zero-knowledge password managers would you consider to have been breached? E.g. LastPass had a security incident that exposed some users' vaults, but the attackers still needed to crack master passwords to decrypt the vaults. Does that count, since presumably they were eventually able to find some with weak master passwords, or not, since the security breach itself didn't actually expose any user passwords?
Alternatively, how does metadata that is stored in the vault count? Some password managers used to (hopefully none of the big ones still do) store some of that metadata in plain text.
@SeekingEternity I don't know all that much about the history of password-manager-breaches prior to the LastPass one; it's only relatively recently that I particularly started following the sphere. With that said, I wouldn't count a breach resembling the LastPass one (at least as I currently understand it) as sufficient to resolve this market.
Unencrypted metadata not directly supplied by the user, as with LastPass's various leaks of last-used dates per item and so forth, isn't sufficient for market-resolution. However, exfiltration of any directly user-supplied data which is similarly unencrypted—for instance, if passwords are encrypted but usernames aren't (...I really hope none of the big password managers are doing this)—would be sufficient for market-resolution.
@Alyssa Does the formulation of this question's resolution take into account the architectures of both 1password and Bitwarden? Both of these attempt to use a zero-knowledge architecture, where there is a second key, such that the server maintainers do not themselves have access to the unencrypted data.
This means that, in the event of a server breach and exfiltration of the user data, the exfiltrated data will still be encrypted.
Does the formulation of this question's resolution take this into account? You do stipulate "user secrets leaked to plaintext." Does this mean that two user secrets exposed would be sufficient? I'm not sure this is a rigorous and fair formulation. It should be user secrets exposed for 2 (or more) users from the same breach. For example, if there came to be a way to penetrate 1password, but this required the interception of 2nd channel information, or the breach of a user's local machine on every instance for each user, I don't think that should qualify.
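The zero-knowledge split described in the comment above, as an added example that is not code from either product: a stdlib-only sketch in which the master password is stretched on the client, split into separate vault keys and a server-authentication key, and the server record holds only an auth hash and an opaque blob. The HMAC-based stream cipher, the function names and the sample vault line are constructed stand-ins, not any vendor's real format.

```python
import hashlib
import hmac
import secrets

# Constructed example: illustrative key split, not any vendor's real vault format.
def derive_keys(master_password: str, email: str, iterations: int = 600_000):
    """Runs only on the client. The master password never leaves the device."""
    master_key = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), iterations)
    # Domain-separated sub-keys: two protect the vault, one authenticates to the server.
    enc_key = hmac.new(master_key, b"vault-enc", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"vault-mac", hashlib.sha256).digest()
    auth_key = hmac.new(master_key, b"server-auth", hashlib.sha256).digest()
    return enc_key, mac_key, auth_key

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode stands in for AES here (stdlib only); the
    # key-separation point is the same with a real AEAD such as AES-GCM.
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1)]
    return b"".join(blocks)[:length]

def encrypt_vault(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return nonce + ct + tag

def decrypt_vault(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("vault integrity check failed (wrong key or tampered blob)")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

def server_record(email: str, auth_key: bytes, blob: bytes) -> dict:
    """Everything the server side ever holds for this account."""
    salt = secrets.token_bytes(16)
    return {"email": email, "auth_salt": salt,
            "auth_hash": hashlib.pbkdf2_hmac("sha256", auth_key, salt, 100_000),
            "vault": blob}

def breach_exposes_plaintext(record: dict, secret: bytes) -> bool:
    """Whether a full copy of the server record contains the secret directly."""
    stored = record["vault"] + record["auth_hash"] + record["auth_salt"]
    return secret in stored
```

A server-side breach of this design yields the record only; turning it into plaintext still requires guessing each account's master password separately, which is the per-user cracking the market's resolution criteria exclude.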
@StCredZero A breach which only gets through one key, exfiltrating user data in encrypted form without subsequently finding a scalable way to decrypt that data, won't count for market resolution.
If individual attacks are required per user, that won't count as a breach for relevant purposes. (Otherwise both Bitwarden and 1password would almost certainly count as already compromised, since keylogger malware exists and is effective as a means of individual-user-targeted attack against anyone not using the right sorts of 2FA.)