
Currently, the two best-reputed password managers on the market seem to be 1password and Bitwarden. Neither of them, as far as I'm aware, has yet suffered a major breach of user secrets. But, given sufficiently many determined attackers over a sufficiently long time, this state of affairs seems unlikely to last forever.
This market will resolve to whichever of 1password or Bitwarden suffers a security breach, with user secrets leaked to plaintext, first. 'User secrets' here are those stored in the password-manager-vault itself; a breach wherein, for example, customer payment information is exposed, but only that used to pay the 1password or Bitwarden companies and not the rest of that which is locked away in the password manager, won't count for the resolution of this market.
In Bitwarden's case, resolution will be based specifically on a breach of the large bitwarden.com instance or of some comparably-large instance which may exist in the future; a breach of a small self-hosted instance which might be egregiously misconfigured won't qualify. 1password, as far as I'm aware, doesn't support hosting by anyone outside of their own company, but if they add such support in the future then similar considerations will apply there as well.
Possible clarification from creator (AI generated):
A breach that only exfiltrates encrypted user data without finding a scalable way to decrypt that data will not count for resolution
Individual user attacks that require targeting each user separately (like keylogger malware) will not count as a qualifying breach
Possible clarification from creator (AI generated):
A breach similar to the LastPass incident where encrypted vaults are exposed but still require cracking individual master passwords will not count for resolution
Unencrypted metadata that was not directly supplied by users (like last-used dates) will not count for resolution
However, exfiltration of any directly user-supplied data that is stored unencrypted (such as unencrypted usernames) would count for resolution