George Pajari
Dec 23, 2018


First I should like to commend you on sharing your methodology and findings. Very much appreciated.

I am concerned, however, that the evaluation criteria appear not to have included anything related to the security of the application or the company developing it.

Not only does Bitwarden appear to not have any external audits of its information security management systems (e.g. ISO 27001 or AICPA SOC 2), it states on its website “All … security … guarantees are backed by Microsoft” (because Bitwarden runs on Azure). That strikes me as a gross misunderstanding of the shared responsibility model of cloud computing.

Compare that with LastPass and 1Password, both of which have SOC 2 Type 2 audits (although I cringe when I read 1Password refer to their SOC 2 audit report as a “certification”. It is not.)

As a former CISO and currently a consultant helping various cloud service providers with their security, I well appreciate the limitations of a SOC 2 audit or an ISO 27001 certification, but they mean something — something more than just a pen test and a code audit (which Bitwarden recently obtained).

Fascinating that you did not consider the security of the password manager company to be a factor when evaluating a security service.

Unrepentant cybersecurity geek; concerned with public policy; with a habit of jumping into cold water on Jan 1 -- on *this* Jan 1, watch for the #PolarPiper