Back to articles

Password manager extensions reviewed: Bitwarden vs 1Password security score, spoofing risks & alternatives

Bitwarden and 1Password extension security review 2026: permissions, privacy scores, and SquareX's polymorphic spoofing attack that Chrome can't patch.

Maxim Kosterin
9 min read

Your password manager extension is probably the most important extension in your browser. It holds the keys to everything — banking, email, work accounts. That's exactly what makes it the top impersonation target in a new class of attacks that Chrome literally cannot patch.

SquareX Labs disclosed a technique called polymorphic extension spoofing in early 2025 — and as of 2026, Google still hasn't issued a fix. I'm going to break down what it means for Bitwarden, 1Password, and LastPass users, and give you an honest security and privacy comparison so you know which one to trust with your vault.

Quick verdict

  • Bitwarden — open-source, independently audited, strong security model. Best free option.
  • 1Password — proprietary but excellent security design with a "secret key" that helps resist phishing. Best for teams and families.
  • LastPass — functional, but harder to recommend after two significant breaches in 2022. Vault data was stolen.
  • All three — equally exposed to the SquareX polymorphic spoofing attack via Chrome's management API. No patch available as of April 2026.

If you just want the quick answer: use 1Password or Bitwarden, keep your other extensions to a minimum, and read the spoofing section below so you know what a real attack looks like.

See also: What ETH Zurich's 25-attack study means for your vault — a deeper look at server-side zero-knowledge weaknesses in Bitwarden, LastPass, and Dashlane that sit alongside the spoofing threat covered here.

What these extensions actually do

Password manager browser extensions do three things: store and sync encrypted credentials, autofill login forms when you visit a matching site, and generate strong random passwords on demand. They're almost invisible until you need them — you install once, grant permissions, and mostly forget they're running.

The problem is those permissions are substantial. A password manager needs access to every site you visit to match your saved logins. That means requesting <all_urls> host permission — the same permission that red-flags most security scanners. It's unavoidable for the core autofill functionality, but it also means a password manager extension has a much larger privilege surface than, say, a dark mode extension.

When you see a password manager requesting "read and change all your data on all websites," that's not overreach — it's the price of autofill. What varies between extensions is what they do beyond that, and how carefully they've designed their security model.

The polymorphic spoofing threat

This is the piece that changes the calculus in 2026. SquareX Labs researchers found that any malicious Chrome extension can use Chrome's built-in chrome.management API — an API designed for enterprise IT admins — to enumerate every extension installed in your browser.

Once a malicious extension identifies a high-value target like a password manager, it can execute a multi-step attack: temporarily disable the real extension, clone its icon and popup HTML to look identical, and surface a fake "Session Expired" prompt. You click the icon because it looks like your password manager, you type your master password, and the attacker receives it.

The attack is contextual — it only triggers when you click the real extension's icon — which is why it's nearly invisible to automated security scans. According to SquareX Labs, Google has not issued a patch because the attack exploits intended behavior of the chrome.management API rather than a traditional vulnerability. Blocking the attack would require restricting legitimate enterprise extension management capabilities.

Every Chromium-based browser is affected: Chrome, Edge, and Brave. Firefox is not affected (it uses different APIs and extension isolation).

This is important context for the review below: none of the password managers I'm covering have a comprehensive defense against this attack. What I'm evaluating is their overall security model, permission design, and privacy practices — then giving you the mitigation advice that actually helps.

Bitwarden: open source, independently audited

Bitwarden is the strongest free option in this category, and it's not close. The full source code — client apps, browser extension, and server — is publicly available on GitHub. That means the security community can verify what it actually does, and multiple independent firms have done exactly that. Trail of Bits audited Bitwarden in 2022; Cure53 audited it in 2023.

Permissions: tabs, <all_urls>, storage, unlimitedStorage, alarms. No cookies permission (unusual and positive — it means Bitwarden isn't touching your active sessions), no webRequest blocking. The autofill functionality is opt-in for each site rather than injected globally.

Privacy: Bitwarden doesn't sell data. It doesn't use ad tracking in its extension. You can self-host the entire backend if you distrust the cloud service. The EU-hosted option is available for GDPR-conscious users.

Weakness: E2E encryption is strong, but Bitwarden has had past vulnerabilities in its browser extension autofill logic. The 2022 Trail of Bits audit found an iframe-based autofill issue that could expose credentials to malicious sites. Bitwarden addressed it, but it's a reminder that autofill is the hardest security surface to get right.

You can view Bitwarden's full permission and security scan on Extenshi: Bitwarden Password Manager on Extenshi.

1Password: proprietary but the most thoughtful security design

1Password costs money ($2.99/month personal, $4.99/month families) and the source code isn't public. Those are real tradeoffs compared to Bitwarden. What you get in return is a security model that's been designed with unusual care.

The standout feature is the Secret Key: a 128-bit random key generated locally when you create your account. Your master password alone is not enough to decrypt your vault — you also need this Secret Key. Even if 1Password's servers were breached and your encrypted vault was stolen, an attacker would need both your master password AND your Secret Key to access anything. This is a meaningfully stronger design than most competitors.

Permissions: tabs, storage, unlimitedStorage, alarms, cookies, <all_urls>. The cookies permission is used to match saved logins to domains by inspecting first-party cookies — 1Password is upfront about this in its privacy documentation.

Privacy: 1Password publishes transparency reports and has been audited multiple times (most recently by Cure53 in 2024). It doesn't sell data, and it supports privacy-sensitive enterprise deployments.

Weakness: It's proprietary. You can't verify the extension code yourself. You're trusting 1Password's processes and auditors, not your own review. That's a genuine philosophical distinction from Bitwarden.

Check 1Password's full profile on Extenshi: 1Password – Password Manager on Extenshi.

LastPass: still usable, but carries real baggage

I'll be direct: LastPass is harder to recommend in 2026. In 2022, the company suffered two separate security incidents. The second breach, disclosed in December 2022, involved an attacker stealing encrypted password vaults along with metadata including usernames, URLs, and billing information. LastPass confirmed this publicly, and the investigation showed the attacker had access to internal systems for months.

Encrypted vaults aren't immediately useful to attackers — the encryption itself holds up if your master password is strong and unique. But the incident demonstrated a failure in operational security that eroded a lot of trust.

Permissions: tabs, storage, <all_urls>, notifications, contextMenus. No cookies, no webRequest.

Privacy: Post-breach, LastPass restructured significantly and split from parent company GoTo. Their security posture has improved, and independent audits have continued. But the breach legacy is a legitimate factor in trust evaluation.

If you're currently on LastPass, I'd suggest migrating to Bitwarden or 1Password — Bitwarden has a free import tool that accepts LastPass CSV exports and takes about ten minutes.

How to spot a polymorphic spoofing attempt

Since there's no patch, here's what practical detection looks like.

Your password manager extension shouldn't randomly ask you to re-enter your master password during a browsing session. If you click the extension icon and see a "Session Expired" or "Re-authenticate" prompt when you were just using it five minutes ago — stop. Don't enter anything. Open your browser's extension manager (chrome://extensions/) and check that your password manager is still enabled and shows the correct developer (e.g., "Bitwarden Inc." or "1Password").

If you see two entries with similar icons, or if the extension suddenly shows as disabled, something may have tampered with it.

Reducing your overall extension footprint is the best mitigation. Every extension you install is a potential attacker. A minimal set of well-vetted extensions dramatically reduces your polymorphic spoofing exposure — the attack requires a malicious extension to already be running. You can audit your full extension list, including any with suspicious permission profiles, at catalog.extenshi.io.

Alternatives worth considering

Browser built-in password manager (Chrome Passwords / Firefox Lockwise): Zero extension surface area. Syncs via your Google or Mozilla account. Not as feature-rich, but if you mostly just need autofill and generation, built-ins have improved a lot. No third-party trust required.

Dashlane: A solid mid-tier option. Audited regularly, good UX, privacy practices are reasonable. Slightly pricier than Bitwarden at the paid tier. The ETH Zurich 25-attack study from USENIX Security 2026 found only one password disclosure scenario in Dashlane — better than Bitwarden's performance in that specific study.

KeePassXC with no browser extension: Offline vault, zero network exposure, open source. The tradeoff is manual copy-paste for most workflows. But if you want maximum security and don't mind the friction, it's the only option with no attack surface from extensions at all.

Final recommendation

Use 1Password if you can afford it and you're securing a family or team. The Secret Key architecture is genuinely stronger for the scenario where your vault data is ever exposed.

Use Bitwarden if you want a free, open-source option with a solid track record. Pair it with a minimal extension footprint.

Avoid LastPass if you're starting fresh. The breach history is documented fact, and the alternatives are better.

Regardless of which password manager you choose, the bigger security lever is what else you have installed. A carefully chosen password manager can still be impersonated by any malicious extension you've carelessly installed alongside it. Your extension hygiene matters more than your choice of password manager brand.


See the full security report for Bitwarden on Extenshi →


This article is based on publicly available security research and news reporting. Extenshi does not independently verify all claims made by third-party researchers. References to specific companies or products reflect the findings of cited sources and do not constitute accusations of intentional wrongdoing. If you believe any information is inaccurate, please contact us at [email protected].

Related Articles