
How to Read a Password Manager Security Audit: Cure53, ISE, SOC 2, and What Each Actually Covers

Different audit types check different things. Cure53 covers cryptographic implementation; SOC 2 covers organisational controls. Here is what each major password manager has actually published.

By Subger Editorial Team. Updated 30 April 2026. 6 min read.

The three audit types that matter

(1) Cryptographic / penetration audit — a security firm (Cure53, ISE, NCC Group, Praetorian) examines the cryptographic implementation, server access controls, and client apps, and reports findings with severity ratings. Such an audit is worth something only when the full report is published with the auditor's name, date, and scope. (2) SOC 2 Type II — an organisational-controls audit covering security, availability, processing integrity, confidentiality, and privacy at the operational level over a 6+-month observation window. (3) ISO 27001 — certification of an information-security management system. SOC 2 Type I is not Type II (only Type II tests that the controls actually operated across the observation window), and for all three the scope matters more than the badge.

What each manager has published

Bitwarden: annual third-party audits (Cure53, ISE, Insight Risk Consulting); reports linked from bitwarden.com/help/is-bitwarden-audited. 1Password: SOC 2 Type II plus ISE penetration tests; security-audit history at 1password.com/security-audit. Proton Pass: Cure53 full security audit at launch (2023, no critical findings, moderate findings remediated pre-launch) per proton.me/blog/pass-launch. NordPass: Cure53 white-box audit in February 2020, a second Cure53 audit of NordPass Business in 2021, SOC 2 Type II, and ISO 27001 certification per nordpass.com/features/security. KeePassXC: community-audited open source — no commissioned third-party audit, but the source is public on GitHub.

Red flags in audit marketing

(1) An audit performed by an accounting firm without a published security-firm name. (2) An audit scope limited to 'the application' without specifying which components. (3) An audit older than 24 months on a product whose architecture has changed. (4) A summary letter rather than a full report. (5) An audit performed before a major version release that materially changed the cryptographic implementation. None of the five managers in this comparison fit these patterns; the LastPass post-breach communications (excluded from this comparison) did exhibit several.

What an audit does not cover

Audits document what the security firm checked at one point in time. They do not cover supply-chain attacks (compromised npm dependencies in the client build), insider risk at the vendor, or new vulnerabilities discovered after the audit window. The defences against those are open-source clients (so researchers can verify each release independently — Bitwarden, Proton Pass, KeePassXC), bug-bounty programs (1Password runs Bugcrowd; Bitwarden runs HackerOne), and architectural choices like the 1Password Secret Key (an additional locally-stored secret that means a server breach alone cannot decrypt vaults).
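To make the Secret Key point concrete, the following is an added illustration written for this article; it is not 1Password's own implementation, and the PBKDF2 iteration count, the HMAC-based key-combining step and the sample account data are all constructed for the example. It derives a vault key from both the account password and a random, client-held Secret Key, and then shows why a breached server record (salt plus login verifier) is not enough for an offline password-guessing attack, while the same attack succeeds once the attacker also holds the Secret Key from the client device.

```python
import hashlib
import hmac
import secrets

# Constructed parameter for this illustration; real products tune stretching
# far more carefully and document their own values.
PBKDF2_ITERATIONS = 50_000


def generate_secret_key() -> bytes:
    """Random 128-bit Secret Key created on the client and never sent to the server."""
    return secrets.token_bytes(16)


def derive_vault_key(password: str, secret_key: bytes, salt: bytes) -> bytes:
    """Stretch the password with PBKDF2, then bind the result to the Secret Key.

    HMAC-SHA256 keyed with the Secret Key is used here as a simple key-combining
    step (an assumption of this example, not a vendor's construction). Without
    secret_key the output cannot be computed even if password and salt are known.
    """
    stretched = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=32
    )
    return hmac.new(secret_key, stretched, hashlib.sha256).digest()


def make_verifier(vault_key: bytes) -> bytes:
    """What the server stores to check a login: a hash of the vault key, never the key."""
    return hashlib.sha256(b"login-verifier:" + vault_key).digest()


def dictionary_attack(candidates, salt: bytes, verifier: bytes, secret_key: bytes):
    """Offline guessing against a breached server record (salt + verifier).

    Every guess must also be combined with a Secret Key. An attacker holding only
    server data has to guess that key as well, which at 128 random bits is
    infeasible; the verifier therefore never matches even when the real password
    is in the wordlist.
    """
    for guess in candidates:
        candidate = make_verifier(derive_vault_key(guess, secret_key, salt))
        if hmac.compare_digest(candidate, verifier):
            return guess
    return None


def demo():
    """Returns (result with server data only, result with server data + Secret Key)."""
    # Constructed account with a deliberately weak password, so that a scheme
    # using the password alone would fall to the wordlist below.
    password = "correct horse"
    secret_key = generate_secret_key()
    salt = secrets.token_bytes(16)
    server_record = {
        "salt": salt,
        "verifier": make_verifier(derive_vault_key(password, secret_key, salt)),
    }

    wordlist = ["password", "letmein", "correct horse", "hunter2"]

    # Server breach alone: the attacker must supply some guess for the Secret Key.
    server_only = dictionary_attack(
        wordlist, server_record["salt"], server_record["verifier"], secrets.token_bytes(16)
    )
    # Server breach plus a compromised client device that leaked the Secret Key.
    server_and_client = dictionary_attack(
        wordlist, server_record["salt"], server_record["verifier"], secret_key
    )
    return server_only, server_and_client


if __name__ == "__main__":
    print(demo())
```

The takeaway matches the article's framing: the Secret Key does not replace a strong password (a compromised client still exposes the vault to guessing), but it does remove the server as a single point of failure, which is the scenario a one-off audit cannot rule out for the future.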

Sources

Bitwarden audits: bitwarden.com/help/is-bitwarden-audited. 1Password security audits: 1password.com/security-audit. Proton Pass Cure53 audit: proton.me/blog/pass-launch. NordPass security: nordpass.com/features/security. Cure53: cure53.de. ISE: securityevaluators.com. All URLs accessed 2026-04-30.