I have been covering cybersecurity for over a decade, and I have never felt less confident in commercial security products than I do right now. In December 2022, LastPass disclosed that attackers had stolen customers' encrypted password vaults — the entire database of credentials that millions of people trusted them to protect. By late 2023, blockchain researchers had linked over $35 million in cryptocurrency theft to vaults cracked from that stolen data. This was not some theoretical vulnerability or a minor data leak. The company that existed solely to keep your passwords safe had handed the keys to your entire digital life to criminals, and then spent months downplaying the severity.
That was the breaking point for me, but it was not an isolated failure. In October 2023, Okta — the identity provider that guards access to corporate systems for thousands of companies — revealed that attackers had accessed its customer support system and stolen HAR files customers had uploaded for troubleshooting, files that contained live session tokens. Okta later admitted the intruder had also pulled a report listing every user of that support system. Cloudflare, 1Password, and BeyondTrust all confirmed they were targeted using stolen Okta data. Meanwhile, the MOVEit Transfer zero-day (CVE-2023-34362, an SQL injection) exploited by the Cl0p ransomware gang in mid-2023 compromised over 2,600 organizations and exposed data belonging to more than 77 million individuals. The common thread in all three incidents is that users had placed blind trust in proprietary vendors whose internal security practices were invisible, unauditable, and ultimately inadequate.
After the LastPass breach, I migrated every password, every secret, every TOTP seed to open-source tools. It took a weekend. Over the following months, I replaced every proprietary security product in my stack with an open-source alternative. A year and a half later, I have not looked back. The tools are better, the transparency is real, and I sleep more soundly knowing that the software protecting my data does not rely on a marketing department's assurances. What follows is the case I would make to any security-conscious person or organization considering the same move.
The Fundamental Problem with Proprietary Security
The core issue is not that proprietary security companies are incompetent. Many employ brilliant engineers and researchers. The problem is structural. When a company's source code is closed, its security model is based entirely on trust. You trust that they implemented encryption correctly. You trust that they do not log plaintext data before encrypting it. You trust that they patch vulnerabilities promptly instead of quietly hoping nobody notices. You trust that their penetration tests are rigorous and not just compliance theater. And when that trust is violated, you find out months or years after the damage is done.
LastPass is the textbook example. For years, security researchers had publicly flagged concerns about their architecture — the fact that not all vault data was encrypted, that URL metadata was stored in plaintext, that their PBKDF2 iteration count was dangerously low for older accounts (the default was 5,000 until 2018, and accounts that never changed their master password kept whatever count they were created with, some as low as 1). LastPass responded with blog posts and assurances. Because the code was closed, nobody outside the company could verify whether the underlying implementation matched those assurances. It did not. When the breach came, the low iteration counts meant that an attacker with a GPU rig could run a large dictionary of candidate master passwords against a pre-2018 vault in hours rather than years. Iteration count is only a linear multiplier on the attacker's work, so a long, random passphrase still held; the failure was that LastPass had neither enforced such passphrases nor migrated old accounts to the higher count, and the plaintext URLs told attackers exactly which vaults held exchange and wallet logins worth the effort.
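To make the iteration-count point concrete, here is an added example (mine, not LastPass's or any vendor's code) of the offline attack a stolen vault enables. It keeps the real shape of the derivation, PBKDF2-HMAC-SHA256 with the account e-mail as salt, but substitutes a keyed check value for the known-plaintext test a real attacker performs by trial-decrypting a vault field; the e-mail, master passwords and wordlist are constructed sample data. The 5,000 figure is the pre-2018 LastPass default; 600,000 is what OWASP currently recommends for PBKDF2-HMAC-SHA256.

```python
"""Offline dictionary attack against a stolen vault record.

Added example, not code from LastPass or any password manager. Constructed model:
    vault_key = PBKDF2-HMAC-SHA256(master_password, salt = e-mail, N iterations)
plus a keyed check value the attacker can test candidate keys against. In a real
vault the check is decrypting a field whose plaintext format is known (a URL, a
JSON header); an HMAC tag plays that role here so the example needs only stdlib.
"""
from __future__ import annotations

import hashlib
import hmac

LEGACY_ITERATIONS = 5_000     # pre-2018 LastPass default (some older accounts were lower still)
MODERN_ITERATIONS = 600_000   # OWASP's current recommendation for PBKDF2-HMAC-SHA256


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """Derive the 256-bit vault key. The salt is the lower-cased e-mail, i.e. public."""
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        email.lower().encode("utf-8"),
        iterations,
        dklen=32,
    )


def make_check_value(vault_key: bytes) -> bytes:
    """Stand-in for any known plaintext an attacker can verify a candidate key against."""
    return hmac.new(vault_key, b"vault-format-check", hashlib.sha256).digest()


def build_stolen_record(master_password: str, email: str, iterations: int) -> dict:
    """What an attacker holds after a vault theft: everything except the master password."""
    key = derive_vault_key(master_password, email, iterations)
    return {"email": email, "iterations": iterations, "check": make_check_value(key)}


def crack(record: dict, wordlist) -> tuple[str | None, int]:
    """Try each candidate; return (recovered password or None, number of guesses spent)."""
    attempts = 0
    for candidate in wordlist:
        attempts += 1
        key = derive_vault_key(candidate, record["email"], record["iterations"])
        if hmac.compare_digest(make_check_value(key), record["check"]):
            return candidate, attempts
    return None, attempts


def hmac_calls(record: dict, guesses: int) -> int:
    """Attacker's real cost unit: one HMAC-SHA256 per PBKDF2 iteration per guess."""
    return record["iterations"] * guesses


# Constructed sample data (not real accounts or real passwords).
EMAIL = "alice@example.com"
WEAK_PASSWORD = "Summer2017!"
STRONG_PASSWORD = "orbit-velvet-cactus-lantern-quartz"   # not in the wordlist below
WORDLIST = ["password", "letmein", "Summer2016!", "Summer2017!", "correct horse battery staple"]

LEGACY_RECORD = build_stolen_record(WEAK_PASSWORD, EMAIL, LEGACY_ITERATIONS)
MODERN_RECORD = build_stolen_record(WEAK_PASSWORD, EMAIL, MODERN_ITERATIONS)
STRONG_RECORD = build_stolen_record(STRONG_PASSWORD, EMAIL, LEGACY_ITERATIONS)

if __name__ == "__main__":
    for name, rec in [("legacy", LEGACY_RECORD), ("modern", MODERN_RECORD), ("strong-pw", STRONG_RECORD)]:
        found, tries = crack(rec, WORDLIST)
        print(f"{name:10s} iterations={rec['iterations']:>7,} found={found!r} "
              f"after {tries} guesses = {hmac_calls(rec, tries):,} HMAC calls")
```

Run it and the legacy and modern records both fall to the same four-guess dictionary; the only difference is that the modern one costs 120 times as many HMAC calls per guess, while the record with a passphrase outside the wordlist survives regardless of iteration count. That is the whole story of the LastPass cracking: iteration count buys time per guess, a strong passphrase removes the guess from the attacker's list altogether.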
Contrast this with Bitwarden, the open-source password manager that has become the default recommendation among security professionals. Bitwarden's entire codebase — clients, server, and the code that wires up its cryptography — is published on GitHub. Independent security firms have conducted multiple third-party audits, and the results are published publicly. When researchers find issues, they are visible in the issue tracker and fixed in the open. There is no question about iteration counts, encryption schemes, or data handling because anyone with the expertise can read the code and verify: the current default of 600,000 PBKDF2-HMAC-SHA256 iterations, and the option to use Argon2id instead, are constants in the client source, not a promise in a blog post. This is not a guarantee that Bitwarden can never be breached. It is a guarantee that when its developers say how your vault is protected, you can check, so a years-long gap between what the vendor claimed and what its code did, the gap that sank LastPass users, could not go unnoticed in the same way.
The security principle at work here is Kerckhoffs's principle, formulated in 1883 and still the foundation of modern cryptography: a system should be secure even if everything about the system, except the key, is public knowledge. A closed-source product may follow that principle internally, using standard, well-studied algorithms, but it asks you to take that on faith; if any part of its security quietly depends on the implementation staying secret, you only find out when the secret stops being one. Open-source security software embraces the principle in full. The encryption is strong not because no one can see how it works, but because everyone can see how it works, and it holds up anyway.
My Open-Source Security Stack: What I Actually Use
Let me be specific about what I replaced and what I replaced it with. This is not a theoretical exercise — these are the tools I use daily across my personal machines, my phone, and the systems I manage for Compass Reviews. Every one of these tools is free or has a free tier that covers individual use, and every one has source code you can inspect, compile, and self-host if you choose.
My current open-source security stack:
- Password manager: Bitwarden (replaced LastPass) — end-to-end encrypted, audited by Cure53, supports TOTP, passkeys, and organizational vaults. On my personal server I run Vaultwarden, an unofficial Bitwarden-compatible server written in Rust, which gives me complete control over the data at rest; the official clients work against it unchanged, though Vaultwarden itself is not covered by Bitwarden's audits, so weigh that if you self-host. Bitwarden's browser extension auto-fills on every platform, the mobile app supports biometric unlock, and the paid organization plans add SCIM provisioning, with SSO on the Enterprise tier. It is the single most impactful security upgrade most people can make.
- Messaging: Signal for sensitive conversations — open-source and independently audited.
- Browser: Firefox for everyday browsing — open-source, made by a foundation-owned company rather than an advertising business.
- VPN protocol: WireGuard for tunnelling my traffic off untrusted networks — lean and auditable, roughly 4,000 lines of code in its original Linux kernel implementation. Be clear about what a VPN does and does not do: it hides your traffic from the coffee-shop Wi-Fi and your ISP, but whoever runs the far end of the tunnel sees it instead, so an open protocol does not make the endpoint trustworthy.
- Local password storage: KeePassXC (used alongside Bitwarden for cold storage) — an offline, encrypted password database for recovery codes, crypto seeds, and anything I want airgapped. The database file never touches a network. KeePassXC supports hardware key challenge-response with YubiKey, has a built-in TOTP generator, and its database format (KDBX 4) uses Argon2 key derivation (Argon2d, or Argon2id in KDBX 4.1 databases), the same memory-hard family OWASP recommends for password hashing. For anything too sensitive to store in the cloud, KeePassXC is the gold standard, as long as you remember that its security reduces to the master passphrase, the key file or hardware key, and the machine you open it on.
The migration was less painful than I expected. Bitwarden imports directly from LastPass, 1Password, Dashlane, and KeePass formats. Signal took about a week of convincing close contacts to install it — most already had it on their phone and just were not using it. Firefox's sync feature works identically to Chrome's for bookmarks, passwords, and open tabs. WireGuard required the most technical setup, but there are excellent guides from the Arch Wiki and the official documentation, and once configured it is completely maintenance-free.
The daily experience of using these tools is, frankly, indistinguishable from their proprietary counterparts. Bitwarden auto-fills credentials in every browser and on mobile. Signal handles group chats, voice calls, video calls, and file sharing. Firefox renders every website I visit without issue and is measurably faster than Chrome on memory-constrained machines. The idea that open-source software requires sacrificing usability is a decade out of date.
Addressing the Counterarguments
The most common objection I hear is that open-source software is less secure because attackers can read the code and find vulnerabilities. This argument sounds intuitive but is empirically wrong. The Heartbleed vulnerability in OpenSSL, often cited as evidence against open-source security, was discovered and patched because the code was readable. The vulnerability existed for two years before discovery — but proprietary software regularly harbors vulnerabilities for far longer. Microsoft's PrintNightmare and Zerologon vulnerabilities persisted for years in closed-source code that nobody outside Microsoft could audit. The difference is that with open-source, thousands of eyes can look, and the honest caveat is that they must actually do so: Heartbleed survived as long as it did because OpenSSL was chronically underfunded, which is why the Linux Foundation's Core Infrastructure Initiative was created in its aftermath. With proprietary code, you are relying on one company's internal security team and hoping they are good enough.
Another objection is sustainability. Who maintains these tools? Who funds them? This is a legitimate concern, but the landscape has matured. Bitwarden is a commercial company that sells Teams and Enterprise plans and took a $100 million growth investment in 2022. Signal is funded by the Signal Foundation, a nonprofit seeded with $50 million by Brian Acton, co-founder of WhatsApp, who left Meta specifically over privacy disagreements. Mozilla generates over $500 million annually, mostly through search partnerships. WireGuard has been part of the Linux kernel itself since version 5.6, maintained by Jason Donenfeld and a global community. These projects are not fragile side projects — they are well-funded, professionally maintained, and in several cases more financially stable than the proprietary companies they compete with.
A third objection targets self-hosting: not everyone has the technical ability to run their own servers. This is true, and it is also irrelevant. You do not need to self-host to benefit from open-source security tools. Bitwarden's cloud-hosted service works identically to any SaaS product — you sign up, install the extension, and go. Signal requires no server configuration at all. Firefox is a standard desktop application. The option to self-host is an additional benefit for advanced users and organizations, not a requirement. Open-source means the code is transparent, not that you must operate the infrastructure yourself.
The final counterargument worth addressing is the claim that commercial vendors offer better customer support. In my experience, this is more perception than reality. LastPass's support during their breach was widely criticized as slow, evasive, and unhelpful. Okta's post-breach communication was so poor that customers learned the scope of the incident from third-party security researchers, not from Okta itself. Meanwhile, Bitwarden's community forums are active and responsive, Signal has thorough documentation, and Firefox's support resources are extensive. For organizations that need guaranteed SLAs, Bitwarden's enterprise plan includes priority support. The support argument made sense in 2010. It does not hold up in 2026.
The Bigger Picture: Transparency as a Security Requirement
What the LastPass, Okta, and MOVEit incidents should teach us is not just that these specific companies failed. It is that the model of trusting opaque vendors with our most sensitive data is fundamentally broken. When you use a proprietary security tool, you are making a bet that the company behind it has good engineering practices, responsible disclosure policies, competent incident response, honest communication, and aligned incentives. The track record of the last three years suggests that bet loses more often than it wins.
Open-source software is not a guarantee against breaches. No software is. But it changes the trust model in a critical way. Instead of trusting a company's claims about their security, you can verify those claims. Instead of waiting for a breach disclosure that may come months late and heavily lawyered, you can monitor the codebase for changes that affect your security posture. Instead of hoping a vendor's internal audit was rigorous, you can read the audit report yourself — or commission your own. This shift from trust to verification is the same principle that underpins zero-trust networking, reproducible builds, and modern supply chain security. It is time we applied it to the tools we use to protect ourselves.
I am not arguing that every piece of software you use must be open-source. That is impractical and unnecessary. I am arguing that the software responsible for your most critical security functions — managing your passwords, encrypting your communications, protecting your network traffic, safeguarding your browsing privacy — should be transparent and auditable. These are the highest-stakes categories, where a single vendor failure can expose your entire digital life. For everything else, use whatever works. For security, demand to see the code.
The tools exist. They are mature, usable, and in many cases superior to their proprietary competitors. Bitwarden is a better password manager than LastPass ever was. Signal is the most secure messaging app available on any platform. Firefox is a world-class browser backed by an organization that genuinely prioritizes user privacy. WireGuard is the most elegant VPN protocol ever written. KeePassXC is a local vault that keeps nothing in the cloud and has never suffered a breach, because there is no server to breach; its database is exactly as safe as the passphrase, key file or hardware key protecting it and the machine it is opened on. The only thing standing between you and a more secure digital life is inertia.
Make the switch. It takes a weekend. You will wonder why you waited so long.