1 point by u1hcw9nx 4 hours ago | 2 comments
  • u1hcw9nx 4 hours ago
    >We present 12 distinct attacks against Bitwarden, 7 against LastPass and 6 against Dashlane

    They also discuss 1Password. No authentication of public keys, vulnerable to vault substitution attack (it does not authenticate vault keys) and KDF Parameter Downgrade (a malicious server can reduce the iteration count from the default 650,000 iterations to a minimal value of 10,000 iterations).
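
A client-side guard against the KDF parameter downgrade mentioned in the comment above, as an added example that is not part of the thread or of any password manager's code. The parameter dictionary shape, the locally pinned iteration count and all function names are assumptions; PBKDF2-SHA256 is assumed as the KDF.

```python
import hashlib

# Numbers taken from the comment above; the policy itself is an assumption.
DEFAULT_ITERATIONS = 650_000    # default iteration count cited in the thread
DOWNGRADED_ITERATIONS = 10_000  # minimal value a malicious server could send
ALLOWED_ALGORITHMS = {"pbkdf2-sha256"}


class KdfDowngradeError(Exception):
    """Server-supplied KDF parameters are weaker than the client accepts."""


def check_kdf_params(server_params, pinned_iterations=None, floor=DEFAULT_ITERATIONS):
    """Validate untrusted KDF parameters before any key derivation.

    pinned_iterations is the highest count this client has previously used
    for the account (kept in local storage; hypothetical). Returns the
    iteration count to use and to pin for the next login.
    """
    alg = server_params.get("alg")
    iterations = server_params.get("iterations")
    if alg not in ALLOWED_ALGORITHMS:
        raise KdfDowngradeError(f"unexpected KDF algorithm: {alg!r}")
    # bool is a subclass of int in Python, so reject it explicitly.
    if isinstance(iterations, bool) or not isinstance(iterations, int):
        raise KdfDowngradeError("iteration count is not an integer")
    # Never go below the built-in floor or below what was used before.
    required = max(floor, pinned_iterations or 0)
    if iterations < required:
        raise KdfDowngradeError(f"iterations {iterations} below required {required}")
    return iterations


def derive_master_key(password, salt, server_params, pinned_iterations=None):
    """Derive the key only after the parameters pass the check."""
    iterations = check_kdf_params(server_params, pinned_iterations)
    key = hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=32)
    return key, iterations
```

The check runs before the password touches the KDF, so a downgraded response fails closed instead of producing a cheaply brute-forceable derived value.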

  • gnabgib 4 hours ago
    Discussion (84 points, 5 days ago, 83 comments) https://news.ycombinator.com/item?id=47105052