NordPass is the new kid on the secure password manager scene. A sibling of NordVPN, a popular VPN service that has done well in our testing. Given this background, people have had high expectations for NordPass Password Manager. Given that the product is only a few months old, we held off a bit on this review to give them a chance to get their feet under them. After all, some of the big name competitors in this space have been around for a decade or more.
But we’ve waited long enough. Time to put NordPass through the tests and see how it stands up to those competitors.
Let’s begin this NordPass review with a quick look at the pros and cons of this newcomer to the password manager scene:
- End-to-end, zero knowledge encryption
- All items stored in the cloud and on your devices
- Categories for Logins, Secure Notes, Credit Card details
- Data encrypted using XChaCha20
- Key derivation using Argon2
- Data encrypted in transit and at rest
- Optional 2FA support
- Recovery code for account recovery
- Secure sharing of items with other people
- Supports all major operating systems, browsers, and mobile devices
- Based in Panama
- Must provide a valid email address
- May collect and share user data
- May be forced to disclose user data
- No telephone support
- No Identity/Forms category
NordPass feature summary
Here’s a quick summary of the full set of NordPass features:
- Apps for Windows, Mac OS, Linux, iOS, Android, and leading web browsers
- Advanced encryption XChaCha20 and key derivation Argon2 algorithms for superior security
- Zero-knowledge architecture that ensures not even NordPass can read your data
- Flexible authentication options including 2FA and biometrics
- Secure password import/export/sharing
- Based in privacy-friendly Panama and supported by a leading privacy and security company, NordVPN
Tefincom S.A., the parent company of the NordPass Password Manager, began in 2012 with the creation of NordVPN. The company is based in Panama. Panama is not part of the 5 Eyes / 9 Eyes / 14 Eyes intelligence alliances, and does not have any mandatory data retention laws. This makes Panama one of the best places in the world for a privacy and security company to operate.
NordPass Terms of Service
I read through the NordPass Terms of Service (ToS), updated 10/17/19, to see if there was anything in them that you should know about. Here’s what I found:
- The ToS state that you can use the Free version of NordPass without creating an account, but in that case, all your data will be stored only on your device. If you want your data backed up, you need to create an account.
- You can claim a refund within 30 days following your purchase. However, this is not the usual no-questions asked. The company wants a chance to resolve your problem, stating, “…we would like to troubleshoot an issue you experience first. There are common service configuration issues that may hinder the Services for you, and we resolve most of the encountered user issues.”
- Refunds for payments made with cryptocurrencies (yes, NordPass accepts crypto) will be refunded with the same US dollar amount of the same crypto at the current rate of exchange.
- You can cancel a recurring subscription but NordPass will not refund the unused part of the ongoing service period.
- The company encourages you, “let us know about the violation of these Terms by any NordPass users; however, in case of such violations, we may take appropriate action at our sole discretion.”
There is also the typical long list of bad things you can’t use the service for (cyberwarfare, hacking the system, etc.), including this one: you won’t “violate general ethical or moral norms, good customs and fair conduct norms.” I’m not sure how the company would decide on this. Fortunately, thanks to their zero-knowledge design, the chance of this clause coming into effect seems very small.
The service collects a good bit of information about people using the service. In addition to the typical things (email address, billing info), they collect:
- Email optimization data – Including your IP address, location, device information and track the actions such as unsubscribes or email forwards.
- Application diagnostics – Aggregated and anonymized diagnostic information including crash reports.
- Anonymized app usage statistics – Including the number of passwords and secure notes stored, the date when the item was created, how the password was created (e. g. imported, autosaved, created manually), the strength of your passwords in percentage (e. g. 85% of your passwords are very strong), the strength of your master password, the percentage of suggested passwords used, and the number of different folders you have.
- Device information – Such information is logged automatically and may include your IP address, browser type, operating system version and similar non-identifying information.
- Device identifiers – They may record your device’s advertising ID for marketing or analytics purposes. Happily, you can disable the advertising ID in Windows 10.
- Like most others, the company does share your personal information with these outside parties: third party service providers, affiliated companies within their corporate structure, and as needed for legal purposes.
- People under the age of 16 can only use the service under supervision of parents or guardians.
NordPass security audits
NordVPN had some issues in the past. NordPass didn’t exist back then, and the company appears to have addressed the past issues. Even so, it is great to see that NordPass has had serious security assessment. The work was done by Cure53, a German IT company that has conducted audits on Bitwarden and several other security/privacy services in the last few years. How did NordPass make out in the audit? Here’s what the Cure53 report had to say:
Numerous positive observations have been made in relation to the level of detail and adherence to the specification, clarity and readability of the Go code and implementation, overall security of the desktop application, browser extension, as well as iOS and Android branches of the NordPass applications.
– Cure53 Report, 2020 February
Cure53 has also performed security audits on ExpressVPN and other VPN providers.
NordPass offers a complete range of apps for connecting your devices to their servers. This includes:
- Windows, Mac OS, and Linux desktops
- Android and iOS mobile devices
- Browser extensions for Chrome, Firefox, Opera, Brave, Edge, and Vivaldi
You’ve already gotten a glimpse of the Desktop apps, so let’s talk about the mobile apps now.
NordPass mobile apps
The NordPass mobile apps are attractive and have some excellent features, but they get only mediocre scores in their respective app stores. I can only assume that the apps will improve in time, given that the product is only a few months old and the world is in the midst of the Coronavirus madness right now.
On a more positive note, here are some of the features the company has recently added to NordPass mobile apps:
- OCR scanning – To read business cards and written notes and automatically import their content into the NordPass Vault.
- Biometric login – Uses Face ID or the fingerprint reader to log into the vault.
- Autofill – You can configure NordPass to recognize your favorite websites and log you into them with a single click.
- Offline access – Now you can access your NordPass Vault when your device is offline.
- Tablet support – NordPass now supports both Android and iOS tablets.
NordPass browser extensions
The browser extensions give you basic NordPass functionality. You can work with your items and add new items as necessary.
NordPass hands-on testing
For this NordPass review, I installed the 7-day Premium trial version of NordPass on a Windows 10 laptop and a Samsung S9+ smartphone. The Premium version gives you all the features of the free version, along with the ability to share items and the ability to sync and access your passwords across multiple devices. The free version supports only a single simultaneous connected device.
To install NordPass, you download the version for your device and launch it. You’ll be required to enter a valid email address. Nord will send a confirmation email to that address. Clicking the link in the email takes you to a page that will walk you through creating your Master Password and the rest of the installation process. You need to enter both your email address and the Master Password to get access to any of your NordPass items. At the end of the process, NordPass will give you a recovery code that you can use to regain access to your vault if you lose your Master Password.
Next, it will offer you the option to add NordPass to any and all of the web browsers it finds on your system. Once you complete that process, you are ready to use NordPass. The first thing you will see is your empty Password Vault.
You should also see a NordPass icon on the Windows desktop that launches the vault.
NordPass can protect several categories of information:
- Logins – Login information for websites. You can generate new passwords for sites here as well.
- Secure Notes – Freeform (text only) notes such as WiFi login information or important personal notes you want kept safe.
- Credit Cards – Keep copies of all your credit card information here.
- Shared Items – Set up secure sharing of NordPass Vault items here.
- Settings – Adjust how NordPass works, import or export items, and much more.
One category that would be nice to see NordPass add is Identity or Forms. This category is for holding the kind of personal information we constantly need to enter into websites and documents. Things like your name, address, passport number, and so on. Many competitors have a place for this kind of information, such as with LastPass, and I assume that NordPass will add it eventually.
Of course, before you can do anything useful with the vault, you need to add some items to it.
Adding logins and other items to NordPass
Like the other password managers, if you are already using a password manager on your device, NordPass may be able to automatically import items from that product. Given what a pain in the neck it is to manually enter all your passwords, let’s hope that NordPass can import from the password manager you are currently using.
You do this on the Import/Export tab of Settings. Here is what the import options look like as of mid-March 2020.
The Other option at the bottom of the list is for importing items from other sources. It accepts CSV files from wherever, and gives you at least a fighting chance to import all that data instead of entering it manually.
Manually entering logins and other items
Of course, you can also enter items manually. Simply decide what category it belongs in, open that section of the NordPass Vault, and click the Add link. NordPass will display the appropriate form to enter the data for the item. Here’s what the form for entering Logins looks like:
As you can see, the form can also generate a password if you need one. We’ll talk about the password generator in more detail in the next section.
Letting NordPass capture Logins itself
There is one additional way to get login information into NordPass: let the app capture the information itself. If you log into a website while NordPass is installed and active, it can capture that login information. Once you log in, you should see a box like this one, asking if you want to save the login information.
The next time you visit that website, you can click a NordPass icon in one of the login fields to log into the website.
Working with your passwords
To work with your items, open the NordPass Vault and use the Search NordPass box to find the particular item you are interested in. Options that are relevant to the type of the object will appear to the right, like this:
Alternatively, you can double-click the item name itself to open the item for editing.
That’s really all you need to know… except we still need to talk about the password generator.
NordPass password generator
In this age of endless hacking and spying, it is vital that you have a strong password for each website you rely on. The NordPass password generator makes it easy to create those strong passwords.
When you need a password for an item, simply open that item in the NordPass Vault and click the Generate link. The following dialog box will appear with a brand new password for you.
The default password length is 12 characters, but the generator can create passwords as long as 60 characters, surely enough to protect even the most valuable information.
The generator gives you additional options for special requirements, including the ability to create passwords with or without:
- Uppercase characters
- Lowercase characters
- Ambiguous characters
While there is nothing particularly outstanding about the NordPass password generator, it is quite acceptable and should meet all but the most exotic password needs.
Note: You can use a web-based version of the password generator on this page.
NordPass in action
Using NordPass is straighforward.
When you visit a webpage that accepts login credentials you will normally see the NordPass icon in any input fields that NordPass recognizes. Having these icons appear in recognized fields can speed up your logins slightly.
Note: Placing the icons in recognized fields contrasts with password managers like our top pick, Bitwarden. Bitwarden requires you to click its icon in the top right corner of the browser window to see your login options. While the difference in speed is tiny, you’ll be happy to know that NordPass uses the “faster” approach.
Click one of those icons and NordPass will display a LOG IN WITH list (circled in red below) with all the Logins it has stored for that particular site.
Be aware that some websites use nonstandard login screens. This means that NordPass might not always be able to fill the fields for you. In such a case, you can go into the NordPass Vault and open the item manually, copying any data you need and pasting it into the appropriate locations on the webpage.
For other items
To work with Secure Notes, Credit Cards, Shared Items (or even the NordPass Trash bin) open the NordPass Vault and navigate to the item you want to work with.
Additional NordPass features
As NordPass is still new on the scene, its feature list is still growing. Here are some of features that boost the value of this newcomer:
Password Strength Checker
NordPass has a standalone password strength checker that you can reach here. Enter a password here and the site will not only rate the strength of any password you enter, it will show you characteristics your password lacks (no uppercase characters or less than 12 characters long, for example). It will also tell you if the password you entered has appeared in any data breaches.
Random username generator
This tool helps you generate random usernames that take the form of strings of words that would be relatively easy to remember while still being random and hard to guess. Try it out here.
Two-factor authentication (2FA)
For additional security, you can enable two-factor authentication for NordPass Password Manager. Configure NordPass to work with a mobile authenticator such as Google Authenticator or Duo Mobile, and you’ll need to enter the authentication code they generate before you can log in to NordPass. You can find the instructions for enabling 2FA on this page.
If you are a Premium plan member you can share items with other NordPass users. Items you share will also appear in the Shared Items section of the NordPass Vault, making it easy to keep track of what you have shared and with whom. While you must be a Premium plan member to share your items, the people you share them with can be Free plan members.
To ensure that no one snoops on the items you share with another NordPass user, you can turn them into a Trusted Contact. By exchanging public keys you create an encrypted connection with that user that you can count on to be secure. More details here.
NordPass customer support is provided by the support team at NordVPN, which I have found to be very good. They provide 24/7 support by email, and have a presence on Twitter and Facebook. The Help center has a good collection of useful articles which will probably grow as the product gets more use.
How secure and private is NordPass?
Remember that NordPass just passed a comprehensive security audit by Cure53. Combine that with client-side encryption using advanced algorithms like XChaCha20 and Argon 2, I think we can declare the product secure.
NordPass Password Manager prices
NordPass pricing is pretty simple. There is a Free plan and three Premium plans. Let’s see what you get with each and see what kind of value they offer.
The Free plan is, of course, free of charge. This plan has a few limitations which might motivate you to upgrade to a Premium plan. Here are the drawbacks to the Free plan:
- You can only have one active NordPass session at a time. For example, if you are using NordPass on your desktop and decide to fire it up on your phone, you will be logged out of your desktop.
- You can’t share encrypted passwords with other people. You can receive shared passwords from others but you can’t share your passwords with them.
- You can’t have Trusted Contacts.
Premium price plans
If you move up to a Premium plan you get several benefits. These include:
- You can use NordPass on up to six devices simultaneously.
- You can share your encrypted passwords with other people.
- You can use Trusted Contacts.
So now the question is, how much will these extra benefits cost you? That depends on which plan you choose:
The 1-month plan is currently $4.99 per month. That’s a higher price than most of the competing products I’ve reviewed, and they are all more mature with more features.
Things improve quickly when you move to longer-duration plans. The 1-year plan costs $35.88 billed every year. That makes its equivalent monthly price $2.99.
The 2-year plan is an even better deal. It runs $59.76 billed every two years, for an equivalent monthly price of $2.49. This puts it in line with the rest of the industry leaders.
If you are looking at NordPass you are probably looking for a basic password manager with good security. In that case, I suggest you investigate Bitwarden. They offer a strong free plan, and their Premium plan includes important things that NordPass lacks, like that Identity category we are waiting for. The Bitwarden code is open source and has been audited by Cure53.
If you are looking for extra strong encryption, you might consider 1Password. It is a quality product that offers good value at a reasonable price The security model is excellent, and their Support team gets great reviews. In addition, their Travel Mode is a great idea that I would love to see implemented in other password managers.
NordPass review conclusion
NordPass is a promising start from one of the leaders in the VPN space, NordVPN. While it handles all the basics well, it doesn’t yet match the competition, either in features or in bang for the buck. With time, NordPass could become a contender in the secure password manager space, but they aren’t there yet.
Password Managers – Our main guide on this topic.
Password Manager Reviews – Other reviews we’ve done.
Privacy Tools – An in-depth list of important privacy and security tools to keep your data safe.