We’ve been testing many password managers over the years and there’s one question that continually comes up: What is the best password manager?
The answer to this is a bit tricky, since there is no one-size-fits-all solution, and the best password manager varies for every user. It all depends on your needs and what you want your password manager to do. And of course, in an age of increasing security threats and risks, you not only need a good password manager, you also need to be able to create strong passwords.
Best password managers for 2022
So let’s cut to the chase.
Here are the best password managers that weāve tested:
NordPass ā Best password manager app with premium features
You might consider NordPass to be the younger brother of NordVPN, one of the best VPN services we’ve tested to date. NordPass seems to benefit from the years of experience gained by the Nord team. It is easy to use and backed up by the full resources of Nord.
NordPass uses the advanced XChaCha20 encryption protocol to ensure that no one can hack your passwords by breaking the encryption. We found NordPass easy to install and configure, and it comes right out of the gate with clients for Windows, mac OS, Linux, iOS, Android, and all the major web browsers.
We’re happy to report that Nord’s engineers addressed the one glaring problem we had with the initial release of NordPass–the lack of a category for personal information. NordPass 2 fixed that problem and has numerous minor changes that make the password manager even easier to use than before. The NordPass user interface is not only easier to use and more logical than before, it is very similar to that of NordLocker, another new member of the Nord family of security products.
While NordPass isn’t open source, the fact that it comes from one of the most trusted companies in the internet security space, and the fact that the product got good marks in its recent independent security audit make us comfortable recommending you take advantage of the NordPass free trial before choosing your next password manager.
See our NordPass review for more info.
Bitwarden ā Free, open-source password manager app
Bitwarden has been around since 2016 and it is currently my top pick for the best password manager. It is completely open source, has been audited, and offers some great apps and browser extensions.
Bitwarden stores credentials securely in the cloud, but can also be used offline in a read-only state. This functionality offers great cross-platform compatibility, allowing your passwords to be synced and accessed by simply logging in to your account. Encryption is carried out locally, with data stored securely on Bitwarden servers. And if you donāt want to store anything on Bitwarden servers (cloud), you can host your own Bitwarden instance.
The free version should provide ample features and functionality for most users, but you can also upgrade to different paid plans. While we love Bitwarden, 1Password might be a better choice for enterprise clients.
Whichever plan you choose, it is easy to make the move to Bitwarden. Thatās because Bitwarden knows how to import your passwords from over 40 password managers, as well as from most web browsers.
https://bitwarden.com/
See our Bitwarden review for more details.
1Password ā A secure password manager app
All the best password managers use strong encryption to keep your data secure. But even the strongest encryption is vulnerable if you choose a weak master password. Thatās because your master password is used as the encryption key for your data. And easy to remember master passwords are usually weak master passwords. 1Password solves this problem with an auto-generated Secret Key. The Secret Key is combined with your master password to create an uncrackable encryption key, one much stronger than you could possibly memorize.
1Password securely stores your credentials in the cloud, while maintaining an encrypted copy on your devices for those times when you donāt have an internet connection. Their innovative Travel Mode lets you remove credentials from your device with just a few clicks. This protects your privacy from overly inquisitive border guards or anyone else who might get their hands on your device. It only takes moments to restore the removed credentials once you are somewhere safe.
1Password is not open source, but both the company and the software have gotten good marks in recent independent security audits. 1Password plans has plans for every audience, from individual users to large enterprises.
Get started with 1Password here >>
See our 1Password review for more details.
KeePassXC ā Locally-hosted password manager
Unlike Bitwarden, which stores passwords securely in the cloud, KeePassXC stores passwords locally and requires no internet connection. Not hosting password in the could somewhere has both advantages and disadvantages. And with all the news of cloud security issues, we can understand how people could be nervous with data stored elsewhere.
Hereās a brief explanation of KeePassXC from their website:
KeePassXC is a community fork of KeePassX, a native cross-platform port of KeePass Password Safe, with the goal to extend and improve it with new features and bug fixes to provide a feature-rich, fully cross-platform and modern open-source password manager.
KeePassXC is very powerful and flexible, but it is more geared to engineers, computer professionals, and other technically-inclined people than our other favorites.
The KeePassXC project is open source with regular updates and improvements, which you can follow on their blog.
Get started with KeePassXC here >>
Our KeePass review has more info on both KeePass and KeePassXC.
We will continue to update this guide with new info and any other changes to our recommendations.
Feel free to leave your feedback below.
This guide on the best password managers was last updated on January 10, 2022.
Not exactly a manager and certainly not a solution for all demands, but I was missing at least some hint at vaultless, on-the-fly generators in the vein of LastPass. It’s been years since I last used any of those clumsy and often weighty “traditional” managers with some sort of retention, safe or “vault”, it never felt quite right anyway. Especially at the point when you’d need a whole database, you’re probably doing something wrong more generally and would be better served with dedicated hardware/devices/cards. With very few exceptions for technical or practical reasons however I use LastPass for everything now, and before that already some similar, non-commercial though inferior realization implemented in Go. You may find others, although hardly as feature complete as LP. Don’t get confused, LastPass is partly commercial and there is a web interface but the relevant code’s on GitHub and can be used as is, or if you prefer only locally: I use the website only for mobile logins. Other than that it’s a foundation, no out-of-the-box solution like what is dealt with above, but with only a little scripting I was able to easily answer most of my needs and my setup is probably more comfortable, certainly more individual than anything the ready-mades could deliver. It won’t get more platform independent than that. It’s more elegant to compute your passwords than to statically stuff them somewhere like it’s some sort of treasure when a password should be throw-away. Is it also efficient? Intuitive? YMMV.
Another open-source password manager here. Padloc, which passed security audit.
https://padloc.app/blog/security-audit-ncc/
Advantages of Padloc:
– You can set the master password right from the Padloc app and not via your browser. This will avoid phishing attacks.
– With Bitwarden, you need to login to Bitwarden Vault via your browser and not from the app to change the master password.
– More beginner friendly as they encourage beginners to use passphrase instead of password.
– For review, you can search for Padloc review on ITSFoss.
– Data is hosted in Germay and not in the US according to their FAQs.
https://docs.padloc.app/questions/#why-should-i-trust-you%3F
Here is a question after several weeks of searching, and I will post here and on the browser page.
With all this talk about a third party password managers. There are indeed positives but also some negatives to this.
However, on KeePass, the passwords are not on the cloud server.
This brings me to the question about browser passwords. Normally no.
But Brave is open source. They do not store passwords in the cloud, and then any sync is done with client side encryption with encrypted pass phrase.
https://community.brave.com/t/is-brave-built-in-password-manager-safe/261968
This keeps the passwords encrypted on my end and then shared between my own devices.
Would you all consider this secure to use?
Absolutely not. I just found a third party freeware utility pack that can read Chromium passwords. Saving passwords on the cloud is not without its risks, but it certainly seems safer than storing it locally using the built-in Chromium password features.
Personally, I found that if you’re using Bitwarden on an iPhone/iPad or a PC it’s really good. However, with Android the developers don’t care much.
The Android version is painfully slow to retrieve your cloud log-ins and passwords. In contrast, with iOS, regardless of how old your device is, it’s almost instantaneous. Autofill rarely works on Android devices.
I think this is another example where Android was once ‘king’ in terms of developers preferring it over iOS, but that’s no longer the case it seems. Even many banking apps lack biometric features on Android but are the norm with iOS.
Hi SJ,
“iām no expert and this doesnāt *fully* answer your question, but ā 1password has a built-in TOTP qr code reader (compatible with just inputting the secret code as well), i donāt have an authenticator app downloaded and just use 1passwordās feature.”
I’m currently a paid user of Bitwarden. As well as the password manager, the paid version of Bitwarden contains totp 2FA. However, I’m in agreement with those who recommend not using a combined password manager & 2FA feature in the same app. That is since if a hacker manages to breach the defences of that product, it is catastrophic that they can steal passwords and totp info. Having 2FA in a separate product from the password manager provides an additional level of defence.
I think your point has some truth to it but keep in mind Bitwarden has AES-256 encryption making it extremely difficult for hackers to penetrate. There is the possibility of monitoring keystrokes through viruses, but using an open source keyboard app can make this difficult too.
To the best of my knowledge and up until recently, iOS did not have open source 2FA apps. Thankfully, now they do such as Raivo OTP & Tofu Authenticator. So the “all-in-one” solution was the best choice given the circumstances at the time.
Review Myki
They have been bought .. sadly … it was the best ( easy and functional) and more secure option even if it was not open source. I wish BitWarden get something from them. The non-cloud solution is great if you have devises spread in different locations . I feel the interface was quite convenient
how about Roboform I have used it for years, have tried others but always come back to roboform, am trying bitwarden now but I think roboform is easier
RoboForm doesn’t look like it’s open source so, in my view, is a reason not to use it. If you like it great! More power to you. But please be aware proprietary software enables the company that owns RoboForm to change the terms at any time and without notice. Meaning at some point you could become their product.
It will be a great add on a review of Myki pass manager
Great article as always Sven!
Do you know of any password managers that incorporate SSO (SAML) along with a traditional password vault for sites that do not support SSO? Would be nice to login once and then simply pass the auth tokens to sites instead of username / pass combo. Makes it easier to rotate passwords since its all tied to the SSO identity.
Hi Sven and everyone,
1) I’ve read this week re Redline malware exfiltrating passwords from browsers. If password exfiltration malware written to specifically target password managers, gets on to a device that is using a password manager such as Bitwarden, what’s to stop the malware exfiltrating the passwords from Bitwarden when Bitwarden is running in unlocked state?
2) Given the value of the data in password managers, I see why it makes sense to 2FA protect the password manager. Is there vulnerability in having a password manager on the same device as a 2FA smartphone app? I ask in the context of vulnerability to the services stored in the password manager that have 2FA tokens in the 2FA app.
1. Bitwarden can only be accessed through your master password. While Bitwarden does have browser extensions, these are connected to the password manager app on your desktop. So the Redline malware issue would not pose an issue for Bitwarden users, even if it was “unlocked” so far as I can tell.
2. No I don’t think that is an issue, and it’s still better than not having any 2FA at all. We have an article on 2FA options here.
Thanks Sven for the prompt reply you gave.
Please allow me to try to clarify my question which wasn’t intended to be Redline specific. To try to clarify:
1) Is it possible for Malware on an infected machine to exfiltrate the numerous user ids and passwords that are stored in Bitwarden, when Bitwarden is running in an unlocked state (if the malware has been written to specifically target password managers such as Bitwarden)?
2) I 100% acknowledge the benefits of 2FA and recommend 2FA to friends and family before I recommend password managers. My question is perhaps better phrased as this; does installing a password manager (e.g. Bitwarden, KeepassXC) on a device, potentially introduce a vulnerability that doesn’t exist when a device has a 2FA app (e.g. Aegis, Authy, Microsoft Authenticator) but not a password manager? In other words does having a 2FA and a password manager on the same device, introduce a potential vulnerability that can be exploited by malware seeking to extract the stored passwords from the password manager and the totp tokens that are in the 2FA app?
I hope this clarifies my questions.
Re the 2FA article, it would be great if you could also add reviews of 2FA smartphone apps.
Thanks again for this great website.
i’m no expert and this doesn’t *fully* answer your question, but – 1password has a built-in TOTP qr code reader (compatible with just inputting the secret code as well), i don’t have an authenticator app downloaded and just use 1password’s feature.
Sven,
What about Codebook? I understood that to be really good app.
What’s the opinion of Brave browser’s native Autofill/Pass feature? Running on Mint 20.2 desktop only. Safe?
Hi Sven!
Just wondering if it worth to mention Unix Pass? [https://www.passwordstore.org/]
The passwords are encrypted with the users own GPG key, they can be stored in any git repository (Github, Gitlab, Bitbucket, own server, whatever), therefore can synced between computers/phones. There are many ways to use it beside the command line: browser plugins, Alfred workflows, cross-platform clients.
Am I right if I say, the best privacy is if I donĀ“t have to agree any terms and conditions to a 3rd party provider?
Oh too bad! Mozilla is ending its support for Firefox Lockwise effective mid-December. As an alternative, I suggest Bitwarden which is on both iOS and Android.
https://www.zdnet.com/article/mozilla-ends-support-for-firefox-lockwise-password-management-app-strands-ios-users/
Hi Sven,
I see Sticky Password is not included in your list, although it is one of the popular password managers.
Could we get a review on it too?
@Jimmy please scroll down. Someone also raised the issue of Sticky Password a short time ago and I replied outlining why I thought it was not a good password manager.
Have you tested or investigated Abine Blur Password manager? There is a cost/premium but was checking to see what your thoughts were on this product. thanks
Hi Thomas, no, we have not gotten to that one.
Any one know any good 2fa authenticator, wont spy on you itself by the app,? Thanks
Aegis seems to be gaining credibility as an OSS 2FA app, taking over the space previously filled by andOTP which I believe I read the developer is scaling his involvement (anyone knows better, feel free to correct me).
I welcome a review of 2FA apps by the gurus who do such a great job running this website.
Mozilla is working on incorporating their password manager, Lockwise, into Firefox mobile browser that can be utilized with other apps.
https://www.androidpolice.com/2021/09/08/mozilla-wants-to-make-its-password-manager-obsolete-with-firefox-93-beta-apk-download/
Any thoughts on Firefox Lockwise?
It’s pretty good, but I’d still recommend one of the dedicated password managers discussed in the article.
This was a good move on Google’s part since NFC keys tend to be more secure than others who are not.
https://www.bleepingcomputer.com/news/security/google-drops-bluetooth-titan-security-keys-in-favor-of-nfc-versions/
Hi, what do you think about Remembear?
It doesn’t look like Remembear is open source. If not, I would not use it. I suggest Bitwarden as an alternative since it has much of the same features as Remembear but is cheaper. Remembear costs $6US a month while Bitwarden is $10US a year and you can buy more data if you need to.
https://bitwarden.com/