We’ve been testing many password managers over the years and there’s one question that continually comes up: What is the best password manager?
The answer to this is a bit tricky, since there is no one-size-fits-all solution, and the best password manager varies depending on your needs and uses. And of course, in an age of increasing security threats and risks, you not only need a good password manager, you also need to be able to create strong passwords.
Best password managers for 2022
So let’s cut to the chase.
Here are the best password managers that we’ve tested:
Bitwarden – Free, open-source password manager app
Bitwarden has been around since 2016 and it is currently my top pick for the best password manager. It is completely open source, has been audited, and offers some great apps and browser extensions.
Bitwarden stores credentials securely in the cloud, but can also be used offline in a read-only state. This functionality offers great cross-platform compatibility, allowing your passwords to be synced and accessed by simply logging in to your account. Encryption is carried out locally, with data stored securely on Bitwarden servers. And if you don’t want to store anything on Bitwarden servers (cloud), you can host your own Bitwarden instance.
The free version should provide ample features and functionality for most users, but you can also upgrade to different paid plans. While we love Bitwarden, 1Password might be a better choice for enterprise clients.
Whichever plan you choose, it is easy to make the move to Bitwarden. That’s because Bitwarden knows how to import your passwords from over 40 password managers, as well as from most web browsers.
https://bitwarden.com/
See our Bitwarden review for more details.
NordPass – Best password manager app with premium features
You might consider NordPass to be the younger brother of NordVPN, one of the best VPN services we’ve tested to date. NordPass seems to benefit from the years of experience gained by the Nord team. It is easy to use and backed up by the full resources of Nord.
NordPass uses the advanced XChaCha20 encryption protocol to ensure that no one can hack your passwords by breaking the encryption. We found NordPass easy to install and configure, and it comes right out of the gate with clients for Windows, mac OS, Linux, iOS, Android, and all the major web browsers.
We’re happy to report that Nord’s engineers addressed the one glaring problem we had with the initial release of NordPass–the lack of a category for personal information. NordPass 2 fixed that problem and has numerous minor changes that make the password manager even easier to use than before. The NordPass user interface is not only easier to use and more logical than before, it is very similar to that of NordLocker, another new member of the Nord family of security products.
While NordPass isn’t open source, the fact that it comes from one of the most trusted companies in the internet security space, and the fact that the product got good marks in its recent independent security audit make us comfortable recommending you take advantage of the NordPass free trial before choosing your next password manager.
See our NordPass review for more info.
1Password – A secure password manager app
All the best password managers use strong encryption to keep your data secure. But even the strongest encryption is vulnerable if you choose a weak master password. That’s because your master password is used as the encryption key for your data. And easy to remember master passwords are usually weak master passwords. 1Password solves this problem with an auto-generated Secret Key. The Secret Key is combined with your master password to create an uncrackable encryption key, one much stronger than you could possibly memorize.
1Password securely stores your credentials in the cloud, while maintaining an encrypted copy on your devices for those times when you don’t have an internet connection. Their innovative Travel Mode lets you remove credentials from your device with just a few clicks. This protects your privacy from overly inquisitive border guards or anyone else who might get their hands on your device. It only takes moments to restore the removed credentials once you are somewhere safe.
1Password is not open source, but both the company and the software have gotten good marks in recent independent security audits. 1Password plans has plans for every audience, from individual users to large enterprises.
Get started with 1Password here >>
See our 1Password review for more details.
KeePassXC – Locally-hosted password manager
Unlike Bitwarden, which stores passwords securely in the cloud, KeePassXC stores passwords locally and requires no internet connection. Not hosting password in the could somewhere has both advantages and disadvantages. And with all the news of cloud security issues, we can understand how people could be nervous with data stored elsewhere.
Here’s a brief explanation of KeePassXC from their website:
KeePassXC is a community fork of KeePassX, a native cross-platform port of KeePass Password Safe, with the goal to extend and improve it with new features and bug fixes to provide a feature-rich, fully cross-platform and modern open-source password manager.
KeePassXC is very powerful and flexible, but it is more geared to engineers, computer professionals, and other technically-inclined people than our other favorites.
The KeePassXC project is open source with regular updates and improvements, which you can follow on their blog.
Get started with KeePassXC here >>
Our KeePass review has more info on both KeePass and KeePassXC.
We will continue to update this guide with new info and any other changes to our recommendations.
Feel free to leave your feedback below.
This guide on the best password managers was last updated on January 10, 2022.
Personally, I found that if you’re using Bitwarden on an iPhone/iPad or a PC it’s really good. However, with Android the developers don’t care much.
The Android version is painfully slow to retrieve your cloud log-ins and passwords. In contrast, with iOS, regardless of how old your device is, it’s almost instantaneous. Autofill rarely works on Android devices.
I think this is another example where Android was once ‘king’ in terms of developers preferring it over iOS, but that’s no longer the case it seems. Even many banking apps lack biometric features on Android but are the norm with iOS.
Hi SJ,
“i’m no expert and this doesn’t *fully* answer your question, but – 1password has a built-in TOTP qr code reader (compatible with just inputting the secret code as well), i don’t have an authenticator app downloaded and just use 1password’s feature.”
I’m currently a paid user of Bitwarden. As well as the password manager, the paid version of Bitwarden contains totp 2FA. However, I’m in agreement with those who recommend not using a combined password manager & 2FA feature in the same app. That is since if a hacker manages to breach the defences of that product, it is catastrophic that they can steal passwords and totp info. Having 2FA in a separate product from the password manager provides an additional level of defence.
I think your point has some truth to it but keep in mind Bitwarden has AES-256 encryption making it extremely difficult for hackers to penetrate. There is the possibility of monitoring keystrokes through viruses, but using an open source keyboard app can make this difficult too.
To the best of my knowledge and up until recently, iOS did not have open source 2FA apps. Thankfully, now they do such as Raivo OTP & Tofu Authenticator. So the “all-in-one” solution was the best choice given the circumstances at the time.
Review Myki
They have been bought .. sadly … it was the best ( easy and functional) and more secure option even if it was not open source. I wish BitWarden get something from them. The non-cloud solution is great if you have devises spread in different locations . I feel the interface was quite convenient
how about Roboform I have used it for years, have tried others but always come back to roboform, am trying bitwarden now but I think roboform is easier
RoboForm doesn’t look like it’s open source so, in my view, is a reason not to use it. If you like it great! More power to you. But please be aware proprietary software enables the company that owns RoboForm to change the terms at any time and without notice. Meaning at some point you could become their product.
It will be a great add on a review of Myki pass manager
Great article as always Sven!
Do you know of any password managers that incorporate SSO (SAML) along with a traditional password vault for sites that do not support SSO? Would be nice to login once and then simply pass the auth tokens to sites instead of username / pass combo. Makes it easier to rotate passwords since its all tied to the SSO identity.
Hi Sven and everyone,
1) I’ve read this week re Redline malware exfiltrating passwords from browsers. If password exfiltration malware written to specifically target password managers, gets on to a device that is using a password manager such as Bitwarden, what’s to stop the malware exfiltrating the passwords from Bitwarden when Bitwarden is running in unlocked state?
2) Given the value of the data in password managers, I see why it makes sense to 2FA protect the password manager. Is there vulnerability in having a password manager on the same device as a 2FA smartphone app? I ask in the context of vulnerability to the services stored in the password manager that have 2FA tokens in the 2FA app.
1. Bitwarden can only be accessed through your master password. While Bitwarden does have browser extensions, these are connected to the password manager app on your desktop. So the Redline malware issue would not pose an issue for Bitwarden users, even if it was “unlocked” so far as I can tell.
2. No I don’t think that is an issue, and it’s still better than not having any 2FA at all. We have an article on 2FA options here.
Thanks Sven for the prompt reply you gave.
Please allow me to try to clarify my question which wasn’t intended to be Redline specific. To try to clarify:
1) Is it possible for Malware on an infected machine to exfiltrate the numerous user ids and passwords that are stored in Bitwarden, when Bitwarden is running in an unlocked state (if the malware has been written to specifically target password managers such as Bitwarden)?
2) I 100% acknowledge the benefits of 2FA and recommend 2FA to friends and family before I recommend password managers. My question is perhaps better phrased as this; does installing a password manager (e.g. Bitwarden, KeepassXC) on a device, potentially introduce a vulnerability that doesn’t exist when a device has a 2FA app (e.g. Aegis, Authy, Microsoft Authenticator) but not a password manager? In other words does having a 2FA and a password manager on the same device, introduce a potential vulnerability that can be exploited by malware seeking to extract the stored passwords from the password manager and the totp tokens that are in the 2FA app?
I hope this clarifies my questions.
Re the 2FA article, it would be great if you could also add reviews of 2FA smartphone apps.
Thanks again for this great website.
i’m no expert and this doesn’t *fully* answer your question, but – 1password has a built-in TOTP qr code reader (compatible with just inputting the secret code as well), i don’t have an authenticator app downloaded and just use 1password’s feature.