Password Managers
last updated 2026-06-17 · 4 recommendations
If you do exactly one thing from this entire site, do this. A password manager
gives every account a strong, unique password you never have to remember,
which means one leaked site can't unlock the rest of your life.
before you pick
Any password manager, the one built into your browser included, beats
reusing passwords.
Don't agonize over the choice; the win is using one at all.
Pick one, set a long memorable master passphrase, and turn on
2FA for the vault itself.
what actually matters
audits & track record
You're trusting this thing with everything. Open code is one route to that trust; relentless third-party audits and a clean history are another. Insist on at least one.
zero-knowledge encryption
The vault must be encrypted on your device, with a key derived from your master password, before anything is uploaded. The provider should hold only ciphertext it cannot read.
company trajectory
A vault is a decade-long relationship. Leadership changes, quiet edits to public commitments, and private-equity fingerprints matter as much as the cryptography.
export & escape
You should be able to export your vault to a standard format anytime. Lock-in on a password manager is lock-in on everything.
recommendations

1Password
the default pick
🇨🇦 canada · closed source · heavily audited · secret key · ~$48/yr billed annually
Best-in-class UX (polished, intentional, smoother than anything else in the
category) on top of a hardened, thoroughly audited architecture. The "Secret
Key" design derives the vault key from both your master password and a random
128-bit key kept only on your devices, so a stolen or phished master password
alone can't decrypt your vault, even with a copy of the server's data.
The trade-off is real: closed source and subscription-only are
an ideological compromise, but an acceptable one given the company's track
record, and given what's been happening at the alternative below.
good
- Genuinely best-in-class apps, autofill, and onboarding
- Secret Key adds real protection against server-side breaches
- Regular public audit reports and a strong security team
- Travel Mode hides chosen vaults at border crossings
mind the
- Closed source: trust is reputational + architectural, not fully auditable
- Prices rose in March 2026: about +33% Individual, +20% Families
- No free tier, subscription only
- No self-hosting option
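The zero-knowledge and Secret Key points above, as an added illustration in Python. This is not 1Password's code: the key derivation mirrors the shape of a two-secret design (slow hash of the password, then bound to a device-held 128-bit secret), the round count is an assumption, and the encrypt-then-MAC stream built from HMAC is a stdlib-only, hypothetical stand-in for the AES-GCM a real product would use. The sample password, salt and vault contents are constructed.

```python
"""Two-secret key derivation plus a client-side encrypted vault.

Added illustration, not 1Password's code. The shape is the point: the
vault key comes from BOTH the master password and a random 128-bit
secret that lives only on the user's devices, so a server breach plus a
phished password still yields nothing. Real products use PBKDF2/Argon2
and AES-GCM; the encrypt-then-MAC stream cipher here is a stdlib-only,
hypothetical stand-in so the script runs anywhere.
"""
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 600_000  # assumption: a plausible work factor for PBKDF2-HMAC-SHA256


def derive_vault_key(password: str, secret_key: bytes, salt: bytes) -> bytes:
    """Slow-hash the password, then bind the result to the device-held secret.

    The slow hash makes guessing the (human) password expensive; mixing in
    the 128-bit secret key with HMAC makes the output unguessable even to
    someone who knows the password outright. Losing either input loses the key.
    """
    pw_part = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.new(secret_key, pw_part, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 run in counter mode: a toy keystream, not a real cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(key: bytes) -> tuple[bytes, bytes]:
    """Separate encryption and MAC keys derived from the vault key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def encrypt_vault(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC on the client. nonce || ciphertext || tag is all the server sees."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_vault(key: bytes, blob: bytes) -> bytes:
    """Check the tag before touching the ciphertext; any wrong key fails here."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered vault")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def breach_scenario(password: str, secret_key: bytes, salt: bytes, plaintext: bytes) -> dict:
    """Who can open the vault once the server's copy has leaked?

    Keys: 'owner' has both secrets; 'password_only' is the phished-password
    attacker holding the leaked blob, who can only guess the 2^128 secret key
    (one guess shown); 'secret_key_only' stole the device secret but not the
    password.
    """
    blob = encrypt_vault(derive_vault_key(password, secret_key, salt), plaintext)

    def can_open(pw: str, sk: bytes) -> bool:
        try:
            return decrypt_vault(derive_vault_key(pw, sk, salt), blob) == plaintext
        except ValueError:
            return False

    return {
        "owner": can_open(password, secret_key),
        "password_only": can_open(password, bytes(16)),  # one of 2^128 possible guesses
        "secret_key_only": can_open("", secret_key),
    }


if __name__ == "__main__":
    # Constructed demo values; a real salt is random per account.
    sk = secrets.token_bytes(16)
    print(breach_scenario("correct horse battery staple", sk,
                          b"constructed-salt", b"example.com: hunter2"))
```

The output to look at is the dictionary: only the holder of both secrets opens the vault. That is the property the page is buying with the Secret Key, and it is also why losing the Secret Key (the emergency kit further down) locks you out just as surely as forgetting the passphrase.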

Bitwarden
the open-source pick, watch it
🇺🇸 usa · open source · audited yearly · self-hostable · free · ~$19.80/yr
Still technically excellent: open source, audited yearly, a genuinely usable
free tier, and self-hostable via Vaultwarden. The hesitation is
company-level, not technical. The longtime CEO moved
to an advisory role without any announcement, replaced by an executive whose
background centers on M&A at private-equity firms; the CFO changed just as
quietly; "Inclusion" and "Transparency" disappeared from the company's stated
values in favor of "Innovation" and "Trust", with old blog posts edited
retroactively; and the "always free" language vanished, then reappeared after
pushback. That pattern reads like pre-acquisition groundwork: the same
trajectory that once drove people away from LastPass. Founder Kyle Spearrin
has pushed back publicly, calling the leadership changes unrelated to each
other and the free-tier wording change a marketing mix-up.
good
- Fully open source with annual third-party audits
- Usable free tier: unlimited entries and devices
- Self-hosting via Vaultwarden decouples you from the company entirely
- May yet recover credibility: the code hasn't changed, the boardroom has
mind the
- Unannounced leadership changes and quietly edited public commitments
- New executive profile suggests an exit is being prepared
- Premium price roughly doubled (to ~$19.80/yr), its first price change in about a decade
- If an acquisition lands, re-evaluate immediately: export early, not late

KeePassXC
the local-only pick
offline · open source · no account · kdbx format · free
No cloud, no account, no company: your vault is a single encrypted file on
your own disk. Nothing leaves your machine unless you move it.
Even if you run 1Password or Bitwarden day to day, keep a periodic KeePassXC
export as a local encrypted backup: it decouples your credentials from any
single vendor's future, which is precisely the risk the entries above are
wrestling with.
good
- No third party to trust: the file never leaves you
- Open, documented format (KDBX) readable by many apps, including KeePassDX on Android
- Built-in TOTP, passkey support, browser integration
- No business model to rot, no boardroom to watch
mind the
- You own sync, backups, and recovery: lose the file and master password, lose everything
- No official mobile app (third-party KeePass apps fill in)
- Less convenient for sharing credentials with family

Proton Pass
the ecosystem pick
🇨🇭 switzerland · open-source clients · e2ee · built-in aliasing · free tier · ~€2/mo
Part of the Proton suite, with open-source clients and end-to-end
encryption across the board. The standout feature is built-in
email aliasing (hide-my-email aliases): every login can get a
unique forwarding address generated right next to its password, no
separate alias service required. If
you're already on Proton Mail, Drive, or VPN, Pass slots into the same
account and billing with zero extra setup.
good
- Open-source apps across every platform
- Built-in email aliasing (hide-my-email aliases) on top of password storage
- Integrates cleanly with the rest of the Proton ecosystem
- Usable free tier; cheap as an add-on to an existing Proton plan
mind the
- Younger product than 1Password or Bitwarden, smaller third-party audit history so far
- Most natural fit if you're already in the Proton ecosystem; less of a draw standalone
- No self-hosting option
at a glance
prices are ballpark annual rates; check the provider before you commit.
worth knowing
The master passphrase is the whole game. Make it long and
memorable: four or five words chosen at random from a large list beats
P@ssw0rd2026! by miles, because strength comes from how many equally likely
candidates an attacker must try, and leetspeak substitutions on a dictionary
word are already in every cracking wordlist.
Write it down and store the paper somewhere physically safe until it sticks.
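The "four or five random words" advice, as an added example in Python (not code from this page or from any product on it). It generates a passphrase from a wordlist with the OS CSPRNG and puts numbers on the claim: entropy per word is log2 of the list size, so the word count needed for a target strength falls straight out. The 32-word list embedded here is constructed so the script runs offline; a real generator should load a large published list such as the EFF long list, whose size (7776) is the only fact about it the code relies on. The guess rates in the demo are assumptions used for comparison, not measurements.

```python
"""Diceware-style master passphrase generator with an entropy estimate.

Added example; it is not code from any product on this page. WORDS below
is a constructed 32-word stand-in so the script runs offline. A real
generator loads a large published list such as the EFF long list (7776
words): entropy per word is log2(list size), nothing else, so 32 words
give only 5 bits per word while 7776 give about 12.9.
"""
import math
import secrets

# Constructed stand-in wordlist (32 entries = exactly 5 bits per word).
WORDS = [
    "anchor", "basil", "canyon", "dune", "ember", "falcon", "glacier", "harbor",
    "ivory", "juniper", "kettle", "lantern", "meadow", "nectar", "orbit", "pebble",
    "quartz", "raven", "saddle", "timber", "umbrella", "velvet", "walnut", "xenon",
    "yarrow", "zephyr", "cobalt", "drift", "fennel", "gravel", "hollow", "iris",
]

EFF_LONG_LIST_SIZE = 7776  # 6^5, the size of the EFF long wordlist
SECONDS_PER_YEAR = 365.25 * 86400


def entropy_bits(list_size: int, word_count: int) -> float:
    """Entropy of word_count words drawn uniformly and independently from list_size."""
    if list_size < 2 or word_count < 1:
        raise ValueError("need at least two words in the list and one word in the phrase")
    return word_count * math.log2(list_size)


def words_for(target_bits: float, list_size: int) -> int:
    """Smallest number of words that reaches target_bits on a list of list_size."""
    return math.ceil(target_bits / math.log2(list_size))


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case (full keyspace) time for an attacker at a given guess rate.

    Guess rate is the lever a slow KDF pulls: the same passphrase survives
    far longer behind PBKDF2/Argon2 than behind a fast hash.
    """
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


def generate(word_count: int = 5, wordlist: list[str] = WORDS, separator: str = " ") -> str:
    """Pick words with the OS CSPRNG. `random.choice` would be a bug here:
    its Mersenne Twister state is recoverable from observed outputs."""
    if word_count < 1:
        raise ValueError("word_count must be positive")
    return separator.join(secrets.choice(wordlist) for _ in range(word_count))


if __name__ == "__main__":
    phrase = generate(5)
    print(phrase, f"({entropy_bits(len(WORDS), 5):.1f} bits on this toy list)")
    print("words needed for 64 bits on the EFF list:", words_for(64, EFF_LONG_LIST_SIZE))
    for rate in (1e10, 1e4):  # assumed rates: fast hash vs. slow KDF, guesses per second
        print(f"5 EFF words at {rate:.0e} guesses/s: "
              f"{years_to_exhaust(entropy_bits(EFF_LONG_LIST_SIZE, 5), rate):.0f} years worst case")
```

On the EFF list five words come to about 64.6 bits and seven reach 80; on the toy list above five words are only 25 bits, which is the whole argument for a big list. The separator carries no entropy, so pick whatever is easiest to type on a phone.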
Protect the vault with 2FA. A hardware key or TOTP app on the
manager itself means a phished master password still isn't enough to sign in
to the sync service. Note the limit: 2FA gates the account login, it does not
strengthen the encryption of a vault copy an attacker already holds, which is
why the passphrase still matters. See
2FA & Hardware Keys.
Keep a vendor-proof backup. Export your vault to an encrypted
KeePassXC database every few months and store it locally. Companies get
acquired, policies change, accounts get locked; a local copy turns all of
those from emergencies into inconveniences.
Save the recovery kit. Most managers generate recovery codes or
an emergency sheet at signup. Print it. The most common way people lose a vault
isn't hackers, it's locking themselves out.
NordPass and Dashlane are worth knowing, not what this page steers you
toward. Both are mainstream, polished, commercial password managers,
fine reference points if you're comparing options, and not a bad place to land
if you're already invested in the NordVPN or Dashlane ecosystem. But both are
closed source and lean more on marketing than the picks above, so they don't
make this page's recommendations.