Password Manager Lab

Tools

The password managers and supporting tools we test and reference — with an honest take on each. We compare on security architecture, not marketing. Free tiers noted where relevant.

Interactive tool

Password Manager Matcher by Threat Model →

A questionnaire (threat tier, self-host vs cloud, platforms, family, passkeys, open-source, budget, recovery) that ranks 12 managers with a transparent reason chip for every match and violation, plus hardening tips for your top pick.

Password Managers We Test

Bitwarden

License: open-source (GPL/AGPL core). Price: free tier; paid ~$10/yr.

Open-source, audited, zero-knowledge manager with cross-platform clients and an optional self-hosted/Vaultwarden path.

Our take

Our default recommendation for most people: open source, independently audited, generous free tier. We still judge it on its KDF settings (raise the Argon2 parameters above the legacy defaults) rather than on reputation.

KeePassXC

License: open-source (GPL). Price: free.

Local-only, open-source vault using the KDBX format with Argon2. No vendor cloud — you own the file.

Our take

The pick when you want zero third-party trust. The trade-off is real: sync and backup become your job, which we treat as a usability cost, not a security flaw.

1Password

License: proprietary. Price: paid (~$36/yr individual).

Polished proprietary manager with a Secret Key layered on top of the master password and regular third-party audits.

Our take

Strong architecture and the smoothest UX we test. Closed source is the honest caveat; the Secret Key meaningfully raises the brute-force bar in exchange.

Proton Pass

License: open-source clients. Price: free tier; paid bundles.

Zero-knowledge manager with built-in email aliasing, from the Proton ecosystem.

Our take

Credible newer entrant; integrated aliasing is a genuine privacy plus. We weigh it on audit history and maturity, which trail the longer-established options.

Self-Hosting & Sync

Vaultwarden

License: open-source (AGPL). Price: free.

A lightweight Bitwarden-compatible server you run yourself, keeping encrypted vault data off third-party infrastructure.

Our take

Excellent for keeping sync in-house with Bitwarden clients. Self-hosting moves backup and uptime onto you — fine if you'll actually maintain it.

Verification & Hygiene

Have I Been Pwned

Type: free service. Price: free.

Checks email addresses and passwords against known breach corpora; password lookups use a privacy-preserving k-anonymity API.

Our take

The reference breach source many managers' monitoring is built on. Useful, but it's a backstop — unique generated passwords are the actual fix.

FIDO2 security key (e.g., YubiKey)

Type: hardware. Price: ~$25–$60.

A hardware token for phishing-resistant 2FA on the password manager account itself.

Our take

The strongest practical protection for the vault's sync account. We score managers up for supporting FIDO2 on the account, not just storing TOTP for other sites.