Password Managers

Mike's Notes

I have used Avast password manager; it was reliable, but it's useless now.

What is the best password manager? I found this discussion on Reddit with a comparison table. NordPass got the highest ranking. Some of the debate is copied below.


Last Updated

23/05/2025

I made a Comparison Table to find the Best Password Manager

By: barnabebro
Reddit: 28/08/2024

Hey everyone! Recently I started thinking about purchasing a password manager for my family and myself. With all the cyber threats going around recently (did you know that a random, eight-character password can be hacked within eight hours?), I am starting to lose all trust in saving my password anywhere else.

After brief research, I don’t know why, but I was very surprised about how many different options we have here. And boy, it is hard to choose the one you like at first sight, or to know which product is legitimate and which is just the work of an excellent marketing team.

So I took some time over the past few days and did in-depth research myself (my inner nerd was very happy about it). I thought that I would share it with you as well.

The top criteria I was looking for:

Privacy features: I looked mainly into 4 different areas (MFA, Biometrics, Data Breach alert, and Encryption) as it was most important for me, and made a separate table for them as well, evaluating them numerically.

Credit card safety: Another feature I was looking for was saving a credit card. As I shop online quite often, I wanted to have my credit card details on hand and autofill them instantly and still feel safe about it.

Password health check: I think it is a great feature to see if my passwords are easy to hack as sometimes I am not as creative as I think I am with my passwords. I guess the password generator feature will be helpful in this area too.

Here is the Comparison Table.

As it was done for my own research, let me know if there are other brands that you think I should include. Also feel free to suggest any other criteria for the table. Let’s make this as helpful as it can be for everyone like me who has no idea how to choose the best password manager out here.

***

Table updated on 2024-08-28. Edits made: prices and features of some of the providers updated, new provider added.

Discussion

fdbryant3 - 2 years ago

This turned out to be a lot longer than I thought it would be when I started. So I want to preface this by saying kudos to you for making this and it is certainly a lot more than I have ever done (and probably better done than I would have). Please take all of the following as constructive criticism and feel free to implement or ignore as you see fit.

A criterion I would add to the privacy score is whether or not the password manager is open-source or closed-source, with points being given for being open-source (personally I consider this a top criterion for security apps). More points should be given if the password manager is regularly audited by independent 3rd parties.

Another criterion I would consider is if the password manager is the only product made by a developer or part of a suite of products they offer (whether or not related to password management and security). The reason is if the password manager is part of a suite then its development must be balanced against the resources and priorities of the other products.

Personally, I wouldn't factor in Data Breach Alerts as those are easily available elsewhere and more of a convenience than a password manager function (to be fair I'm a little salty as it is dragging down my preferred password manager Bitwarden, which is apparently the only one not to offer it). I would reclassify it, along with VPN, file storage, and other not-really password management features (such as Bitwarden's Send feature or the ability to generate TOTP authentication codes) as miscellaneous or bonus features and then I guess quantify how useful you think they are (which is of course totally subjective) or don't quantify them at all and just let people know they are there.

Something else to look for is if the password manager has backup/export functions. Can backups be generated encrypted and unencrypted? Can it import/export to/from other password managers?

Can you access the passwords from a web browser (not using an extension)?

Does the password manager have a password generator? If so can it also generate passphrases? Can it generate logins and integrate with services like addy.io to anonymize your email address?

I would also note which password managers support the superior Argon2 key derivation function (KDF) as an alternative to PBKDF2 and give weight to that. Ideally, Argon2 should now be the default KDF when setting up a new account. I would rank this in your privacy score (more on this in a bit).

Password sharing and passkeys are not the same thing. For instance, Bitwarden does support password sharing but currently does not support passkeys (passkeys should hopefully be supported within the next month). I would separate them into two different criteria. Right now I wouldn't weigh passkeys too highly as it is very new, and not widely supported across the Internet yet (and will probably be a bit before they are if widely supported at all). Mostly I would want to know if the password manager plans to support them if they don't already.

I would note which browsers they have extensions for - specifically Chrome, Firefox, Edge, and Safari. Since almost every other browser uses one of those engines (most of them being Chromium) it can probably be assumed they will be supported whether listed or not.

I'm a little confused by what you mean by "service is using more than 2 authentication factors". Do you mean it supports using more than 2 steps during login or has multiple types of 2FA methods? For instance, you gave Bitwarden a 3 even though it supports FIDO2 WebAuthn, TOTP (authenticator apps), email, as well as security keys and Duo Security through its premium tier. Meanwhile, you give NordPass a 5 even though it only offers security keys, TOTP, and recovery codes (which technically Bitwarden does as well if you consider that a 2FA method). Bitwarden also supports passwordless login with a device (i.e. a passkey for Bitwarden) which by default is 2FA (although not two-step) login whereas NordPass currently does not (they are working on it).

...

I do not understand your encryption scores. You gave Bitwarden a 5 for listing AES-256+salting+PBKDF2-SHA256, Zoho Vault a 3 for AES-256, Keeper a 5 even though you only list AES-256, and LastPass a 4 even though it is also listed with AES-256+PBKDF2-SHA256 salting. To be honest you don't really need to mention salting because I would be surprised if any were not doing it whether they mention it in the marketing or not (you'd have to read through the white papers to figure out if they are or not, but I'd just assume they are) and salting is part of the KDF functions. I would revamp this score to consider the following:

  • Encryption Protocol: This is really just informational as long as they are using a recognized standard modern encryption protocol and not something either outdated or rolling their own.
  • KDF Function options: PBKDF2, Argon2 (with Argon2id being ranked higher).
  • Default KDF Function: More points for having Argon2 as the default upon account creation.
  • Default number of iterations for PBKDF2: a minimum of 600,000; anything less should be ranked lower.
  • Default settings for Argon2id (you actually probably don't need to worry about this): minimum configuration of 19 MiB of memory, an iteration count of 2, and 1 degree of parallelism.

So for Bitwarden, I might give a score of 8:

  • 1 point for AES-256
  • 1 point for PBKDF2
  • 1 point for PBKDF2 default 600,000 iterations (the minimum recommendation)
  • 2 points for Argon2id (as opposed to 1 point if it was just Argon2, Argon2i, or Argon2d)
  • 2 points for Argon2id defaults exceeding OWASP minimum recommendations (1 for meeting, one for exceeding)
  • 1 point for PBKDF2 being the default KDF on account creation (I would have given 2 points if Argon2id was the default)

Whereas for LastPass I would give a score of 4:

  • 1 point for AES-256
  • 1 point for PBKDF2
  • 1 point for PBKDF2 default 600,000 iterations (the minimum recommendation)
  • 0 points for Argon2 (currently not supported but being worked on)
  • 1 point for PBKDF2 being the default KDF

Personally, I would remove LastPass from the list due to the security breach last year which resulted in password vaults being stolen (and to my knowledge, they are the only password manager to suffer such a breach). On top of that, some of those vaults have been cracked because they did not update security settings such as the PBKDF2 iteration counts on those vaults. While all that is bad, what really makes them dead to me is that the way they have communicated information about the breach (it basically dripped out over months) was and remains unsatisfactory (to my knowledge they never notified specific users whose vaults might have been stolen). That said, they probably have fixed everything that contributed to this breach (but they are a closed-source password manager, so how do we know), so if you want to include them that is up to you, but they need an asterisk or score dropped to zero or something.

On the topic of security breaches, you might want to try to research (I would do a 1st-page search engine search and check the Wikipedia page for anything in the last 3 years) and score like this:

  • 4 - no reported security breaches found on the 1st page of a search engine search or noted in Wikipedia within the last 3 years (or whatever time frame you think relevant)
  • 3 - reported security incidents that did not result in access or stolen user data
  • 2 - reported security breaches where user data was accessed or stolen but not password vaults.
  • 1 - reported security breaches where the password vault is stolen
  • 0 - reported security breach where the vault was stolen and reportedly cracked

Password managers have different options at different tiers. For instance, Bitwarden has unlimited entries on its free tier, whereas Dashlane recently limited the number of entries on the free tier to 25 (I think, I know it was limited and do not feel like looking it up). Another example is Bitwarden allows you to access your password vault from any device on the free tier whereas LastPass only allows you to access it from mobile devices or computers on the free tier. If you don't want to break it down to that level of detail I would put a note that you are comparing across the top premium tiers.

As someone else noted you should add ProtonPass. I would also consider KeePass although you would also have to note whether or not a password manager is cloud-based or natively offline. If you want to include it for kicks and giggles you might compare password managers to a spreadsheet/piece of paper.
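The encryption-score rubric fdbryant3 proposes above, written out as a scoring function. This is an added example, not code from the thread or from any vendor; the two profiles are constructed from the points the comment lists for Bitwarden and LastPass, and the Argon2id default parameters given for Bitwarden are assumed values for illustration, not vendor documentation.

```python
"""Scoring function for the KDF/encryption rubric in the comment above.

Added example. Profiles are constructed; vendor defaults are assumptions.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# OWASP minimum Argon2id configuration quoted in the comment:
# 19 MiB of memory, 2 iterations, parallelism 1. Memory is held in KiB.
OWASP_ARGON2ID_MIN: Tuple[int, int, int] = (19 * 1024, 2, 1)
PBKDF2_MIN_ITERATIONS = 600_000
RECOGNIZED_CIPHERS = {"AES-256"}   # the only cipher the thread discusses


@dataclass
class KdfProfile:
    cipher: str
    supports_pbkdf2: bool
    pbkdf2_default_iterations: int
    argon2_variant: Optional[str]                 # "argon2id", "argon2i", "argon2d" or None
    argon2_defaults: Optional[Tuple[int, int, int]]  # (memory_kib, iterations, parallelism)
    default_kdf: str                              # "pbkdf2" or "argon2id"


def argon2id_meets_minimum(params: Tuple[int, int, int]) -> bool:
    """Every parameter is at or above the OWASP minimum."""
    return all(p >= m for p, m in zip(params, OWASP_ARGON2ID_MIN))


def argon2id_exceeds_minimum(params: Tuple[int, int, int]) -> bool:
    """Meets the minimum and at least one parameter is strictly higher."""
    return argon2id_meets_minimum(params) and params != OWASP_ARGON2ID_MIN


def encryption_score(p: KdfProfile) -> int:
    score = 1 if p.cipher in RECOGNIZED_CIPHERS else 0
    if p.supports_pbkdf2:
        score += 1                                        # PBKDF2 offered
        if p.pbkdf2_default_iterations >= PBKDF2_MIN_ITERATIONS:
            score += 1                                    # default meets 600k
    if p.argon2_variant == "argon2id":
        score += 2                                        # Argon2id offered
        if p.argon2_defaults and argon2id_meets_minimum(p.argon2_defaults):
            score += 1                                    # meets OWASP minimum
            if argon2id_exceeds_minimum(p.argon2_defaults):
                score += 1                                # exceeds it
    elif p.argon2_variant:
        score += 1                                        # Argon2i/Argon2d only
    score += {"argon2id": 2, "pbkdf2": 1}.get(p.default_kdf, 0)
    return score


# Constructed profiles matching the comment's point breakdown (Argon2id defaults assumed).
BITWARDEN_EXAMPLE = KdfProfile("AES-256", True, 600_000, "argon2id", (64 * 1024, 3, 4), "pbkdf2")
LASTPASS_EXAMPLE = KdfProfile("AES-256", True, 600_000, None, None, "pbkdf2")
```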

RedFin3 - 2 years ago

Although it is interesting to see all these features listed on a table, I think that your approach is very much misguided and frankly wrong. A password manager is not just yet another piece of software you download. It is a critical part of your life, and security and integrity are not only paramount but they easily trump bells and whistles that a password manager may offer. It is no different from selecting a bank. Would you select a well-known bank, or would you go for a bank that few people know much about but which may offer a few more features?

The "winner" in your list is NordPass, the VPN seller known as NordVPN. Although I cannot fault them much, VPN companies in general are notoriously dodgy. I would never trust a VPN company as my password manager. Some exceptions to this would be Proton, which has a well-established reputation, and even Mullvad if they had a password manager.

As far as I am concerned, the main serious contenders are 1Password (the one I use), Bitwarden, KeePass, and Proton. LastPass, my previous password manager, has already shown that they are incompetent and liars (as they never disclosed that some data was not encrypted).

I would generally avoid any password manager that does not have its executive team on its website.

EDIT: I replaced Bitlocker with Bitwarden
