Password Managers#

Reference of password manager and credential vault products, with the encryption model, storage architecture, and sharing features. Useful for both choosing a personal vault and auditing the corporate one. For privileged-credential vaults (secrets, keys), see DevOps & CI/CD (secrets) and Identity Providers (IdPs) (PAM).

Cloud-synced consumer / SMB#

Product

Vendor

Notes

1Password

AgileBits

AES-256-GCM + Secret Key (140-bit account-bound); SRP auth; passkey-vault since 2023; SCIM on Business; SOC 2.

Bitwarden

Bitwarden

Open-source server + clients; SRP + AES-256-CBC + PBKDF2-SHA-256 (or Argon2 since 2022); self-host option; free tier; cloud SaaS.

LastPass

LastPass

SRP + AES; 2022 breach (vault export taken; weak KDF on legacy users); reputation impacted.

Dashlane

Dashlane

Argon2id; passkey-vault.

Keeper

Keeper

Zero-knowledge; SOC 2.

NordPass

Nord Sec.

XChaCha20.

RoboForm

Siber Systems

Long-running.

Sticky Password

Lamantine

Owned by AVAST.

Enpass

Sinew Software

BYO storage (iCloud / Dropbox / WebDAV); local DB.

Norton Password Mana ger

Gen Digital

Bundled with Norton.

Avast Passwords

Avast

Sunset 2022.

True Key

Intel / McAfee

Sunset 2024.

Brave Password Manag er

Brave

Browser-built-in.

Apple Passwords

Apple

macOS / iOS / Windows; iCloud Keychain + passkeys; standalone app in 2024.

Google Password Mana ger

Google

Bundled with Chrome / Android.

Microsoft Authentic a tor

Microsoft

Bundled with Edge / Authenticator app; integrates Entra ID.

Samsung Pass

Samsung

Galaxy-only.

Self-hosted / open-source#

Product

Org

Notes

Bitwarden Self-Hosted

Bitwarden

Official Docker; the gold-standard self-host.

Vaultwarden

community

Rust reimpl of Bitwarden server (fka bitwarden_rs); single binary; great for personal self-host.

KeePass

Dominik Reichl

Open-source; .kdbx file; forks (KeePassXC, KeeWeb, KeePass2Android, MacPass).

KeePassXC

KeePassXC

Cross-platform KeePass fork; YubiKey HMAC challenge-response; SSH agent.

KeeWeb

KeeWeb

Web + Electron client.

Padloc

Padloc

Open-source SaaS / self-host.

Passbolt

Passbolt

Team-focused open-source; OpenPGP; LAMP.

Psono

Psono

Open-source enterprise; self-host.

Teampass

Teampass

Self-host PHP team vault.

SysPass

SysPass

Self-host PHP team vault.

Pass (zx2c4)

zx2c4

GPG-encrypted file tree; Git versioning; CLI; the Unix password manager.

Gopass

Gopass

Go-based pass-compatible.

LessPass

LessPass

Stateless; site+user+master → password (BIP-39 style).

Master Password

masterpassword

ap p Stateless deterministic.

Enterprise / corporate#

Product

Vendor

Notes

1Password Business

AgileBits

SCIM + audit + advanced policies + travel mode + passkey vault.

Bitwarden Enterprise

Bitwarden

Self-host or cloud; enterprise SSO; audit.

LastPass Business

LastPass

Enterprise tier.

Keeper Enterprise

Keeper

KeeperPAM bolt-on; secrets manager.

Dashlane Business

Dashlane

SSO + admin console.

Microsoft Entra ID Passwords

Microsoft

Bundled with Entra plans.

RoboForm Business

Siber

Enterprise tier.

NordPass Business

Nord Sec.

SSO + audit.

Privileged Access (PAM)#

See Identity Providers (IdPs) (“PAM / privileged access”) for CyberArk PAS, BeyondTrust, Delinea, Teleport, StrongDM, HashiCorp Vault, etc.

Encryption / KDF#

Tech

Notes

PBKDF2-SHA-256

Default in many vaults; iteration count matters; legacy (LastPass < 2018 had 5k iterations).

Argon2id

Memory-hard; the modern default; Bitwarden / KeePassXC default since 2022.

scrypt

Memory-hard; older choice; KeePass2.

AES-256-CBC + HMAC

Bitwarden + KeePass.

AES-256-GCM

1Password + others.

XChaCha20-Poly1305

NordPass.

SRP-6a

Augmented PAKE; 1Password / Bitwarden auth.

OPAQUE / PAKE

IETF aPAKE; emerging.

SQLCipher

Encrypted SQLite (e.g. KeePass2Android).

Hardware key wrap

Yubikey HMAC-SHA1 challenge-response (KeePassXC); Secure Enclave (1Password / Apple Passwords); TPM (Windows Hello).

Passkey storage

FIDO2 credentials stored in vault (1Password 8, Bitwarden, Apple Passwords, Google Password Manager).

Common attacks#

Attack

Notes / mitigation

Master-password phish

AiTM phishing of vault login; FIDO2-based MFA on vault account is the strongest mitigation.

Vault export theft

LastPass-2022 model: encrypted vault stolen; legacy weak KDF was exploitable. Iterate to Argon2id; rotate high-value secrets.

Browser-extension attack

Malicious extension in same browser can read vault DOM; use desktop app + autofill only via system shortcut.

Clipboard sniff

Auto-clear clipboard after 30s; prefer per-field paste.

Memory dump

Vault memory holds plaintext while unlocked; lock on screensaver.

Backup theft

Encrypted backup file -> offline brute-force; use long passphrase + Argon2.

Cloud breach

Provider-side breach (LastPass): assume vault metadata leaks (URLs, usernames). Rotate sensitive site passwords.

Rubber-hose / coercio n

Travel mode (1Password) hides vaults; duress passwords (KeePass).

Operator notes#

  • Standardize on one vault, per-team vault sprawl is the leading cause of leaked-secrets-in-Slack incidents.

  • Use FIDO2 / passkey + master passphrase on the vault itself; SMS / TOTP-only is no longer sufficient.

  • Rotate the master passphrase when a high-trust endpoint is replaced; never reuse the master across services.

  • Iteration counts, check legacy entries; 600k PBKDF2 / Argon2id is the floor (OWASP 2023).

  • Vault metadata leaks more than people realize, URLs, notes, attachment file names. Treat URL lists as PII.

  • Self-hosted vaults: backups + offsite + threat-model the host (Vaultwarden on a single VPS = single point of total compromise).

  • Family sharing vs team sharing, different audit profiles; team sharing should require admin approval.

  • Audit + logging: 1Password / Bitwarden Business have full event logs; ship to SIEM.

  • Passkey storage: vault-stored passkeys cross-sync but also re-introduce vault-compromise risk to once-distinct per-device credentials.

References#