Password Managers#
Reference of password manager and credential vault products, with the encryption model, storage architecture, and sharing features. Useful for both choosing a personal vault and auditing the corporate one. For privileged-credential vaults (secrets, keys), see DevOps & CI/CD (secrets) and Identity Providers (IdPs) (PAM).
Cloud-synced consumer / SMB#
Product |
Vendor |
Notes |
|---|---|---|
1Password |
AgileBits |
AES-256-GCM + Secret Key (140-bit account-bound); SRP auth; passkey-vault since 2023; SCIM on Business; SOC 2. |
Bitwarden |
Bitwarden |
Open-source server + clients; SRP + AES-256-CBC + PBKDF2-SHA-256 (or Argon2 since 2022); self-host option; free tier; cloud SaaS. |
LastPass |
LastPass |
SRP + AES; 2022 breach (vault export taken; weak KDF on legacy users); reputation impacted. |
Dashlane |
Dashlane |
Argon2id; passkey-vault. |
Keeper |
Keeper |
Zero-knowledge; SOC 2. |
NordPass |
Nord Sec. |
XChaCha20. |
RoboForm |
Siber Systems |
Long-running. |
Sticky Password |
Lamantine |
Owned by AVAST. |
Enpass |
Sinew Software |
BYO storage (iCloud / Dropbox / WebDAV); local DB. |
Norton Password Mana ger |
Gen Digital |
Bundled with Norton. |
Avast Passwords |
Avast |
Sunset 2022. |
True Key |
Intel / McAfee |
Sunset 2024. |
Brave Password Manag er |
Brave |
Browser-built-in. |
Apple Passwords |
Apple |
macOS / iOS / Windows; iCloud Keychain + passkeys; standalone app in 2024. |
Google Password Mana ger |
Bundled with Chrome / Android. |
|
Microsoft Authentic a tor |
Microsoft |
Bundled with Edge / Authenticator app; integrates Entra ID. |
Samsung Pass |
Samsung |
Galaxy-only. |
Self-hosted / open-source#
Product |
Org |
Notes |
|---|---|---|
Bitwarden Self-Hosted |
Bitwarden |
Official Docker; the gold-standard self-host. |
Vaultwarden |
community |
Rust reimpl of Bitwarden server (fka bitwarden_rs); single binary; great for personal self-host. |
KeePass |
Dominik Reichl |
Open-source; .kdbx file; forks (KeePassXC, KeeWeb, KeePass2Android, MacPass). |
KeePassXC |
KeePassXC |
Cross-platform KeePass fork; YubiKey HMAC challenge-response; SSH agent. |
KeeWeb |
KeeWeb |
Web + Electron client. |
Padloc |
Padloc |
Open-source SaaS / self-host. |
Passbolt |
Passbolt |
Team-focused open-source; OpenPGP; LAMP. |
Psono |
Psono |
Open-source enterprise; self-host. |
Teampass |
Teampass |
Self-host PHP team vault. |
SysPass |
SysPass |
Self-host PHP team vault. |
Pass (zx2c4) |
zx2c4 |
GPG-encrypted file tree; Git versioning; CLI; the Unix password manager. |
Gopass |
Gopass |
Go-based pass-compatible. |
LessPass |
LessPass |
Stateless; site+user+master → password (BIP-39 style). |
Master Password |
masterpassword |
ap p Stateless deterministic. |
Enterprise / corporate#
Product |
Vendor |
Notes |
|---|---|---|
1Password Business |
AgileBits |
SCIM + audit + advanced policies + travel mode + passkey vault. |
Bitwarden Enterprise |
Bitwarden |
Self-host or cloud; enterprise SSO; audit. |
LastPass Business |
LastPass |
Enterprise tier. |
Keeper Enterprise |
Keeper |
KeeperPAM bolt-on; secrets manager. |
Dashlane Business |
Dashlane |
SSO + admin console. |
Microsoft Entra ID Passwords |
Microsoft |
Bundled with Entra plans. |
RoboForm Business |
Siber |
Enterprise tier. |
NordPass Business |
Nord Sec. |
SSO + audit. |
Privileged Access (PAM)#
See Identity Providers (IdPs) (“PAM / privileged access”) for CyberArk PAS, BeyondTrust, Delinea, Teleport, StrongDM, HashiCorp Vault, etc.
Encryption / KDF#
Tech |
Notes |
|---|---|
PBKDF2-SHA-256 |
Default in many vaults; iteration count matters; legacy (LastPass < 2018 had 5k iterations). |
Argon2id |
Memory-hard; the modern default; Bitwarden / KeePassXC default since 2022. |
scrypt |
Memory-hard; older choice; KeePass2. |
AES-256-CBC + HMAC |
Bitwarden + KeePass. |
AES-256-GCM |
1Password + others. |
XChaCha20-Poly1305 |
NordPass. |
SRP-6a |
Augmented PAKE; 1Password / Bitwarden auth. |
OPAQUE / PAKE |
IETF aPAKE; emerging. |
SQLCipher |
Encrypted SQLite (e.g. KeePass2Android). |
Hardware key wrap |
Yubikey HMAC-SHA1 challenge-response (KeePassXC); Secure Enclave (1Password / Apple Passwords); TPM (Windows Hello). |
Passkey storage |
FIDO2 credentials stored in vault (1Password 8, Bitwarden, Apple Passwords, Google Password Manager). |
Common attacks#
Attack |
Notes / mitigation |
|---|---|
Master-password phish |
AiTM phishing of vault login; FIDO2-based MFA on vault account is the strongest mitigation. |
Vault export theft |
LastPass-2022 model: encrypted vault stolen; legacy weak KDF was exploitable. Iterate to Argon2id; rotate high-value secrets. |
Browser-extension attack |
Malicious extension in same browser can read vault DOM; use desktop app + autofill only via system shortcut. |
Clipboard sniff |
Auto-clear clipboard after 30s; prefer per-field paste. |
Memory dump |
Vault memory holds plaintext while unlocked; lock on screensaver. |
Backup theft |
Encrypted backup file -> offline brute-force; use long passphrase + Argon2. |
Cloud breach |
Provider-side breach (LastPass): assume vault metadata leaks (URLs, usernames). Rotate sensitive site passwords. |
Rubber-hose / coercio n |
Travel mode (1Password) hides vaults; duress passwords (KeePass). |
Operator notes#
Standardize on one vault, per-team vault sprawl is the leading cause of leaked-secrets-in-Slack incidents.
Use FIDO2 / passkey + master passphrase on the vault itself; SMS / TOTP-only is no longer sufficient.
Rotate the master passphrase when a high-trust endpoint is replaced; never reuse the master across services.
Iteration counts, check legacy entries; 600k PBKDF2 / Argon2id is the floor (OWASP 2023).
Vault metadata leaks more than people realize, URLs, notes, attachment file names. Treat URL lists as PII.
Self-hosted vaults: backups + offsite + threat-model the host (Vaultwarden on a single VPS = single point of total compromise).
Family sharing vs team sharing, different audit profiles; team sharing should require admin approval.
Audit + logging: 1Password / Bitwarden Business have full event logs; ship to SIEM.
Passkey storage: vault-stored passkeys cross-sync but also re-introduce vault-compromise risk to once-distinct per-device credentials.