How to choose a password manager

The right password manager is one you'll actually use. This guide focuses on the seven decisions that matter — not feature counts.

By Ana Kovács · Senior Privacy Analyst
Reviewed by Lena Park · Cybersecurity Editor

Quick answer

Pick a password manager based on five things: open-source vs proprietary, end-to-end encryption with zero-knowledge architecture, cross-device sync, breach-monitoring capability, and emergency access. The major reputable options in 2026 are Bitwarden (open-source, free tier sufficient for most), 1Password (proprietary, best polish), and Proton Pass (open-source, bundled with Proton suite). Avoid browser-only password storage as your primary; use a dedicated manager.

Key takeaways

  • Pick on architecture (open-source / E2E / zero-knowledge), not feature counts.
  • Bitwarden, 1Password, and Proton Pass are the safe defaults in 2026.
  • Avoid LastPass after the 2022-2023 breach pattern; avoid lifetime deals.
  • Set up emergency access the day you start.
  • Don't use only browser-built-in password storage as your primary manager.

Open-source vs proprietary

Open-source password managers (Bitwarden, KeePassXC, Proton Pass) let security researchers audit the code. When a vulnerability is found, you can verify it's been patched.

Proprietary managers (1Password, Dashlane) keep their source code closed, so outside researchers cannot audit it freely, but the major ones publish independent third-party audits and have strong security teams.

For most readers, either choice is defensible. Open-source is the safer default if you want to avoid trust dependencies; proprietary is fine if you trust the vendor's security record.

End-to-end encryption + zero-knowledge

Your master password should never leave your device. The vendor should be unable to decrypt your vault even if compelled by a court order.

This is called zero-knowledge architecture. Every reputable password manager has it. If a vendor talks about 'easy password recovery' or 'we can reset your master password,' run — that means they have access to your vault.

The trade-off: if you forget your master password, you lose your vault. Most managers offer recovery codes, biometric backup, or family-account recovery; understand which applies before relying on it.
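The split described above, as an added sketch that is not from the original article or any vendor's code: keys are derived from the master password on the device, and the vendor stores only a login verifier and ciphertext. Function names, the iteration count and the sample vault are assumptions, and the HMAC-based stream is a standard-library stand-in for a real cipher such as AES.

```python
import hashlib, hmac, os

ITERATIONS = 200_000  # assumed work factor for this sketch

def derive_keys(master_password: str, email: str):
    """Runs on the device only; the master password is never transmitted."""
    pw = master_password.encode()
    master_key = hashlib.pbkdf2_hmac("sha256", pw, email.lower().encode(), ITERATIONS)
    # One more one-way step gives the login verifier; it cannot be reversed to master_key.
    auth_hash = hashlib.pbkdf2_hmac("sha256", master_key, pw, 1)
    enc_key = hmac.new(master_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"mac", hashlib.sha256).digest()
    return auth_hash, enc_key, mac_key

def _xor_stream(data: bytes, enc_key: bytes, nonce: bytes) -> bytes:
    # HMAC-SHA256 in counter mode: a stdlib-only stand-in for a real cipher such as AES.
    stream = b""
    for counter in range(len(data) // 32 + 1):
        stream += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def enroll(master_password: str, email: str, vault: bytes) -> dict:
    """Returns everything the vendor stores: a login verifier and ciphertext."""
    auth_hash, enc_key, mac_key = derive_keys(master_password, email)
    nonce = os.urandom(16)
    body = nonce + _xor_stream(vault, enc_key, nonce)
    tag = hmac.new(mac_key, body, hashlib.sha256).digest()  # encrypt-then-MAC
    return {"email": email, "auth_hash": auth_hash, "vault": body + tag}

def unlock(record: dict, master_password: str) -> bytes:
    """Device side: re-derive the keys and decrypt; fails without the right password."""
    _, enc_key, mac_key = derive_keys(master_password, record["email"])
    body, tag = record["vault"][:-32], record["vault"][-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, body, hashlib.sha256).digest()):
        raise ValueError("wrong master password or tampered vault")
    return _xor_stream(body[16:], enc_key, body[:16])

if __name__ == "__main__":
    # Constructed sample vault and password.
    rec = enroll("correct horse battery staple", "user@example.test", b'{"bank": "hunter2"}')
    print(rec["vault"].hex())  # all the vendor ever holds
    print(unlock(rec, "correct horse battery staple"))
```

Nothing in the stored record lets the vendor rebuild the keys, which is also why a forgotten master password cannot be reset from the server side.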

Cross-device sync

You'll use this on phone, laptop, and possibly tablet. Sync needs to work seamlessly across all three.

Cloud-sync (Bitwarden cloud, 1Password cloud) is convenient. Self-hosted options (Bitwarden self-hosted, KeePassXC + Syncthing/Nextcloud) trade convenience for full data control.

Test sync during your trial: change a password on your phone and confirm it appears on your desktop within seconds. Lag here becomes a daily annoyance.

Browser integration quality

You'll use the password manager mostly through browser extensions. Integration quality varies hugely.

1Password and Bitwarden have polished extensions for Chrome, Firefox, Edge, and Safari. KeePassXC requires a separate browser bridge that's less seamless.

Test: visit 5 sites you log into, watch for autofill behavior. Does it correctly identify the username field? The password field? Does it offer to save new passwords reliably?

Breach monitoring & dark web alerts

Modern managers integrate with Have I Been Pwned to warn you when one of your accounts appears in a known breach.

Bitwarden, 1Password, and Proton Pass all do this. The free tiers vary on whether this is included or paid.

This isn't a primary buying factor but it's a meaningful nice-to-have.
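Have I Been Pwned also offers a password range lookup that checks a password against breach data without sending the password or its full hash: the client sends only the first five hex characters of the SHA-1 hash and matches the rest locally. The sketch below is an added example, not from the original article or any vendor's code; the corpus, counts and function names are constructed, and a local function stands in for the real service.

```python
import hashlib

def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

# Constructed breach corpus standing in for the service's data: hash -> times seen.
CORPUS = {sha1_hex("Summer2024!"): 1873, sha1_hex("letmein"): 52011}

def range_server(prefix: str) -> str:
    """Server side: sees only 5 hex characters, returns every suffix under that prefix."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    rows = [f"{h[5:]}:{n}" for h, n in CORPUS.items() if h.startswith(prefix.upper())]
    rows.append("0" * 35 + ":0")  # padding row (count 0), not a real hit
    return "\r\n".join(rows)

def times_breached(password: str, lookup=range_server) -> int:
    """Client side: hash locally, send the prefix, match the suffix locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix and count.isdigit():
            return int(count)  # 0 for a padding row
    return 0

if __name__ == "__main__":
    for pw in ("Summer2024!", "a-long-unique-passphrase-7421"):
        print(pw, "->", times_breached(pw))
```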

Emergency access / family sharing

What happens to your password vault if you're hospitalized or worse?

1Password and Bitwarden offer emergency access — you designate trusted contacts who can request access; you can approve immediately or after a delay.

Family plans let you share specific items (Wi-Fi password, streaming logins) without sharing your whole vault.

Set this up the day you start using the manager. The whole point of preparation is that you don't get to plan when emergencies happen.

The decision matrix for 2026

For most readers: Bitwarden Free or Bitwarden Premium ($10/year). Open-source, audited, complete feature set, generous free tier.

For polish and ecosystem: 1Password ($36/year individual). Best UX, smoothest integrations, slightly higher price.

If you already use Proton: Proton Pass (free with any Proton plan). Open-source, bundled with email and VPN.

For high-control users: KeePassXC + your own sync. Free, fully local, requires more setup.

Avoid: LastPass (multiple major breaches 2022-2023; trust damaged) and browser built-in storage as your primary manager (not portable, not as secure).

Frequently asked questions

Is the free Bitwarden tier really enough?

Yes, for most users. It includes unlimited passwords, unlimited devices, and basic 2FA storage. Premium ($10/year) adds advanced 2FA, file attachments, and breach monitoring.

Is 1Password worth the higher price?

If you find Bitwarden's interface frustrating and you'll actually use a tool with better UX more consistently, yes. Daily-use comfort matters more than pricing for tools you depend on.

What about LastPass?

LastPass had multiple serious breaches in 2022-2023, including encrypted vault data being exfiltrated. Even with the encryption, that's the wrong category of incident for a password manager. We don't recommend LastPass.

Should I use my browser's built-in password manager?

As a backup for low-stakes accounts, OK. As your primary, no. Browser managers tie you to one ecosystem (Chrome's manager doesn't work in Firefox), have weaker phishing detection, and lack the audit trail of a dedicated tool.

What about hardware password managers?

OnlyKey and similar hardware tokens are useful for the most security-conscious users, but the operational overhead is significant. For 99% of readers, a software password manager + a YubiKey for 2FA is a stronger and more practical setup.

Ana Kovács · Senior Privacy Analyst

Ana has spent 9 years writing about consumer privacy, encryption protocols, and secure remote-work setups.
