Password manager
Pick a password manager and use it for every account. Reused passwords are still the single most exploited mistake on the internet.
Easy — no install
TL;DR. Use Bitwarden. Free for individuals, open-source server code you can inspect or self-host, audited annually, works on every platform. Family plan is $3.33/month for six people — cheapest polished option in the category. The paid tier unlocks TOTP storage, emergency access, and Bitwarden Send. We earn a commission when you sign up via our Bitwarden links — doesn’t change which tool we’d pick. See /en/legal/affiliate for the full list.
What this category protects
Your entire login surface. A password manager generates a unique random password per site, stores them encrypted under one master password (plus a second factor), and auto-fills only on the matching origin. That last part is the non-obvious win — a manager that only fills on github.com kills phishing-by-lookalike-domain because it refuses to fill on github-auth.co. The user doesn’t need to spot the typo; the manager does.
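The origin rule above is the whole phishing defence, so it is worth seeing what "matching origin" actually compares. The example below is added here and is not Bitwarden's or any other vendor's code; the saved login and the candidate page URLs are constructed. It checks scheme, host and port together (the WHATWG `URL.origin` value) and puts a deliberately naive hostname-substring check beside it to show what the lookalike-domain trick relies on. Real managers make the rule configurable (Bitwarden calls it URI match detection); the exact-origin rule here is the strict end of that range.

```javascript
// Added example (not from any password manager's code base): why origin-bound
// autofill refuses lookalike domains. Plain JavaScript using the WHATWG URL class.

// Origin = scheme + host + port. Two URLs share an origin only if all three match.
// URL.origin is the string "null" for non-hierarchical schemes (data:, blob:, ...);
// treat those as having no origin so they can never match a saved login.
function originOf(urlString) {
  const u = new URL(urlString);
  return u.origin === 'null' ? null : u.origin;
}

// Strict rule: fill only when the page origin equals the saved login's origin.
// Path, query and fragment are ignored on purpose; login pages move around.
function shouldAutofill(savedUrl, pageUrl) {
  const saved = originOf(savedUrl);
  const page = originOf(pageUrl);
  return saved !== null && page !== null && saved === page;
}

// Naive "does the page hostname contain the saved hostname?" check, included
// only to show how it is fooled by a prefix label. Not a real matching rule.
function naiveMatches(savedUrl, pageUrl) {
  return new URL(pageUrl).hostname.includes(new URL(savedUrl).hostname);
}

// Constructed vault entry and candidate pages (not real accounts or live sites).
const SAVED_LOGIN_URL = 'https://github.com/login';

const PAGES = [
  'https://github.com/session',            // same origin, different path  -> fill
  'https://github.com:443/login',          // default port is normalised   -> fill
  'http://github.com/login',               // scheme downgrade             -> refuse
  'https://github-auth.co/login',          // lookalike registrable domain -> refuse
  'https://github.com.evil.example/login', // saved host as a prefix label -> refuse
  'https://gist.github.com/login',         // sibling subdomain            -> refuse (strict rule)
];

// Evaluate every candidate page under both rules so the difference is visible.
function evaluatePages(savedUrl, pages) {
  return pages.map((page) => ({
    page,
    strict: shouldAutofill(savedUrl, page),
    naive: naiveMatches(savedUrl, page),
  }));
}

for (const r of evaluatePages(SAVED_LOGIN_URL, PAGES)) {
  console.log(`${r.strict ? 'FILL  ' : 'REFUSE'}  naive=${String(r.naive).padEnd(5)}  ${r.page}`);
}
```

Only the first two pages fill. Note that the naive check says yes to `github.com.evil.example`, which is exactly the shape of a phishing hostname, while the origin comparison never looks at substrings at all.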
It also fixes reuse, which is still how most credential-stuffing breaches land. The 2024 Ticketmaster-Snowflake story, the Sisense compromise, most Okta downstream drama — all cascade because someone reused a password from a personal account on a work system. A manager makes reuse inconvenient enough that you stop doing it. It also shrinks the third-party-cookie and storage footprint of “sign in with Google” flows, because you no longer need those SSO buttons to avoid typing a long password.
This just works: Bitwarden
Open-source server code (AGPL) you can inspect or self-host with Vaultwarden, the community-maintained compatible server. End-to-end encrypted with zero-knowledge architecture — the server stores ciphertext it cannot decrypt. Apps on iOS, Android, every desktop OS via Electron or native rbw/bitwarden-cli, and every major browser. Autofill works on web, in native Android forms via accessibility service, and in iOS via the system autofill API. Passkey support across the whole stack since 2024.
Free tier covers unlimited passwords on unlimited devices with sync. Premium ($10/yr) adds TOTP, Bitwarden Send, emergency access, 1 GB of encrypted attachments. Families is $3.33/mo for six — best deal in the category. What you give up: utilitarian UI next to 1Password’s, iOS autofill needs a one-time settings trip, and self-hosting Vaultwarden is a real server setup.
Alternatives
- 1Password — slickest UI in the category. $2.99/month individual, $4.99/month family. Watchtower catches breached credentials nicely. Travel Mode hides vaults at border crossings. Not open-source, which is a dealbreaker for some; audits by Cure53 are public.
- Proton Pass — free tier with unlimited passwords and built-in SimpleLogin alias support. Good if you already pay for Proton; the alias-per-signup flow is the best in the category. Thinner feature set (no attachments, no emergency access yet), but the crypto and jurisdiction are solid.
- KeePassXC — offline-first, fully FOSS, no cloud at all. You sync the encrypted .kdbx file via Syncthing, iCloud Drive, or whatever you like. Best fit for advanced users who refuse any cloud vault. Browser integration is a separate install (keepassxc-browser).
Comparison matrix
| Manager | E2EE | FOSS | Audit | Self-host | Platforms | Price |
|---|---|---|---|---|---|---|
| Bitwarden | Yes | Server + clients | Cure53 annual | Yes (Vaultwarden) | Every | Free / $10/yr / $40/yr family |
| 1Password | Yes | No | Cure53 | No | Every | $36/yr / $60/yr family |
| Proton Pass | Yes | Clients FOSS | Securitum | Not yet | Every (mobile apps newer) | Free / Proton Unlimited |
| KeePassXC | Yes | Yes | Informal audits | DIY (you own the file) | Desktop-first; mobile via Keepass2Android/Strongbox | Free |
Common mistakes
- Reusing the master password somewhere. It must be unique. Four-word diceware + a character twist is plenty of entropy. Write it down and put it in a sealed envelope in a safe if you have to.
- Skipping 2FA on the manager itself. TOTP or a YubiKey on the account is non-negotiable — if someone phishes your master password and there’s no second factor, you’ve lost everything at once.
- TOTP seeds in the same vault as the passwords. Convenient, risky — one breach, both factors gone. Keep TOTP in Aegis or Ente Auth unless your threat model prefers consolidation.
- Trusting browser-built-in managers for anything that matters. Chrome and Safari sync through the browser vendor’s account with variable encryption guarantees, and they don’t help when you leave the ecosystem.
- No emergency-access designee. If you’re hit by a bus, your executor can’t rotate accounts. Bitwarden and 1Password both support this; set it once.
- Leaving a plaintext CSV on disk after bulk import. Shred it (not rm).
Setup
Bitwarden migration guide walks through import from LastPass / 1Password / browser, plus the first-week hygiene pass. Proton Pass setup guide if you’re going the Proton route. Passkeys primer explains where passkeys replace passwords outright.
Related categories
- Two-factor auth — TOTP codes belong in a dedicated 2FA app; hardware keys guard the manager account itself.
- Email — the email used as your manager’s account is the reset path for everything. Lock it down.
- Disk encryption — a stolen laptop with a logged-in vault is worse than a breach.