Best Password Managers in 2026
Side-by-side comparison of the top password managers — encryption architecture, audit history, pricing, breach history, and which one to actually use.
A maintained reference. Updated when providers change pricing, release audit results, or something significant happens to their security architecture. For setup instructions, see How to Set Up Bitwarden.
Quick Pick
Not sure where to start? Three scenarios:
For most people → Bitwarden
Open source, independently audited, AES-256 with Argon2id support, FIDO2/WebAuthn free on all plans. The January 2026 price increase took it from $9.99/year to $19.80/year — still the best value on this list by a wide margin. Free tier is genuinely unlimited (passwords, devices, sync).
Best polished experience → 1Password
Closed source but heavily audited. Travel Mode is a unique feature with real use cases — removes selected vaults from your devices at a toggle, useful at border crossings. No free tier. March 2026 price increase brought it to $47.88/year individual. Passkey support via FIDO Alliance's Credential Exchange Protocol (CXP) launches in 2026.
Best for families with no technical overhead → NordPass
Cheapest family plan on this list at $2.58/month for up to 6 users. XChaCha20 encryption — uncommon choice, stronger on mobile than AES. Third-party audit by Cure53, SOC 2 Type 2 certified. From the same company as NordVPN (Nord Security), which is worth knowing.
Enterprise/government compliance → Keeper
The only password manager with FedRAMP authorization. If you're in a regulated industry or government context, this is the one — not because the technology is superior, but because the certifications are there. Individual pricing is $34.99/year.
Quick Comparison
| Provider | Free Tier | Individual/yr | Family/mo | Open Source | E2E Encrypted | Zero Knowledge | Platforms |
|---|---|---|---|---|---|---|---|
| Bitwarden | ✅ Unlimited passwords + devices | $19.80/yr | $3.99/mo (6 users) | ✅ | ✅ | ✅ | Win / Mac / Linux / iOS / Android / Web |
| 1Password | ❌ | $47.88/yr | $5.99/mo (5 users) | ❌ | ✅ | ✅ | Win / Mac / Linux / iOS / Android / Web |
| Dashlane | ❌ (discontinued 2025) | $59.99/yr | N/A (business plans only) | ❌ | ✅ | ✅ | Browser extension + mobile only |
| Keeper | ❌ (limited trial only) | $34.99/yr | $6.25/mo (5 users) | ❌ | ✅ | ✅ | Win / Mac / Linux / iOS / Android / Web |
| NordPass | ✅ (1 device only) | ~$1.38/mo | $2.58/mo (6 users) | ❌ | ✅ | ✅ | Win / Mac / Linux / iOS / Android / Web |
Prices current as of March 2026. NordPass promotional rate — verify at checkout.
Security Architecture
The columns that determine what an attacker (or law enforcement with a subpoena) would get if the provider's servers were compromised. Zero-knowledge means the provider's servers store only encrypted data — they cannot read your vault. A subpoena returns an encrypted blob, not your passwords.
| Provider | Encryption Algorithm | KDF | Client-side Encryption | Latest Audit | Breach History |
|---|---|---|---|---|---|
| Bitwarden | AES-256-CBC | PBKDF2 (600k iterations, default) or Argon2id (user choice) | ✅ | ETH Zurich cryptography review, Feb 2026; annual third-party pentests | No vault breach on record. 2023 autofill iframe vulnerability — patched. |
| 1Password | AES-256-GCM | PBKDF2 + 128-bit Secret Key (two-factor key derivation) | ✅ | Cure53 pentest 2025; 24+ published audits; SOC 2 Type 2; ISO 27001 | No breach on record. |
| Dashlane | AES-256 | Argon2d | ✅ | ISO 27001:2022; no independent no-logs style audit | No vault breach. ETH Zurich Feb 2026 research found compromise-scenario vulnerabilities — patched November 2025. |
| Keeper | AES-256 | PBKDF2 | ✅ | SOC 2, ISO 27001, FedRAMP; no public Cure53-style pentest | No breach on record. |
| NordPass | XChaCha20 | Argon2 | ✅ | Cure53, 2020; SOC 2 Type 2 (Dec 2023); ISO/IEC 27001 (2024) | No breach on record. |
Note on the ETH Zurich research (February 2026): Researchers from ETH Zurich's Applied Cryptography Group demonstrated attacks on Bitwarden, LastPass, and Dashlane under the assumption the provider's server had been compromised and was behaving maliciously. Bitwarden responded that it has never been breached. Dashlane patched legacy cryptography in November 2025. The research is meaningful context for threat models involving state-level adversaries — not for typical users.
1Password's Secret Key: The two-secret-key model (master password + 128-bit Secret Key stored only on your devices) means that even a server-side breach can't be decrypted without the device-side key. The tradeoff: if you lose both your master password and your Emergency Kit, there is no recovery path.
Features
| Provider | TOTP 2FA | Hardware Key (FIDO2/YubiKey) | Passkeys | Emergency Access | Password Health | Breach Alerts | Self-host Option |
|---|---|---|---|---|---|---|---|
| Bitwarden | ✅ (all plans) | ✅ (all plans, up to 5 keys free / 10 paid) | ✅ Store + use | ✅ Premium — contact-based with configurable wait period | ✅ Premium | ✅ Premium | ✅ (Vaultwarden) |
| 1Password | ✅ | ✅ | ✅ Full CXP support (2026) | ⚠️ Emergency Kit only — PDF with account details, not contact-based | ✅ Watchtower | ✅ Watchtower | ❌ |
| Dashlane | ✅ | ✅ | ✅ | ❌ | ✅ | ✅ Dark web monitoring | ❌ |
| Keeper | ✅ | ✅ | ✅ | ✅ (BreachWatch add-on required for breach alerts) | ✅ | ✅ (paid add-on) | ❌ |
| NordPass | ✅ | ✅ | ✅ | ❌ | ✅ | ✅ | ❌ |
On emergency access: Bitwarden's contact-based emergency access (Premium feature) is the most operationally useful. You designate a trusted contact; they request access; you have a configurable wait period to reject it; if you don't respond, they get in. It's built for the scenario where you're actually incapacitated. 1Password's Emergency Kit is a printed document — useful for estate planning, not for a medical emergency.
Business and Sharing
| Provider | Family Plan | Family Users | Teams Pricing | Sharing | SSO Support |
|---|---|---|---|---|---|
| Bitwarden | $3.99/mo | 6 users | $4/user/mo (Teams) | Shared collections | ✅ (Teams+) |
| 1Password | $5.99/mo | 5 users | $7.99/user/mo | Guest accounts (5 free) | ✅ (Teams+) |
| Dashlane | Business only (no personal family plan) | N/A | Starter: $30/mo | Admin-managed groups | ✅ |
| Keeper | $6.25/mo | 5 users | $4.50/user/mo (Business) | Shared folders | ✅ |
| NordPass | $2.58/mo | 6 users | $1.79/user/mo (Teams) | Shared items | ✅ |
Pricing Detail
Full pricing by plan. All USD unless noted.
| Provider | Free | Individual | Family | Notes |
|---|---|---|---|---|
| Bitwarden | $0 (unlimited) | $19.80/yr ($1.65/mo) | $47.88/yr ($3.99/mo, 6 users) | First price increase in 10 years, Jan 2026. Loyalty discount (25%) for existing subscribers at next renewal. |
| 1Password | ❌ | $47.88/yr ($3.99/mo) | $71.88/yr ($5.99/mo, 5 users) | $12/yr price increase took effect March 27, 2026. No free tier — 14-day trial only. |
| Dashlane | ❌ (discontinued Sept 2025) | $59.99/yr ($4.99/mo) | N/A for personal use | Free plan retired. Desktop app retired 2022 — browser extension + mobile only now. Promo: first year at $2.50/mo. |
| Keeper | ❌ | $34.99/yr ($2.92/mo) | $74.99/yr ($6.25/mo, 5 users) | Promotional 50% discounts frequent — verify at checkout. |
| NordPass | ✅ (1 device) | ~$16.56/yr (promo) | ~$30.96/yr ($2.58/mo, 6 users) | Promotional rate — verify. NordVPN subscribers get discounted bundles. |
Always verify pricing at the provider's checkout page before subscribing — promotional rates and renewal rates differ significantly.
Platform Coverage
| Provider | Windows | macOS | Linux | iOS | Android | Browser Extension | CLI |
|---|---|---|---|---|---|---|---|
| Bitwarden | ✅ | ✅ | ✅ | ✅ | ✅ | Chrome / Firefox / Safari / Edge / Opera | ✅ |
| 1Password | ✅ | ✅ | ✅ | ✅ | ✅ | Chrome / Firefox / Safari / Edge / Brave | ✅ |
| Dashlane | ⚠️ Extension only | ⚠️ Extension only | ⚠️ Extension only | ✅ | ✅ | Chrome / Firefox / Safari / Edge | ❌ |
| Keeper | ✅ | ✅ | ✅ | ✅ | ✅ | Chrome / Firefox / Safari / Edge | ✅ |
| NordPass | ✅ | ✅ | ✅ | ✅ | ✅ | Chrome / Firefox / Safari / Edge / Opera | ❌ |
Dashlane's desktop app was retired in January 2022. All desktop access now routes through the browser extension. If you need a native app on Linux or prefer to work outside a browser, Dashlane isn't the right choice.
Provider Verdicts
Bitwarden
The default recommendation for most people. The argument for it isn't complicated: open source (you can read the code, independent researchers can find problems), annually audited, AES-256 with optional Argon2id KDF (better resistance to GPU cracking than PBKDF2 alone), FIDO2/WebAuthn hardware key support on free accounts, passkey storage, genuine emergency access for paid subscribers, and a self-hosting option via Vaultwarden for users who want full control.
The ETH Zurich February 2026 research finding is worth understanding without catastrophizing it. The attack scenario requires the Bitwarden server itself to be compromised and actively serving malicious responses to clients. That's not the threat model of 99% of users — it's relevant to people who should be self-hosting anyway. Bitwarden's response was straightforward: no breach has ever occurred, and they view third-party research as valuable input. That's the right posture.
FIDO2 hardware key support moved to all plans, including free, as part of the January 2026 premium plan overhaul. Previously locked to paid plans. That's a meaningful change — hardware key 2FA is the most phishing-resistant option available, and it now costs nothing to use with Bitwarden.
For a full setup walkthrough, see How to Set Up Bitwarden.
Best for: Everyone who doesn't have a specific reason to use something else.
1Password
The premium, closed-source option. "Closed source" is not automatically a disqualifier — 1Password has accumulated more than 24 independent security audits and publishes the results through its Trust Center. The audit density is higher than most open-source projects. The SOC 2 Type 2 and ISO 27001 certifications are management-process attestations, but the Cure53 penetration tests are technical.
Two genuinely unique things. First, the two-secret-key model — your master password plus a 128-bit Secret Key stored only on your devices. A server breach without the device-side key is useless. The tradeoff is that recovery without your Emergency Kit is impossible. Second, Travel Mode — toggle it on before a border crossing, and any vault you haven't marked "safe for travel" disappears from all your devices. The vault isn't deleted; it's removed from device storage until you toggle it off. No other password manager does this. For anyone crossing borders where device searches are a real concern, this is not a gimmick.
The March 2026 price increase is real: individual plan went from $35.88/year to $47.88/year. Still defensible for the feature set and audit history, but it's no longer competitive on price with Bitwarden.
No free tier. No self-hosting option. No contact-based emergency access.
Best for: Users who want maximum audit history, the Travel Mode feature, and are willing to pay the premium for a polished closed-source product.
NordPass
The cheapest family plan on this list. Six users at $2.58/month. The encryption choice — XChaCha20 with Argon2 key derivation — is technically sound. XChaCha20 performs better than AES-256 on devices without hardware AES acceleration, which means every mobile device you own. The Cure53 2020 audit found nine vulnerabilities; all were patched during the audit period. SOC 2 Type 2 and ISO 27001 certifications followed.
What you're trading away: NordPass has the thinnest public audit record here. One Cure53 audit from 2020, plus certifications. No annual pentest cadence like 1Password, no open-source codebase like Bitwarden. The latest listed security work is SOC 2/ISO from 2023-2024.
The Nord Security parentage (same company as NordVPN) is worth knowing. Not a red flag — Nord has a reasonable track record — but it's a larger corporate structure than Bitwarden's independent company model.
No emergency access feature. No self-hosting.
Best for: Budget-conscious users, especially families. The encryption and zero-knowledge architecture are legitimate even if the audit trail is thinner.
Dashlane
The hardest one to recommend without caveats, and the price doesn't justify them. $59.99/year for browser-extension-only access. The desktop app died in 2022. The free plan died in September 2025. What you get is a clean interface, dark web monitoring, an integrated VPN (useful to some, irrelevant to others), and ISO 27001 certification.
The ETH Zurich February 2026 research found six compromise-scenario vulnerabilities in Dashlane. To its credit, Dashlane moved fastest on patches — legacy cryptographic downgrades were removed and the browser extension was patched in November 2025. That's a better response than doing nothing.
What Dashlane doesn't have: a public Cure53-style technical pentest, an open-source codebase, a family plan, or a self-hosting option. At $59.99/year — the highest individual price on this list — you're paying for a polished interface and brand recognition.
Best for: Existing Dashlane users who are satisfied and have no reason to switch. For new users, Bitwarden or 1Password are better options at lower prices.
Keeper
The compliance specialist. SOC 2, ISO 27001, FedRAMP, StateRAMP — if your organization operates in federal or regulated environments, Keeper is the practical choice because those certifications are prerequisites, not nice-to-haves. Individual pricing ($34.99/year) is reasonable. The interface is clean across all platforms including a native Linux app.
Outside the enterprise/government use case, the case for Keeper over Bitwarden is harder to make. The encryption is AES-256 with PBKDF2 — functional, but not differentiated. The audit record is certification-heavy (ISO, SOC 2) rather than technical-pentest-heavy. There's no open-source client, no self-hosting option, and breach alerts require a paid BreachWatch add-on.
Best for: Government agencies, regulated industries, and organizations that specifically require FedRAMP authorization. For personal use, the other options offer more per dollar.
What Law Enforcement Gets
Zero-knowledge architecture is not primarily about marketing — it has a legal dimension. When a law enforcement agency serves a subpoena on Bitwarden, 1Password, or any of the others on this list, they receive whatever the provider is capable of handing over. In a properly implemented zero-knowledge architecture, that's encrypted vault data that the provider cannot decrypt. The keys exist only on your devices.
This works until it doesn't. A provider operating under a gag order in a jurisdiction that compels software modifications could, in theory, be forced to push a client update that exfiltrates the master password before hashing. Open-source clients are meaningfully more resistant to this because the code can be audited and reproducible builds can be verified. Closed-source clients require trusting that the binary matches what the audits covered.
For most people this is not a live threat. For people whose password manager contents could result in their prosecution or harm to others, these architectural differences matter.
Passkeys and Where Password Managers Are Going
The shift to passkeys is real and accelerating. Bitwarden reported a 550% jump in daily passkey creation in 2025. Every provider on this list now supports passkey storage. 1Password is implementing FIDO Alliance Credential Exchange Protocol (CXP) in 2026, which will allow passkeys to be moved between password managers without starting over.
The practical implication: your password manager choice today is also your passkey manager choice going forward. A provider that handles passkeys poorly — bad UX, limited platform support, no cross-device sync — will create friction as passkeys replace passwords for more services. On this dimension, Bitwarden and 1Password are the furthest ahead. For more on the passwordless shift, see Going Passwordless in 2026.
Auditing Your Password Manager
Regardless of which provider you use, the vault itself needs regular maintenance — weak passwords, reused passwords, compromised credentials, and stale accounts that no longer exist. The tool is only as good as the hygiene habits around it. See How to Audit Your Password Manager for a structured process.
Providers Not Included
- LastPass — Two major breaches in 2022, including one where threat actors exfiltrated encrypted vault data. The company's incident response was slow and the disclosure was incomplete. Not included.
- RoboForm — Legitimate product, thinner public audit trail. May be added in a future update.
- KeePass / KeePassXC — Open-source, local-only by default. Excellent for users who want zero cloud exposure, but out of scope for this cloud-sync comparison.
Affiliate Disclosure
This page does not carry affiliate links. Bitwarden, 1Password, NordPass, Keeper, and Dashlane all have affiliate or referral programs — this explains why they appear in every "best password managers" roundup. All prices above link directly to the provider's pricing page or an independent source, not to an affiliate landing page.
Changelog
| Date | Change |
|---|---|
| 2026-03-27 | Initial published version. |
Last updated: 27 March 2026. To report a change — new audit, pricing update, incident — get in touch.