The Best Password Manager in 2021
Password managers are – thankfully – becoming a mainstream topic. In addition to seeing commercials for certain ones from time to time, it’s becoming more common for me to attempt to spread the word about good passwords only to be met with something like “oh I already use LastPass/Dashlane/1Password/etc.” While it’s good for consumers that there are more of them available, that also makes it rather difficult for people to know what’s best. This week, I’d like to weigh in on this subject. While I will admit that I purposely formatted this blog title for SEO, I am writing this blog on the assumption that you understand the basics of what a password manager is, what it does, and why it matters. If you’re not sure, I encourage you to skim this page of my website quickly and come back.
I’ll cut right to the chase: the only two password managers I recommend are Bitwarden and KeePassXC. The first criterion I use to recommend password managers is that they are open source. See this page on my website all about what open source is and why it matters to me. This automatically rules out most of the “mainstream” providers like LastPass, Dashlane, etc. My second criterion, which rules out many of the other open-source projects, is that they must be cross-platform – that is, they must be available on Windows, macOS, Debian-based Linux, Android, and iOS. There are some other criteria, which you can view in full here if you care, but those main two will likely answer the inevitable “Why isn’t X listed here?”
On the plus side, it does appear that Bitwarden's tracking is limited to their own site – in other words, they don’t try to aggregate information about you from other sources to identify you specifically. While this is probably more data about you than they really need, it does seem to be primarily limited to data they want for the purpose of improving the service. They explicitly say in the policy that they ignore Do Not Track signals because they don’t track you anyway. Their mobile app also appears to collect limited data according to its Apple Privacy Label, but unfortunately this “limited data” does include unique identifiers, specifically your Device ID. While I understand the value of this data with regard to security, I suspect they could do without it and better preserve privacy if they wanted to.
Bitwarden is cloud-based, which means you accept some degree of risk by default: a copy of your encrypted vault lives on someone else’s servers. However, the vault is encrypted with AES-256 – a standard with no known practical weaknesses – and your master password is never stored anywhere. Instead it is salted and run through a deliberately slow key-derivation function (PBKDF2-SHA256 with a high iteration count, per Bitwarden’s security documentation at the time of writing) on your own device to produce the key that unlocks the vault, and a further hash of that key, stretched again on the server, is all the server ever keeps for login. For my non-techy readers: they take your security really freaking seriously. The weak link is the master password you choose, because anyone who gets hold of a copy of the encrypted vault can test guesses against it offline, and two-factor authentication only protects the login, not that offline guessing. So use a strong passphrase, and turn on two-factor anyway, since it stops someone who has only learned your password from signing in. While it is important to note that nothing is unhackable and keeping your vault in the cloud with Bitwarden is inherently a risk no matter what, at this point in time I would argue that if you’re using a strong master passphrase and two-factor, the average person has nothing to fear on the security front from using Bitwarden.
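To make the “master password is the weak link” point concrete, here is a small model of that chain, added as an example for this post. It is not Bitwarden’s code and does not use Bitwarden’s actual parameters; it loosely follows the design described in Bitwarden’s security whitepaper (client-side PBKDF2 to derive the vault key, a second derivation for the login hash, and server-side re-hashing), with the iteration counts, e-mail, passwords and wordlist all being constructed values chosen so the example runs in well under a second. The last function shows what an attacker with a stolen copy of the server’s database actually does: run the same computation for each guess. No two-factor code is involved, because the attacker never logs in.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumption for this example: deliberately small iteration counts so it runs
# quickly. Real deployments use far more (Bitwarden's are in its whitepaper).
CLIENT_ITERATIONS = 5_000
SERVER_ITERATIONS = 5_000


def derive_master_key(password: str, email: str) -> bytes:
    """Client side: stretch the master password into the 256-bit key that
    protects the vault. The account e-mail is the salt, so two people with
    the same password still end up with different keys."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(),
                               email.strip().lower().encode(),
                               CLIENT_ITERATIONS, dklen=32)


def derive_auth_hash(master_key: bytes, password: str) -> bytes:
    """Client side: one more PBKDF2 round, salted with the password, gives the
    value sent to the server at login. The vault key itself never leaves the
    device, so the server cannot decrypt the vault even if it wanted to."""
    return hashlib.pbkdf2_hmac("sha256", master_key, password.encode(), 1, dklen=32)


def server_enroll(auth_hash: bytes) -> dict:
    """Server side: never store the auth hash as received. Salt and stretch it
    again so a database leak does not hand out a directly usable credential."""
    salt = os.urandom(16)
    stored = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, SERVER_ITERATIONS, dklen=32)
    return {"salt": salt, "hash": stored}


def server_verify(record: dict, auth_hash: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", auth_hash, record["salt"],
                                    SERVER_ITERATIONS, dklen=32)
    return hmac.compare_digest(candidate, record["hash"])  # constant-time compare


def enroll(password: str, email: str) -> dict:
    """The full client-then-server chain a signup performs."""
    return server_enroll(derive_auth_hash(derive_master_key(password, email), password))


def offline_guess(record: dict, email: str, wordlist: list) -> Optional[str]:
    """What an attacker holding a copy of the server database does: rerun the
    whole chain per guess. Two-factor authentication plays no part, because
    nobody is logging in; the guesses are tested against stolen data."""
    for guess in wordlist:
        if server_verify(record, derive_auth_hash(derive_master_key(guess, email), guess)):
            return guess
    return None


# Constructed sample data for the demonstration.
EMAIL = "user@example.com"
WORDLIST = ["password", "123456", "qwerty", "letmein", "Summer2021!", "dragon"]
WEAK_PASSWORD = "Summer2021!"                           # appears in cracking wordlists
STRONG_PASSPHRASE = "ferry-manual-gorge-tundra-violin"  # diceware-style random words


if __name__ == "__main__":
    weak_record = enroll(WEAK_PASSWORD, EMAIL)
    strong_record = enroll(STRONG_PASSPHRASE, EMAIL)
    print("weak master password recovered:  ", offline_guess(weak_record, EMAIL, WORDLIST))
    print("strong passphrase recovered:     ", offline_guess(strong_record, EMAIL, WORDLIST))
```

The salting and the extra server-side stretching are what stop a leaked database from being a list of ready-to-use logins, but they only make each guess slower; if the master password is in a wordlist, the attacker still gets it. The only parameter you control is how many guesses it takes, which is why the passphrase matters more than anything else in this design.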
KeePassXC’s vault is also encrypted with AES-256 by default. KeePassXC has the advantage of being a single locally stored file, entirely independent of the internet. This means that unless you choose to upload your vault to a cloud service, there is no server copy for anyone to steal. However, it is important to note that you should keep secure backups, as you still run the risk of the vault file becoming corrupted or being lost if your computer dies, and of course a locally stored file won’t save you from a compromised device, so be sure to take proper and appropriate device security measures overall. I would also encourage the use of a strong passphrase with KeePassXC simply as a precaution: the file is only as strong as the passphrase protecting it, and a backup that ends up in the wrong hands is attacked offline exactly like a stolen cloud vault. The odds of needing it are much lower than with Bitwarden (depending on your situation), and KeePassXC can additionally require a key file or a hardware security key alongside the passphrase, which is the local equivalent of two-factor.
Quite frankly, Bitwarden and KeePassXC are almost identical in terms of features and functionality. For that reason, I’ll just go ahead and list all the major features and differences here in one section. Both allow you to generate random passwords or passphrases, both allow you to specify the criteria for those passwords (length, special characters, etc.), and both will allow you to store your two-factor secrets in the app for a more convenient login experience (for Bitwarden this is a paid feature, and for KeePassXC it requires a small degree of manual setup by the user). Regardless, be aware that keeping your two-factor secrets next to your passwords makes the vault a “single point of failure”, so this feature should be used cautiously. Bitwarden does have a secure file send feature they recently rolled out for premium users, but I personally have never used it, as this isn’t something I expect of my password manager and I already have other methods for doing that anyway. I would say the only difference between the two in terms of features and function is the user interface: Bitwarden is very sleek, very modern, very pleasing to the eye, and very easy to navigate. KeePassXC looks a bit more outdated, a bit older, a bit more rough, and some of the more advanced features can be confusing and intimidating (fortunately most users don’t have to worry about these features and can safely ignore them). Both also offer a browser extension to easily log in to websites. I recommend keeping your browser extensions to a minimum, but that’s useful for those who have come to rely on such features. It’s also worth mentioning that Bitwarden has a paid Teams plan, so if you run a company then Bitwarden would be the clear winner here, as they make it incredibly easy to bring multiple users into the same shared vault so that you can use strong passwords at work while still giving access to everyone who needs those sites or accounts.
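Since both managers let you set criteria for generated passwords and passphrases, here is what that generation looks like done properly, added as an example for this post (it is not code from either project). The two things worth noticing are the use of the operating system’s cryptographic random source rather than a general-purpose random number generator, and the entropy arithmetic, which is what the “length” and “character class” settings are really buying you. The word list is a constructed sixteen-word stand-in; the entropy function takes the list size as a parameter so you can see why a real generator uses a list of several thousand words.

```python
import math
import secrets
import string

CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": "!@#$%^&*()-_=+[]{};:,.?/",
}
ALL_CLASSES = ("lower", "upper", "digits", "symbols")

# Constructed stand-in word list. A real passphrase generator uses a published
# list such as the EFF long list (7,776 words), which the entropy math below
# can be evaluated against by passing that size.
WORDS = ["ferry", "manual", "gorge", "tundra", "violin", "cactus", "ledger",
         "marble", "oxide", "pencil", "quartz", "ribbon", "saddle", "timber",
         "umpire", "walnut"]


def meets_criteria(password: str, classes=ALL_CLASSES) -> bool:
    """True when at least one character from every requested class is present."""
    return all(any(ch in CLASSES[c] for ch in password) for c in classes)


def generate_password(length: int = 20, classes=ALL_CLASSES) -> str:
    """Uniform random characters from the combined alphabet, via secrets (the
    OS CSPRNG), with rejection sampling to guarantee every class appears.
    Rejection costs a negligible amount of entropy at realistic lengths."""
    if length < len(classes):
        raise ValueError("length must be at least the number of required classes")
    alphabet = "".join(CLASSES[c] for c in classes)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_criteria(candidate, classes):
            return candidate


def password_entropy_bits(length: int, classes=ALL_CLASSES) -> float:
    """Upper bound on guessing work: length * log2(alphabet size)."""
    alphabet_size = sum(len(CLASSES[c]) for c in classes)
    return length * math.log2(alphabet_size)


def generate_passphrase(n_words: int = 5, wordlist=WORDS, separator: str = "-") -> str:
    """Words drawn independently and uniformly; the separator adds no entropy."""
    return separator.join(secrets.choice(wordlist) for _ in range(n_words))


def passphrase_entropy_bits(n_words: int, wordlist_size: int) -> float:
    """n_words * log2(list size). Only the list size and word count matter,
    not how long or unusual the individual words look."""
    return n_words * math.log2(wordlist_size)


if __name__ == "__main__":
    pw = generate_password(20)
    print(pw, f"{password_entropy_bits(20):.1f} bits")
    pp = generate_passphrase(5)
    print(pp, f"{passphrase_entropy_bits(5, len(WORDS)):.1f} bits from this tiny list,",
          f"{passphrase_entropy_bits(5, 7776):.1f} bits from a 7,776-word list")
```

The numbers are the practical takeaway: five words from the sixteen-word stand-in list give only 20 bits, while the same five words from a 7,776-word list give about 64.6 bits, comparable to a ten-character random password over all four classes. Whichever manager you use, set the length generously; it is the one knob that scales entropy linearly.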
Ultimately, for individuals, you can’t go wrong with either of these options, and which one you should pick depends on your threat model and your lifestyle. If you have a low threat model – that is, you are unlikely to be specifically targeted by an individual or organization – and you value convenience, Bitwarden is probably the right choice for you, with its single app, synchronization across all devices, and sleek user interface. If you have a higher threat model (or you simply distrust the cloud), you’re willing to do a little extra work, you don’t mind a slightly outdated design, and/or you’re more techy, then KeePassXC is right for you. Whichever one you use, remember to use a strong passphrase (and two-factor for Bitwarden), keep good backups, and you should be pretty well protected. Now go forth and create strong, unique passwords everywhere.