Three open-source password managers that respect your privacy

Passwords are designed to protect one thing: your online security. Weak passwords pose a serious threat to your online security — once a hacker gains access to your online accounts, they can impersonate you online, steal your financial data, or sell your private information to hostile third parties. 

Strong passwords are the first line of defense against unauthorized access to your online accounts, and by extension, your personal data. 

Sometimes, even if your password is strong, it can be compromised through no fault of your own (such as in the event of a massive data breach). This is why top security researchers recommend using different passwords for different sites, so if one of your accounts is compromised, your personal information in other accounts remains safe. 

However, juggling lengthy and complex passwords for different accounts is impractical without some help. A password manager eliminates this problem by remembering your passwords for you. 

In this article, we look at how password managers work, the factors to consider when choosing one, and recommend three password managers that respect your privacy. 

How a password manager works

A password manager is a program that generates and stores login credentials associated with online accounts. When you first create an online account, a password manager will prompt you to enter a strong and unique password or generate one for you. Once you’ve created the password, the password manager saves the entry in an encrypted vault and allows you to sign in to the same account in the future without hassle. 

Instead of memorizing numerous passwords, you only have to remember one: a master password that enables you to sign in to your password manager. A password manager makes it easy to practice good security hygiene without compromising your online privacy. 

Most password managers also have an autofill feature that automatically selects the relevant password based on the website you are visiting. If you try to log in to an existing account and your password manager does not autofill your login credentials, you may be visiting a spoofed website. Password managers safeguard your security by ensuring that you do not give out your login credentials to malicious websites. 

How to choose a password manager

You can significantly bolster the security of your passwords and online information by investing in a good password manager that puts your privacy and security first. Here are some factors to consider when picking a password manager: 

End-to-end encryption

Since the primary purpose of a password manager is to keep your passwords and login credentials safe, it has to be built with robust encryption protocols. End-to-end encryption (E2EE) is a powerful method of encrypting data so that only the intended recipient — in this case, you — can decrypt it with the master password. 

E2EE is especially crucial in password managers that employ cloud services to sync information across different platforms and devices. Since your passwords are stored in the cloud, they are exposed to the possibility of hacks and data breaches. However, if they are end-to-end encrypted, nobody can decrypt them unless they also have access to your master password. This means that your encrypted passwords remain safe even if your password manager’s cloud service suffers a data breach. 

Password managers use several encryption techniques to secure your data. Two of the most common are:

AES-256

AES-256 is a symmetric block cipher, meaning the same key is used to encrypt and decrypt your data. With a key length of 256 bits, AES-256 is virtually impenetrable: using brute-force methods, it would take a computer billions of years to break the encryption.

AES was chosen as the winner of a worldwide cipher competition that the National Institute of Standards and Technology (NIST) launched in 1997. Today, it is the cipher of choice for government and commercial use.

Twofish

Like AES, Twofish is a symmetric block cipher; it was designed by cryptographer Bruce Schneier. Twofish was selected as one of five finalists in the 1997 NIST competition but has received less scrutiny than AES since. 

Hashing

A hash function is an algorithm that maps input of any size to a fixed-length string of letters and numbers. Hashing is a one-way operation: recovering the original input from its hash is practically impossible. 

Hashing is also deterministic: the word “Hello” always produces the same hash. Most password managers don’t store your master password itself but a hash of it. Every time you log in, the manager hashes the password you enter and compares it with the hash it has on file; if they match, you are logged in. SHA-256 is currently the most popular secure hashing algorithm. 

Salting

While hashing is extremely difficult to break, it can be done given enough time and computing power. To raise the bar further, password managers “salt” your password: they add a random piece of data to it before hashing, which defeats rainbow table attacks (lookups in precomputed tables of hashes of common passwords).

To salt a password, password managers use a cryptographic method known as a key derivation function. Besides the password itself, a key derivation function takes a salt (a random piece of data) and an iteration count (the number of hashing rounds to perform). 

Key derivation functions are designed to consume computational resources on purpose, increasing the time needed to crack a password. The higher the iteration count, the longer a single derivation takes, and an attacker has to pay that cost for every guess. As such, key derivation functions with high iteration counts effectively mitigate brute-force attacks.

Salting also ensures that each stored password has a unique hash value, even when two users choose exactly the same password. Without a salt, if you choose the same password as someone else, both of you end up with the same hash. With a salt, the password manager adds a different random piece of data to each password, producing two distinct hashes. 

PBKDF2, AES-KDF, and Argon2 are popular key derivation functions. 

Open source

Password managers that are open source promote trust and transparency. They enable you to inspect the source code and ensure that the security features are implemented correctly. Since open-source software is collaborative, any security expert can submit bug fixes, helping solve vulnerabilities faster. Open-source software has also been shown to be more secure than proprietary software.

Password generator

A password generator saves you the trouble of having to come up with a strong and unique password yourself. Most password managers come equipped with a generator that will automatically create a strong password for you.

Two-factor authentication

Two-factor authentication (2FA) provides an additional layer of security by requiring a second round of verification before you can access your password manager. 2FA is usually implemented on a mobile device, most commonly through an authenticator app. If your master password is compromised, it is unlikely for a hacker to gain access to your passwords unless they also have the second piece of information (i.e., physical access to your mobile) needed to complete the 2FA process. 

Recommendations

The password manager you choose can have a significant impact on your online security. You can protect the integrity of your passwords by using one of the following recommendations, which are all open source and end-to-end encrypted. 

KeePass

Pros:

  • Free
  • E2EE: AES-256 or Twofish (Additional options available via plugins)
  • Password hash: SHA-256
  • Password salt: AES-KDF, Argon2 (Iteration counts can be configured) 
  • Available on: Windows (unofficial versions for Linux, macOS, Android, and iOS)
  • Complete database encryption 
  • Available on major platforms
  • Two-factor authentication
  • Customizable password generator

Cons:

  • Outdated user interface
  • Can be tricky to set up
  • Browser integration only available through plugins

KeePass is a lightweight password manager that boasts a customizable, built-in password generator. Unlike other password managers, KeePass encrypts not only your passwords but also your usernames, URLs, and notes in a database. The database can then be protected with a combination of your master password and an encrypted key file. 

Even though KeePass is a standalone app and does not rely on third-party hosting services, encrypted key files can still be shared across devices using file-sharing apps and cloud services, such as Dropbox. This ensures continual access to your passwords even if you are signing in from another device. 

Bitwarden

Pros: 

  • Free plan available
  • Open source
  • E2EE: AES-256
  • Password hash: SHA-256
  • Password salt: PBKDF2 (100,001 iterations client-side, 100,000 iterations server-side; the client-side iteration count can be configured)
  • Available on: Windows, macOS, Linux, iOS, Android, and as a browser plugin
  • Self-hosting option
  • Easy-to-use desktop and mobile apps
  • Cross-platform synchronization
  • Two-factor authentication
  • Password generator

Cons:

  • Autofill feature requires improvement

Bitwarden is a password manager that encrypts your data and stores it on the Bitwarden cloud by default. However, if you want to retain more technical control, a self-hosting option is available.

Similar to KeePass, Bitwarden offers a free tier that includes a customizable password generator and unlimited vault entries. For an annual subscription of $10, you can attach up to 1 GB of encrypted files, generate vault health reports, and receive additional 2FA options with YubiKey, U2F, and Duo. Besides personal plans, Bitwarden also offers team plans targeted at businesses and enterprises. 

Padloc

Pros: 

  • Open source
  • Free plan available
  • E2EE: AES-256
  • Password hash: SHA-256
  • Password salt: PBKDF2 (Iteration counts can be configured)
  • Available on: Windows, macOS, Linux, iOS, and Android 
  • Ability to store attachments
  • Password sharing
  • Browser extensions on Google Chrome and Firefox
  • Easy-to-use apps on major platforms
  • Password generator

Cons:

  • Two-factor authentication only available on paid plans

Though a newcomer to the industry, Padloc is an intuitive password manager built on the premise of simplicity and usability. While Padloc features a free plan that can store up to 50 items and connect up to two devices, the Premium plan unlocks advanced features such as 2FA and 1 GB of encrypted file storage. 

Padloc also offers browser extensions for Chrome and Firefox that allow you to access and manage your passwords directly from your browser. It automatically finds relevant entries based on the website you are visiting. Nonetheless, Padloc does not offer 2FA unless you pay for the Premium plan.

While there are many password management solutions on the market, these three open-source password managers can be trusted to keep your passwords safe by providing true end-to-end encryption. Combined with 2FA, they drastically reduce the possibility of anyone gaining access to your passwords and online accounts. If you wish to further protect your online privacy and security, you can also sign up for a free ProtonMail account.

FAQ

What is the most secure way to keep passwords?

The most secure way to keep passwords is to use a password manager that uses end-to-end encryption. End-to-end encryption secures your data in a way that ensures nobody else can access your passwords except you. 

As an added bonus, it is also worth picking a password manager that is open source and supports two-factor authentication. Open-source software is fully transparent and allows independent reviewers to verify the integrity of the code. At the same time, two-factor authentication provides an added boost of security by requiring a second form of identification. 

Is it safe to use a password manager?

While password managers that rely on third-party hosting services can be breached, this should not pose a problem if the data is end-to-end encrypted. This means that even if a hacker obtained your encrypted passwords, they would not be able to decrypt them unless they also knew your master password. This makes end-to-end encrypted password managers safe to use. 

Password managers that are self-hosted are also extremely safe since you retain full control of your servers and security protocols. 

Should I store my passwords in my web browser?

Most web browsers come equipped with a password management feature, though they are by no means secure. Passwords stored in a web browser are not encrypted and can be read by anyone who has access to your laptop. 

Instead of using your web browser to store your passwords, opt for an end-to-end encrypted password manager. End-to-end password managers offer a high level of security while still prioritizing ease of use and convenience. 


About the Author

Lydia Pang

Lydia is a lifelong book-lover and her professional experience spans several industries, including higher education and editorial writing. She's excited to write for Proton and champion privacy as a fundamental right for everyone.