Best Free Password Managers in 2026
Private alternatives to LastPass, Dashlane, vetted against our public criteria.
Grouped by threat level
Proton Pass
Ad · Open-source, end-to-end encrypted password manager from the maker of Proton Mail, based in Switzerland. Stores logins, notes, and cards, with built-in email aliasing via SimpleLogin. Apps for Windows, macOS, Linux, Android, iOS, and the major browsers.
PrivacyNotes
Zero-knowledge notes, tasks, files, passwords and journal secured by a single 12-word recovery phrase, with no email or password required. The crypto core and database schema are published for audit. No subscription model.
KeePassXC
Securely store passwords using industry standard encryption, quickly auto-type them into desktop applications, and use browser extension to log into websites. KeePassDX for…
Bitwarden
Bitwarden is our top choice. You can import your previous passwords from other password managers with ease. Free for personal use. Available for Desktop, all Browsers, Android…
1Password
1Password is a commercial password manager for individuals, families, and teams, available on Windows, Mac, Linux, Android, iOS, and all major browsers. It uses a dual-key architecture combining your master password with a locally generated Secret Key.
KeePassDX
KeePassDX is a lightweight, open-source KeePass-compatible password manager for Android, storing credentials in a local encrypted database file (.kdbx) with support for biometric unlock, autofill, TOTP, and passkeys.
KeePassium
KeePassium is a KeePass-compatible password manager for iOS and macOS, offering biometric unlock, Password AutoFill, automatic sync with iCloud Drive and cloud storage providers, and read/write support for all KeePass database formats.
Psono
Psono is an open-source, self-hostable password manager built for teams and organisations, with browser extensions for all major browsers plus Android and iOS apps. Secrets are end-to-end encrypted client-side before reaching the server.
gopass
gopass is an open-source, command-line password manager written in Go, compatible with the Unix pass store format. Credentials are encrypted with GPG (or age) and versioned in git, with packages available for Linux, macOS, and Windows.
LessPass
If you like Bitwarden but don't like syncing or storage of passwords then LessPass is your choice. Browsers, mobile phones and the command line are supported platforms.
AliasVault
A self-hosted, zero-knowledge password manager with a built-in email aliasing server, end-to-end encrypted and licensed under AGPLv3.
Spectre
Formerly Master Password. Passwords aren't stored: they are generated on-demand from your name, the site, and your master password. No syncing, backups, or internet access…
No matches for those filters.
How they compare
| Tool | Storage | Based in | Cost |
|---|---|---|---|
| Cloud | Lithuania | Freemium |
| | Cloud | Switzerland | Freemium |
| | Cloud | Switzerland | Freemium |
| | Local | · | Free |
| | Both | United States | Freemium |
| | Cloud | Canada | Paid |
| | Local | France | Free |
| | Local | Luxembourg | Freemium |
| | Both | Germany | Freemium |
| | Local | · | Free |
| | Stateless | France | Free |
| Both | · | · |
| Stateless | · | Free |
A password manager generates a strong, unique password for every account and locks them in an encrypted vault behind one master password, so a breach at one site never cascades to the rest. The whole model rests on trusting that vault, which is why how it encrypts your data and where that vault lives matter more than any convenience feature on the box.
Why one strong habit beats a clever system
Reusing a password is the single habit that gets people breached, because one leaked site hands an attacker the keys to every account that shares it. No memory trick scales to the hundred-odd logins an average person now juggles. A password manager solves it by remembering long, random passwords for you, so every account gets a different one and any breach stays contained to the single site where it happened. The only thing you memorize is the master password.
How we pick these
Every pick is measured against our public listing criteria, starting with encryption and transparency. We look for a modern cipher such as AES-256 or XChaCha20, and ideally open-source code so the vault’s security can be verified independently rather than taken on faith. We weigh a zero-knowledge design, where the provider cannot read your vault even if compelled to, alongside a clear answer to where your data actually lives. We list open-source vaults for people who want to audit or self-host, and polished mainstream apps for people who just want it to work.
What to look for in a password manager
Four things matter most. Strong, modern encryption of the vault, so the stored data is useless if it ever leaks. A zero-knowledge architecture, so the company holds only ciphertext it cannot open. Open-source code where you can get it, because a vault you can inspect is a vault you can trust. And a storage model that fits you: a local vault you sync yourself, a cloud account that syncs everywhere automatically, or a stateless tool that derives passwords on demand with nothing to store. Breach alerts and autofill are welcome, but they come after the security basics.
The easy mainstream pick
If you want a polished app that works across every device with no fuss, NordPass is a solid mainstream choice: a zero-knowledge vault encrypted with XChaCha20, with autofill on every platform and a scanner that warns you when a saved login turns up in a known breach. The honest catch is that it is closed-source, so you are trusting its audits rather than the code, and the free tier covers only one device at a time. If you would rather run open-source software, Bitwarden is the community favorite that still syncs everywhere, and KeePassXC keeps the vault entirely on your own machine.
How to switch
Most managers import straight from your browser’s saved passwords or from a CSV your old manager exports, so the move is usually a single step. Set a long passphrase you have never used anywhere else as your master password, then turn on two-factor authentication and install the browser extension and mobile app so autofill follows you everywhere. Then work through your most important logins and replace each weak or reused password with a generated one. Keep your second factor in a separate authenticator app, so it does not sit in the same vault as the passwords it is meant to protect.
Frequently asked
- Is it safe to keep all my passwords in one place?
- Yes, because that one place is an encrypted vault only your master password can open. A good manager uses a zero-knowledge design, so even the company that runs it stores nothing but ciphertext it cannot read. The risk you are removing, reused and weak passwords across dozens of sites, is far larger than the risk you are taking on.
- What happens if I forget my master password?
- With a true zero-knowledge manager, usually nothing can be done, which is the point: if the provider could reset it, so could an attacker. Most offer a recovery key or an emergency kit you save when you sign up. Write your master passphrase down and store it somewhere safe offline, and keep that recovery key.
- Are free password managers good enough?
- For most people, yes. Open-source options like Bitwarden and KeePassXC are free and cover everything an average user needs, including sync and autofill. Paid tiers mostly add convenience and sharing features, not fundamentally better security, so start free and upgrade only if you hit a real limit.
- Is my browser's built-in password manager enough?
- It is better than reusing passwords, but weaker than a dedicated manager. Browser vaults are tied to that one browser, often less rigorously encrypted, and easier for malware on your machine to read. A dedicated manager works across every app and browser and is built around protecting the vault as its only job.
- Should I pick a local vault or a cloud one?
- A local vault never leaves your devices, so there is nothing for anyone to breach on a server, but you handle sync and backups yourself. A cloud account syncs everywhere automatically at the cost of trusting the provider's encryption. Both are safe when done right, so choose by whether you value full control or effortless convenience.
- Didn't a big password manager get breached?
- Yes, and it is the clearest argument for choosing carefully. When a provider is breached, a strong master password and a zero-knowledge design are what keep the stolen vaults useless to attackers. Open-source code that outsiders can inspect, and honesty about what a breach exposed, are exactly what separate a trustworthy manager from a risky one.