Password Managers and Secrets
Credential management systems protect authentication secrets, API keys, certificates, and sensitive organisational data through encrypted vaults with controlled access. This reference provides procurement-grade evaluation criteria and detailed comparison of solutions suitable for mission-driven organisations, from single-person IT functions to enterprise deployments with compliance requirements.
Password managers address a fundamental security challenge: humans cannot remember unique, complex passwords for dozens or hundreds of services, yet password reuse creates catastrophic breach risk. Organisational credential management extends beyond individual password storage to include shared credentials, emergency access procedures, audit logging, and integration with identity providers.
- Password Manager: Software that generates, stores, and auto-fills authentication credentials in an encrypted vault, typically protected by a master password or biometric authentication.
- Secrets Management: Broader category encompassing passwords, API keys, certificates, SSH keys, and other sensitive data requiring secure storage and controlled access.
- Zero-Knowledge Architecture: Design where the service provider cannot access user data; encryption keys are derived locally and never transmitted to servers.
- Key Derivation Function (KDF): Cryptographic algorithm that derives encryption keys from passwords, designed to be computationally expensive to resist brute-force attacks. Common KDFs include PBKDF2, Argon2, and bcrypt.
- Vault: Encrypted container storing credentials and secrets, accessible only with correct authentication factors.
Category Definition
Functional Scope
Password managers and secrets management solutions provide:
| Function | Description | Organisational benefit |
|---|---|---|
| Credential storage | Encrypted vault for passwords, notes, payment cards | Eliminates insecure storage (spreadsheets, sticky notes, shared documents) |
| Password generation | Cryptographically random password creation | Ensures unique, complex passwords across all services |
| Auto-fill | Browser and application credential injection | Reduces phishing risk through domain verification |
| Secure sharing | Controlled credential distribution to team members | Enables collaboration without exposing plaintext passwords |
| Audit logging | Record of access, modifications, and sharing events | Supports compliance and incident investigation |
| Emergency access | Designated recovery procedures and trusted contacts | Ensures business continuity when key personnel unavailable |
| API and CLI access | Programmatic credential retrieval | Enables automation and DevOps integration |
Solution Categories
Password management solutions fall into distinct architectural categories:
| Architecture | Characteristics | Examples |
|---|---|---|
| Local-only | Database file on disk; user manages sync; no account required; maximum control | KeePassXC |
| Cloud-hosted | Vendor infrastructure; automatic sync; account required; managed availability | 1Password, Dashlane, Keeper |
| Self-hosted | Organisation servers; full data sovereignty; operational overhead; custom integration | Passbolt, Vaultwarden |
| Hybrid | Choice of deployment (cloud or self-host); feature parity varies; migration flexibility | Bitwarden |
Figure 1: Password manager deployment architecture categories
Adjacent Categories
| Category | Relationship | When to use instead |
|---|---|---|
| Identity and Access Management | IAM handles authentication; password managers store credentials for systems not integrated with SSO | Use IAM for centralised authentication; password managers for credentials that cannot use SSO |
| Privileged Access Management (PAM) | PAM provides session recording, just-in-time access, and privileged credential rotation | Use PAM for administrative access to critical infrastructure; password managers for general credentials |
| Secrets Management (HashiCorp Vault, etc.) | Infrastructure secrets management for applications and services | Use infrastructure secrets managers for machine-to-machine authentication; password managers for human users |
| Certificate Management | PKI and certificate lifecycle management | Use dedicated certificate management for TLS/SSL certificates at scale |
Selection Requirements
Requirement Categories
Requirements are organised by priority and applicability:
| Priority | Definition | Procurement implication |
|---|---|---|
| Critical | Solution unusable without this capability | Mandatory; no exceptions |
| High | Significant operational impact if missing | Required unless documented exception approved |
| Medium | Affects efficiency or user experience | Evaluate against cost and complexity |
| Low | Nice to have; marginal benefit | Consider only if budget allows |
Security Requirements
Encryption and Cryptography
| ID | Requirement | Priority | Verification method |
|---|---|---|---|
| SEC-001 | AES-256 encryption for vault data at rest | Critical | Security whitepaper review |
| SEC-002 | Zero-knowledge architecture (provider cannot access plaintext) | Critical | Architecture documentation; third-party audit |
| SEC-003 | Modern key derivation function (Argon2 or PBKDF2 ≥100,000 iterations) | Critical | Security documentation; source code review for FOSS |
| SEC-004 | Encrypted transmission (TLS 1.2+ minimum) | Critical | Security headers test; SSL Labs scan |
| SEC-005 | Client-side encryption before server transmission | Critical | Network traffic analysis; architecture documentation |
| SEC-006 | Memory protection (secure memory handling, auto-clear clipboard) | High | Security documentation; desktop application testing |
| SEC-007 | Support for hardware security keys (FIDO2/WebAuthn) | High | Feature testing; documentation review |
| SEC-008 | Configurable vault timeout and auto-lock | High | Application settings review |
| SEC-009 | Breach detection integration (compromised password checking) | Medium | Feature testing; API documentation |
| SEC-010 | Cryptographic audit by independent third party | High | Audit report availability |
Authentication
| ID | Requirement | Priority | Verification method |
|---|---|---|---|
| AUTH-001 | Multi-factor authentication support | Critical | Feature testing |
| AUTH-002 | TOTP authenticator app support | Critical | Configuration testing |
| AUTH-003 | Hardware security key support (YubiKey, etc.) | High | Device compatibility testing |
| AUTH-004 | Biometric unlock (fingerprint, face recognition) | Medium | Mobile/desktop application testing |
| AUTH-005 | SSO integration (SAML 2.0 or OIDC) | High | IdP integration testing |
| AUTH-006 | Directory service integration (LDAP, Active Directory) | Medium | Integration testing |
| AUTH-007 | Passwordless authentication option | Low | Feature documentation |
| AUTH-008 | Session management (concurrent session limits, forced logout) | Medium | Administrative console testing |
Access Control
| ID | Requirement | Priority | Verification method |
|---|---|---|---|
| AC-001 | Role-based access control (RBAC) | High | Administrative console testing |
| AC-002 | Granular sharing permissions (read-only, edit, manage) | High | Sharing workflow testing |
| AC-003 | Group-based credential sharing | High | Group management testing |
| AC-004 | Collection/folder-based organisation with permissions | Medium | Organisational structure testing |
| AC-005 | Time-limited access grants | Medium | Sharing options testing |
| AC-006 | Geographic access restrictions | Low | Policy configuration testing |
| AC-007 | Device trust requirements | Medium | Device management testing |
| AC-008 | Custom roles with configurable permissions | Medium | Role management testing |
Operational Requirements
Administration
| ID | Requirement | Priority | Verification method |
|---|---|---|---|
| ADM-001 | Centralised administrative console | High | Console functionality testing |
| ADM-002 | User provisioning and deprovisioning | Critical | Lifecycle management testing |
| ADM-003 | SCIM provisioning support | Medium | Identity provider integration |
| ADM-004 | Bulk user import/export | Medium | Import/export functionality testing |
| ADM-005 | Policy enforcement (password complexity, sharing restrictions) | High | Policy configuration testing |
| ADM-006 | Master password reset capability (admin-assisted recovery) | High | Recovery workflow testing |
| ADM-007 | Account recovery without master password exposure | High | Recovery process documentation |
| ADM-008 | Offboarding workflow (credential transfer, access revocation) | Critical | Offboarding process testing |
| ADM-009 | Directory sync (automatic user lifecycle management) | Medium | Directory integration testing |
| ADM-010 | Custom branding | Low | Branding options review |
Audit and Compliance
| ID | Requirement | Priority | Verification method |
|---|---|---|---|
| AUD-001 | Comprehensive audit logging (access, changes, sharing) | Critical | Log review and testing |
| AUD-002 | Log export capability (SIEM integration) | High | Export functionality testing |
| AUD-003 | Log retention configuration | Medium | Retention settings review |
| AUD-004 | Compliance reports (SOC 2, ISO 27001 evidence) | High | Report generation testing |
| AUD-005 | Data residency options | High | Deployment documentation |
| AUD-006 | Event streaming (real-time log forwarding) | Medium | Integration testing |
| AUD-007 | Access reports (who has access to what) | High | Reporting functionality |
| AUD-008 | Breach/exposure monitoring | Medium | Feature testing |
Business Continuity
| ID | Requirement | Priority | Verification method |
|---|---|---|---|
| BC-001 | Emergency access procedures | Critical | Emergency access testing |
| BC-002 | Trusted contact designation | High | Recovery workflow testing |
| BC-003 | Vault export capability | Critical | Export functionality testing |
| BC-004 | Offline access | High | Offline mode testing |
| BC-005 | Multi-device sync | High | Sync functionality testing |
| BC-006 | Service availability SLA | High | Contract review |
| BC-007 | Data backup and recovery | Critical | Backup documentation; recovery testing |
| BC-008 | Account inheritance procedures | Low | Inheritance workflow documentation |
Integration Requirements
Identity Provider Integration
| ID | Requirement | Priority | Verification method |
|---|---|---|---|
| IDP-001 | SAML 2.0 SSO support | High | SSO configuration testing |
| IDP-002 | OpenID Connect support | High | OIDC configuration testing |
| IDP-003 | Microsoft Entra ID integration | High | Azure AD testing |
| IDP-004 | Google Workspace integration | Medium | Google IdP testing |
| IDP-005 | Okta integration | Medium | Okta connector testing |
| IDP-006 | Keycloak/open source IdP support | Medium | Generic SAML/OIDC testing |
| IDP-007 | Just-in-time provisioning | Medium | Auto-provisioning testing |
| IDP-008 | Multi-IdP support | Low | Multiple IdP configuration |
Application Integration
| ID | Requirement | Priority | Verification method |
|---|---|---|---|
| APP-001 | Browser extension (Chrome, Firefox, Edge, Safari) | Critical | Extension installation and testing |
| APP-002 | Desktop application (Windows, macOS, Linux) | High | Application installation and testing |
| APP-003 | Mobile application (iOS, Android) | High | Mobile app testing |
| APP-004 | CLI tool | Medium | CLI functionality testing |
| APP-005 | API access (REST, GraphQL) | Medium | API documentation and testing |
| APP-006 | Browser auto-fill accuracy | High | Auto-fill testing across sites |
| APP-007 | SSH key management | Medium | SSH workflow testing |
| APP-008 | Passkey support (FIDO2 resident credentials) | Medium | Passkey creation and use testing |
External Integration
| ID | Requirement | Priority | Verification method |
|---|---|---|---|
| EXT-001 | SIEM integration (event forwarding) | High | Splunk/Sentinel/Wazuh testing |
| EXT-002 | Webhook support | Medium | Webhook configuration testing |
| EXT-003 | Microsoft 365 integration | Medium | M365 connector testing |
| EXT-004 | Slack/Teams notifications | Low | Notification testing |
| EXT-005 | ServiceNow integration | Low | ITSM connector testing |
| EXT-006 | Terraform provider | Low | Infrastructure-as-code testing |
Usability Requirements
End User Experience
| ID | Requirement | Priority | Verification method |
|---|---|---|---|
| UX-001 | Intuitive vault interface | High | User testing |
| UX-002 | Quick credential access (search, favourites) | High | Workflow timing |
| UX-003 | Password generator with customisation | High | Generator options testing |
| UX-004 | Secure note storage | High | Note functionality testing |
| UX-005 | Custom fields for credentials | Medium | Field customisation testing |
| UX-006 | File attachment support | Medium | Attachment functionality testing |
| UX-007 | Credential sharing workflow | High | Sharing process testing |
| UX-008 | Onboarding experience | Medium | New user workflow testing |
| UX-009 | Accessibility (WCAG 2.1 AA) | Medium | Accessibility audit |
| UX-010 | Localisation (multiple languages) | Low | Language options review |
Import and Migration
| ID | Requirement | Priority | Verification method |
|---|---|---|---|
| MIG-001 | Import from common formats (CSV, JSON) | Critical | Import testing |
| MIG-002 | Import from major competitors | High | Competitor import testing |
| MIG-003 | Browser password import | High | Browser import testing |
| MIG-004 | Bulk credential import | High | Large dataset import testing |
| MIG-005 | Export to standard formats | Critical | Export format verification |
| MIG-006 | Migration documentation | High | Documentation review |
Deployment Requirements
Self-Hosted Deployment
| ID | Requirement | Priority | Verification method |
|---|---|---|---|
| SH-001 | Container-based deployment (Docker) | High | Docker deployment testing |
| SH-002 | Kubernetes support | Medium | Helm chart testing |
| SH-003 | Database flexibility (PostgreSQL, MySQL, MSSQL) | Medium | Database compatibility testing |
| SH-004 | High availability configuration | High | HA deployment testing |
| SH-005 | Backup and restore procedures | Critical | Backup/restore testing |
| SH-006 | Upgrade procedures without data loss | Critical | Upgrade testing |
| SH-007 | Resource requirements documentation | High | Documentation review |
| SH-008 | Air-gapped deployment option | Low | Offline deployment testing |
Cloud Deployment
| ID | Requirement | Priority | Verification method |
|---|---|---|---|
| CL-001 | Data residency options (EU, US, etc.) | High | Data location verification |
| CL-002 | Uptime SLA (99.9%+) | High | Contract review |
| CL-003 | Disaster recovery procedures | Critical | DR documentation review |
| CL-004 | Data export availability | Critical | Export capability testing |
| CL-005 | SOC 2 Type II certification | High | Audit report review |
| CL-006 | GDPR compliance | Critical | DPA review |
| CL-007 | Data processing agreement availability | Critical | Contract documentation |
Comparison Matrix
Solution Overview
| Attribute | Bitwarden | Passbolt | KeePassXC | 1Password | Dashlane | Keeper |
|---|---|---|---|---|---|---|
| Licence | FOSS (AGPL-3.0) | FOSS (AGPL-3.0) | FOSS (GPL-3.0) | Proprietary | Proprietary | Proprietary |
| Current version | Server 2026.1.0 | API 5.8.0 | 2.7.11 | Continuous | Continuous | 17.4.1 |
| Release date | 13 Jan 2026 | 22 Dec 2025 | 24 Nov 2025 | Continuous | Continuous | 3 Nov 2025 |
| Deployment | Self-host / Cloud | Self-host / Cloud | Local only | Cloud only | Cloud only | Cloud only |
| Nonprofit programme | Yes | Yes | N/A (free) | Yes (50% discount) | Yes | Yes |
| Primary use case | General purpose | Team collaboration | Personal/technical | Enterprise | Consumer/business | Enterprise |
| Headquarters | USA (California) | Luxembourg | Community (Germany) | Canada | USA (New York) | USA (Illinois) |
Encryption Specifications
| Specification | Bitwarden | Passbolt | KeePassXC | 1Password | Dashlane | Keeper |
|---|---|---|---|---|---|---|
| Vault encryption | AES-256-CBC | AES-256-CFB | AES-256-CBC / ChaCha20 / Twofish | AES-256-GCM | AES-256-CBC | AES-256-GCM |
| Authentication | HMAC-SHA256 | OpenPGP signatures | HMAC-SHA256 | GCM (integrated) | HMAC | GCM (integrated) |
| Key derivation | PBKDF2 (600k) or Argon2id | N/A (OpenPGP) | Argon2d/id or AES-KDF | PBKDF2 (650k) | Argon2d | PBKDF2 (1M) |
| Key exchange | RSA-2048 | RSA-2048 / Curve25519 | N/A (local) | RSA-2048 | RSA-2048 | ECIES / ECC-256 |
| Two-secret model | No | No | No | Yes (Secret Key) | No | No |
| Zero-knowledge | Yes | Yes | Yes (local) | Yes | Yes | Yes |
Security Audit and Compliance
| Certification | Bitwarden | Passbolt | KeePassXC | 1Password | Dashlane | Keeper |
|---|---|---|---|---|---|---|
| SOC 2 Type II | Yes | Yes | No | Yes | Yes | Yes |
| SOC 3 | No | No | No | No | No | Yes (June 2025) |
| ISO 27001 | Yes | No | No | Yes | No | Yes |
| FedRAMP | No | No | No | No | No | High (Dec 2025) |
| FIPS 140-3 | No | No | No | No | No | Yes |
| ANSSI CSPN | No | No | Yes (v2.7.9) | No | No | No |
| GDPR compliance | Yes | Yes | N/A | Yes | Yes | Yes |
| HIPAA compatible | Yes | Yes | Yes (local) | Yes | Yes | Yes |
| Independent audit | Cure53 | Cure53 (2021, 2025) | Molotnikov (2023) | Yes | Not published | Yes |
| Bug bounty | HackerOne | Yes | No | HackerOne | No | Yes |
Platform Support
| Platform | Bitwarden | Passbolt | KeePassXC | 1Password | Dashlane | Keeper |
|---|---|---|---|---|---|---|
| Chrome extension | Yes | Yes | KeePassXC-Browser | Yes | Yes | Yes |
| Firefox extension | Yes | Yes | KeePassXC-Browser | Yes | Yes | Yes |
| Safari extension | Yes | No | KeePassXC-Browser | Yes | Yes | Yes |
| Edge extension | Yes | Yes | KeePassXC-Browser | Yes | Yes | Yes |
| Windows desktop | Yes | Yes | Yes | Yes | Yes | Yes |
| macOS desktop | Yes | Yes | Yes | Yes | Yes | Yes |
| Linux desktop | Yes | Yes | Yes | Yes | No | Yes |
| iOS app | Yes | Yes | No (Strongbox/KeePassium) | Yes | Yes | Yes |
| Android app | Yes | Yes | No (Keepass2Android) | Yes | Yes | Yes |
| CLI tool | Yes | Yes | Yes | Yes | Yes | Yes |
| Web vault | Yes | Yes | No | Yes | Yes | Yes |
Feature Comparison
| Feature | Bitwarden | Passbolt | KeePassXC | 1Password | Dashlane | Keeper |
|---|---|---|---|---|---|---|
| Password generator | Yes | Yes | Yes | Yes | Yes | Yes |
| Secure notes | Yes | Yes (v5.6+) | Yes | Yes | Yes | Yes |
| File attachments | Yes (1GB) | No | Yes | Yes (1GB/5GB) | Yes | Yes |
| Custom fields | Yes | Yes | Yes | Yes | Yes | Yes |
| TOTP storage | Yes | Yes | Yes | Yes | Yes | Yes |
| SSH key management | Yes | No | Yes | Yes | No | Yes |
| Passkey support | Yes | No | Limited | Yes | Yes | Yes |
| Credential sharing | Yes | Yes | No (database sharing) | Yes | Yes | Yes |
| Emergency access | Yes | No | No | Yes | Yes | Yes |
| Travel mode | No | No | No | Yes | No | No |
| Breach monitoring | Yes | No | Yes (HIBP) | Yes | Yes | Yes |
| Password health | Yes | No | Yes | Yes | Yes | Yes |
| Dark web monitoring | Enterprise | No | No | Business | Yes | Yes |
Administrative Features
| Feature | Bitwarden | Passbolt | KeePassXC | 1Password | Dashlane | Keeper |
|---|---|---|---|---|---|---|
| Admin console | Yes | Yes | N/A | Yes | Yes | Yes |
| User provisioning | Yes | Yes | N/A | Yes | Yes | Yes |
| SCIM support | Yes | Beta | N/A | Yes | Yes | Yes |
| SAML SSO | Enterprise | Pro/Enterprise | N/A | Business | Business | Business |
| OIDC support | Enterprise | Pro/Enterprise | N/A | Yes | Yes | Yes |
| Directory sync | Yes | Yes | N/A | Yes | Yes | Yes |
| Policy enforcement | Yes | Yes | N/A | Yes | Yes | Yes |
| Audit logs | Yes | Yes | N/A | Yes | Yes | Yes |
| SIEM integration | Yes | Yes | N/A | Yes | Yes | Yes |
| Custom roles | Enterprise | Pro/Enterprise | N/A | Business | Business | Yes |
| Reporting | Yes | Yes | N/A | Yes | Yes | Yes |
Pricing Comparison
| Tier | Bitwarden | Passbolt | KeePassXC | 1Password | Dashlane | Keeper |
|---|---|---|---|---|---|---|
| Free individual | Yes | Community Edition | Yes | No | Limited | No |
| Paid individual | ~$10/year | N/A | Free | ~$36/year | ~$60/year | ~$35/year |
| Team (per user/month) | ~$4 | ~$4 (Pro) | Free | ~$8 | ~$8 | ~$4 |
| Enterprise | ~$6/user/month | ~$6 (Enterprise) | Free | ~$8/user/month | Custom | ~$5/user/month |
| Nonprofit discount | Free Teams | Free Community | N/A | 50% | Available | Available |
| Self-host option | Yes (free) | Yes (free CE) | Yes (only option) | No | No | No |
Note: Prices are approximate and subject to change. Contact vendors for current nonprofit pricing.
Tool Assessments
Bitwarden
Classification: FOSS password manager with optional cloud hosting
Version assessed: Server 2026.1.0, Clients 2025.12.1
Repository: github.com/bitwarden/server, github.com/bitwarden/clients
Overview
Bitwarden provides a comprehensive open-source password management solution with both self-hosted and cloud deployment options. The platform uses a zero-knowledge architecture where all encryption and decryption occurs client-side. Bitwarden’s open-source nature allows security auditing of the codebase, while the company maintains cloud infrastructure for organisations preferring managed services.
The solution targets the full spectrum of users, from individuals using the free tier to enterprises requiring SSO integration, directory sync, and advanced policies. Recent development (2025) has added Access Intelligence for credential risk insights, passkey interoperability, and ISO 27001 certification.
Technical Architecture
Client devices (browser extension, desktop app, mobile app, CLI tool) send only encrypted payloads (AES-256-CBC + HMAC-SHA256) to the Bitwarden server, which consists of an API server, an admin portal, the core service, and an MSSQL database.
Figure 2: Bitwarden client-server architecture showing zero-knowledge design
Encryption Model
Bitwarden implements a layered encryption approach:
| Layer | Algorithm | Purpose |
|---|---|---|
| Master key derivation | PBKDF2-SHA256 (600,000 iterations) or Argon2id | Derive 256-bit master key from password + email salt |
| Key stretching | HKDF | Stretch to 512-bit stretched master key |
| Symmetric encryption | AES-256-CBC | Encrypt vault items |
| Authentication | HMAC-SHA256 | Verify integrity of encrypted data |
| Asymmetric sharing | RSA-2048 | Encrypt organisation keys for sharing |
Key derivation configuration:
```text
# Default PBKDF2 configuration
Algorithm: PBKDF2-SHA256
Iterations: 600,000 (client-side)
Salt: User email address (normalised)
Output: 256-bit master key

# Optional Argon2id configuration (post-account creation)
Algorithm: Argon2id
Memory: 64 MB
Iterations: 3
Parallelism: 4
Output: 256-bit master key
```
The master password never leaves the client device. Authentication uses a separate hash derived from the master key, not the password directly.
Deployment Options
Cloud (Bitwarden-hosted):
- Data centres in US (Azure) and EU (Azure)
- Automatic updates and maintenance
- Uptime SLA included in enterprise plans
- CLOUD Act applies (US-headquartered)
Self-hosted requirements:
| Component | Minimum | Recommended |
|---|---|---|
| CPU | 1 vCPU | 2+ vCPU |
| Memory | 2 GB RAM | 4+ GB RAM |
| Storage | 10 GB | 25+ GB |
| Database | MSSQL Express (10 GB limit) | MSSQL Standard or PostgreSQL |
| Container | Docker with Docker Compose | Kubernetes with Helm |
| OS | Linux (Ubuntu 20.04+) or Windows Server | Linux preferred |
Self-hosted deployment example:
```bash
# Download and configure
curl -Lso bitwarden.sh https://go.btwrdn.co/bw-sh
chmod +x bitwarden.sh
./bitwarden.sh install

# Configure environment
# Edit ./bwdata/env/global.override.env
GLOBAL_SETTINGS__ATTACHMENT_MAX_SIZE=104857600
GLOBAL_SETTINGS__SEND__MAX_FILE_LENGTH=104857600

# Start services
./bitwarden.sh start

# Update procedure
./bitwarden.sh update
```
Strengths
- Open source transparency: Full codebase available for audit
- Deployment flexibility: Self-host for data sovereignty or use managed cloud
- Feature completeness: Matches commercial competitors on core features
- Nonprofit support: Free Teams plan for qualifying organisations
- Active development: Monthly releases with new features
- Standards compliance: SOC 2 Type II, ISO 27001 certified
- Cross-platform: Full support across all major platforms
Limitations
- Self-hosted complexity: Requires Docker knowledge and ongoing maintenance
- MSSQL dependency: Self-hosted version requires Microsoft SQL Server
- Enterprise features gated: SSO, directory sync require paid Enterprise tier
- CLOUD Act exposure: Cloud-hosted data subject to US jurisdiction
- No travel mode: Cannot hide vaults for border crossing (unlike 1Password)
Suitability Assessment
| Context | Suitability | Rationale |
|---|---|---|
| Single IT person | High | Free Teams tier; minimal self-host complexity acceptable |
| Small IT team | High | Good balance of features and cost |
| Established IT function | High | Enterprise features, SSO, directory sync available |
| Data sovereignty requirement | High | Self-host option with full data control |
| High-compliance environment | Medium | SOC 2/ISO 27001 but no FedRAMP |
| Technical users | High | CLI, API, self-host options |
| Non-technical users | High | Intuitive interface; browser extension works well |
Documentation Quality
| Resource | Quality | Notes |
|---|---|---|
| Security whitepaper | Excellent | Comprehensive cryptographic documentation |
| Self-host guide | Good | Step-by-step Docker deployment |
| API documentation | Good | OpenAPI specification available |
| Admin documentation | Good | Clear console guidance |
| User documentation | Excellent | Comprehensive help centre |
Key documentation links:
- Security whitepaper: bitwarden.com/help/bitwarden-security-white-paper
- Architecture: contributing.bitwarden.com/architecture
- Self-host: bitwarden.com/help/install-on-premise-linux
Passbolt
Classification: FOSS team password manager with OpenPGP encryption
Version assessed: API/Browser 5.8.0, Windows 2.5.0, Android 2.5.0, iOS 2.5.0
Repository: github.com/passbolt/passbolt_api
Overview
Passbolt takes a distinct approach to password management by building on OpenPGP (RFC 4880) rather than symmetric encryption with a master password. Each user has an RSA or ECC key pair; sharing credentials involves encrypting with recipients’ public keys. This model aligns naturally with team collaboration use cases where credentials must be shared securely between specific individuals.
The platform is self-hosted by design, with cloud hosting available as an optional managed service. Passbolt’s focus on collaboration differentiates it from general-purpose password managers—features like individual credential storage are secondary to secure team sharing workflows.
Technical Architecture
- User device: browser extension running OpenPGP.js client-side; the user's private key never leaves the device.
- Passbolt server: PHP application using OpenPGP.php for validation; stores only the public keys of all users; MySQL or PostgreSQL database.
- Authentication between the two sides uses GpgAuth (challenge-response).
Figure 3: Passbolt architecture showing OpenPGP-based encryption model
Encryption Model
Passbolt’s cryptographic model differs fundamentally from password-derived encryption:
| Component | Implementation | Purpose |
|---|---|---|
| User keys | RSA-2048 (default) or Curve25519 | Asymmetric encryption for sharing |
| Symmetric cipher | AES-256-CFB | Encrypt credential payloads |
| Hash functions | SHA-256, SHA-512 | Integrity verification |
| Authentication | GpgAuth challenge-response | No password hash transmitted |
| Metadata encryption | AES-256-GCM (SSO) or OpenPGP | Zero-knowledge mode |
Key characteristics:
- No master password hash stored anywhere
- Private key protected by passphrase, stored client-side only
- Sharing = encrypting with recipient’s public key
- Server validates signatures but cannot decrypt data
GpgAuth authentication flow:
- (1) The user sends an authentication request to the server.
- (2) The server returns a server token encrypted with the user's public key.
- (3) The user returns the decrypted token, proving possession of the private key.
- (4) The server returns a user token, allowing the user to verify the server's identity.
- (5) An authenticated session is established.
Figure 4: GpgAuth challenge-response authentication
Deployment Options
Self-hosted (primary model):
| Component | Requirement |
|---|---|
| Web server | Nginx or Apache |
| PHP | 8.1+ with required extensions |
| Database | MySQL 8.0+ or PostgreSQL 13+ |
| SSL certificate | Required (Let’s Encrypt acceptable) |
| Container | Docker available |
Docker deployment:
```bash
# Using official Docker image
docker pull passbolt/passbolt:latest

# Configure with environment variables
docker run -d \
  --name passbolt \
  -e DATASOURCES_DEFAULT_HOST=db \
  -e DATASOURCES_DEFAULT_DATABASE=passbolt \
  -e DATASOURCES_DEFAULT_USERNAME=passbolt \
  -e DATASOURCES_DEFAULT_PASSWORD=secure_password \
  -e APP_FULL_BASE_URL=https://passbolt.example.org \
  passbolt/passbolt:latest
```
Cloud (Passbolt-hosted):
- Available for Pro and Enterprise tiers
- EU data centre (Luxembourg)
- SOC 2 Type II certified
- GDPR compliant
Feature Highlights (2025)
Recent releases have added significant capabilities:
| Version | Feature | Description |
|---|---|---|
| 5.8.0 | Dynamic role management | Custom RBAC roles |
| 5.7.0 | Secret history | Track credential changes over time |
| 5.6.0 | Standalone notes | Secure notes without credentials |
| 5.5.0 | Encrypted metadata | Zero-knowledge mode for all metadata |
| 5.4.0 | SCIM provisioning | Automated user lifecycle (beta) |
Strengths
- OpenPGP foundation: Proven cryptographic standard; key portability
- Collaboration focus: Designed for team credential sharing from the start
- Self-hosted first: Full data sovereignty with primary deployment model
- EU jurisdiction: Luxembourg headquarters; GDPR-native
- Security audits: Regular Cure53 audits (2021 full, 2025 metadata)
- Active development: Consistent monthly releases
- API-first: Comprehensive REST API for automation
Limitations
- No Safari extension: macOS users must use desktop app
- No file attachments: Cannot store documents in vault
- Mobile experience: Less mature than desktop/browser
- Complexity: OpenPGP model requires user understanding of key management
- No emergency access: Missing trusted contact / dead man’s switch
- Individual use limited: Team sharing focus means personal features secondary
Suitability Assessment
| Context | Suitability | Rationale |
|---|---|---|
| Single IT person | Low | Overhead too high for single user |
| Small IT team | High | Team sharing is primary use case |
| Established IT function | High | Enterprise features, SSO, directory sync |
| Data sovereignty requirement | Excellent | Self-host by default; EU cloud option |
| High-compliance environment | Medium | SOC 2 but no FedRAMP |
| Technical users | High | OpenPGP model appeals to security-conscious |
| Non-technical users | Medium | Key concepts require explanation |
Documentation Quality
| Resource | Quality | Notes |
|---|---|---|
| Security whitepaper | Excellent | Detailed cryptographic documentation (August 2025, Rev 9) |
| Installation guide | Good | Multiple deployment options covered |
| API documentation | Excellent | Comprehensive REST API reference |
| Admin documentation | Good | Clear role and policy guidance |
| User documentation | Good | Covers browser extension workflow |
Key documentation links:
- Security whitepaper: passbolt.com/docs/hosting/security/security-white-paper
- Installation: passbolt.com/docs/hosting/install
- API reference: passbolt.com/docs/api
KeePassXC
Classification: FOSS local password manager with database file storage
Version assessed: 2.7.11 (24 November 2025)
Repository: github.com/keepassxreboot/keepassxc
Overview
KeePassXC is a community-driven fork of KeePassX (itself a cross-platform port of KeePass), written in C++ with Qt. Unlike cloud-based solutions, KeePassXC stores credentials in an encrypted database file (KDBX format) that users manage locally. This local-first approach provides maximum control and privacy but requires users to handle their own synchronisation and backup.
The project achieved significant recognition in November 2025 when version 2.7.9 received French ANSSI First-level Security Certification (CSPN), validating its security model for government use. This certification, combined with a prior independent security audit, makes KeePassXC one of the most scrutinised password managers available.
Technical Architecture
Figure 5: KeePassXC local architecture with optional user-managed sync. Components recovered from the diagram:
- KeePassXC application on the user device: crypto engine (AES, ChaCha20, Twofish); KDF engine (Argon2d, Argon2id, AES-KDF); browser integration via native messaging
- KDBX database file: outer header (cipher, KDF, parameters); inner header (stream cipher, binary attachments); encrypted payload (XML with entries); HMAC blocks (integrity check)
- Optional cloud storage (Dropbox, Google Drive, Syncthing, rsync, etc.), not managed by KeePassXC; the user handles sync and backup
Encryption Model
KeePassXC supports the KDBX 4 format with configurable encryption:
| Component | Options | Default |
|---|---|---|
| Cipher | AES-256-CBC, ChaCha20, Twofish-256 | AES-256-CBC |
| KDF | Argon2d, Argon2id, AES-KDF | Argon2d |
| Stream cipher | ChaCha20 (inner), Salsa20 (legacy) | ChaCha20 |
| HMAC | HMAC-SHA256 (block authentication) | Required |
Argon2 default parameters:

```text
Algorithm:   Argon2d (GPU/ASIC resistant)
Memory:      64 MB
Iterations:  Calibrated to ~1 second unlock time
Parallelism: CPU core count
```

Composite key derivation:

```text
Composite Key = SHA256( SHA256(password) + keyfile_contents + hardware_key_response )
Master Key    = KDF(Composite Key, parameters)
```

Here `keyfile_contents` is the key file's 32-byte key (raw or hex-encoded key files) or the SHA-256 of any other file, and `hardware_key_response` is the HMAC-SHA1 response of the hardware key to a challenge taken from the database header; factors that are not configured are simply left out of the concatenation.

Authentication Factors
KeePassXC supports multiple authentication factors:
| Factor | Description | Security benefit |
|---|---|---|
| Master password | Primary knowledge factor | Required or optional with key file |
| Key file | File with random bytes | Something you have; can require both password + key |
| YubiKey / OnlyKey | HMAC-SHA1 challenge-response | Hardware factor; physically required to unlock |
| Windows Hello | Biometric quick unlock | Convenience (not a replacement for master key) |
Multi-factor configuration example:
- Require password + key file for database open
- Key file stored on USB drive or secure location
- YubiKey in challenge-response mode for additional factor
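The header fields and composite-key formula above in working form, as an added example rather than KeePassXC project code: a constructed KDBX 4.1 outer header is built in memory, parsed back the way a KDBX reader would (signature, TLV fields, the VariantDictionary holding the Argon2 parameters, and the trailing header SHA-256 that detects tampering), and the composite key is assembled from password, key file and challenge-response material exactly as the formula above concatenates them. The Argon2 transform itself is omitted because it needs a library outside the standard library; the 64 MiB threshold in `kdf_warnings` is an assumption taken from the default quoted above.

```python
"""KDBX 4 outer-header parsing and the KeePass composite key (added example).

Not KeePassXC project code: a constructed KDBX 4.1 header is built in memory,
parsed back the way a KDBX reader would, and checked against its trailing
SHA-256. The Argon2 transform itself is omitted (non-stdlib); the weak-setting
thresholds in kdf_warnings are assumptions taken from the defaults quoted above.
"""
import hashlib
import struct
import uuid

SIG1, SIG2 = 0x9AA2D903, 0xB54BFB67                          # KDBX magic numbers
AES_CBC = uuid.UUID("31c1f2e6-bf71-4350-be58-05216afc5aff")
CHACHA20 = uuid.UUID("d6038a2b-8b6f-4cb5-a524-339a31dbb59a")
TWOFISH = uuid.UUID("ad68f29f-576f-4bb9-a36a-d47af965346c")
AES_KDF = uuid.UUID("c9d9f39a-628a-4460-bf74-0d08c18a4fea")
ARGON2D = uuid.UUID("ef636ddf-8c29-444b-91f7-a9a403e30a0c")
ARGON2ID = uuid.UUID("9e298b19-56db-4773-b23d-fc3ec6f0a1e6")
CIPHERS = {AES_CBC: "AES-256-CBC", CHACHA20: "ChaCha20", TWOFISH: "Twofish-256"}
KDFS = {AES_KDF: "AES-KDF", ARGON2D: "Argon2d", ARGON2ID: "Argon2id"}
F_END, F_CIPHER, F_COMPRESSION, F_SEED, F_IV, F_KDF = 0, 2, 3, 4, 7, 11   # outer header field ids
VD_U32, VD_U64, VD_BYTES = 0x04, 0x05, 0x42                               # VariantDictionary value types

def _vd_encode(entries):
    """Serialise a VariantDictionary: version 0x0100, typed entries, 0x00 terminator."""
    out = struct.pack("<H", 0x0100)
    for name, (vtype, val) in entries.items():
        raw = struct.pack("<I", val) if vtype == VD_U32 else struct.pack("<Q", val) if vtype == VD_U64 else val
        key = name.encode()
        out += struct.pack("<BI", vtype, len(key)) + key + struct.pack("<I", len(raw)) + raw
    return out + b"\x00"

def _vd_decode(buf):
    if struct.unpack_from("<H", buf)[0] != 0x0100:
        raise ValueError("unsupported VariantDictionary version")
    pos, out = 2, {}
    while buf[pos] != 0:
        vtype, klen = struct.unpack_from("<BI", buf, pos)
        key, pos = buf[pos + 5:pos + 5 + klen].decode(), pos + 5 + klen
        vlen = struct.unpack_from("<I", buf, pos)[0]
        raw, pos = buf[pos + 4:pos + 4 + vlen], pos + 4 + vlen
        out[key] = struct.unpack("<I", raw)[0] if vtype == VD_U32 else struct.unpack("<Q", raw)[0] if vtype == VD_U64 else bytes(raw)
    return out

def build_header(cipher, kdf, memory_bytes, iterations, parallelism, seed, iv, salt):
    """Constructed KDBX 4.1 outer header plus SHA-256(header); the keyed header HMAC of a real file is omitted."""
    kdf_params = _vd_encode({"$UUID": (VD_BYTES, kdf.bytes), "S": (VD_BYTES, salt), "P": (VD_U32, parallelism),
                             "M": (VD_U64, memory_bytes), "I": (VD_U64, iterations), "V": (VD_U32, 0x13)})
    fields = [(F_CIPHER, cipher.bytes), (F_COMPRESSION, struct.pack("<I", 1)), (F_SEED, seed),
              (F_IV, iv), (F_KDF, kdf_params), (F_END, b"\r\n\r\n")]
    hdr = struct.pack("<IIHH", SIG1, SIG2, 1, 4)                  # version minor=1, major=4 -> KDBX 4.1
    for fid, data in fields:
        hdr += struct.pack("<BI", fid, len(data)) + data          # TLV: 1-byte id, 4-byte length, data
    return hdr + hashlib.sha256(hdr).digest()

def parse_header(blob):
    """Return cipher, KDF and KDF parameters; raise on a bad signature or header hash."""
    s1, s2, minor, major = struct.unpack_from("<IIHH", blob)
    if (s1, s2) != (SIG1, SIG2) or major != 4:
        raise ValueError("not a KDBX 4 file")
    pos, fields, fid = 12, {}, None
    while fid != F_END:                                            # TLV fields until EndOfHeader
        fid, size = struct.unpack_from("<BI", blob, pos)
        fields[fid], pos = blob[pos + 5:pos + 5 + size], pos + 5 + size
    # KDBX 4 stores SHA-256(header) right after the header: a mismatch means corruption or tampering
    if hashlib.sha256(blob[:pos]).digest() != blob[pos:pos + 32]:
        raise ValueError("header hash mismatch")
    kdf = _vd_decode(fields[F_KDF])
    return {"version": f"{major}.{minor}",
            "cipher": CIPHERS.get(uuid.UUID(bytes=fields[F_CIPHER]), "unknown"),
            "kdf": KDFS.get(uuid.UUID(bytes=kdf["$UUID"]), "unknown"),
            "memory_mib": kdf.get("M", 0) // (1 << 20),
            "iterations": kdf.get("I", kdf.get("R")),              # AES-KDF names its round count "R"
            "parallelism": kdf.get("P")}

def kdf_warnings(info, min_memory_mib=64):
    """Flag settings weaker than the KeePassXC defaults quoted above (thresholds are assumptions)."""
    if info["kdf"] == "AES-KDF":
        return ["AES-KDF is not memory-hard; prefer Argon2d/Argon2id"]
    if info["memory_mib"] < min_memory_mib:
        return [f"Argon2 memory {info['memory_mib']} MiB below {min_memory_mib} MiB"]
    return []

def composite_key(password, keyfile=None, challenge_response=None):
    """Composite Key = SHA256( SHA256(password) || key-file key || challenge-response output )."""
    parts = hashlib.sha256(password.encode("utf-8")).digest()
    if keyfile is not None:
        if len(keyfile) == 32:                                     # raw 32-byte key file: used as-is
            parts += keyfile
        elif len(keyfile) == 64 and all(c in b"0123456789abcdefABCDEF" for c in keyfile):
            parts += bytes.fromhex(keyfile.decode())               # 64 hex characters
        else:
            parts += hashlib.sha256(keyfile).digest()              # any other file: its SHA-256
    if challenge_response is not None:
        parts += challenge_response                                # hardware key response (HMAC-SHA1, 20 bytes)
    return hashlib.sha256(parts).digest()

def demo():
    """Constructed headers: Argon2d at 64 MiB (the default quoted above) and a weak 16 MiB variant."""
    args = dict(seed=bytes(range(32)), iv=bytes(16), salt=b"\xab" * 32)
    strong = parse_header(build_header(AES_CBC, ARGON2D, 64 << 20, 10, 2, **args))
    weak = parse_header(build_header(AES_CBC, ARGON2D, 16 << 20, 10, 2, **args))
    return strong, kdf_warnings(strong), kdf_warnings(weak)
```

A real unlock continues from here: Argon2 runs over the composite key with the parsed `S`, `M`, `I` and `P` parameters, the cipher key is `SHA256(master_seed || transformed_key)`, and the key that authenticates the header HMAC and the payload's HMAC blocks is derived from the same master seed and transformed key. Reading the parameters before unlocking is also the cheapest way to audit a fleet of database files for weak KDF settings.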
Platform Support
Native applications (official):
| Platform | Distribution | Notes |
|---|---|---|
| Windows | Installer, portable, Microsoft Store | Full feature parity |
| macOS | DMG, Homebrew | Full feature parity |
| Linux | AppImage, Snap, Flatpak, distro packages | Primary development platform |
Browser integration:
- KeePassXC-Browser extension connects to desktop application
- Uses native messaging (not cloud sync)
- Requires KeePassXC desktop running
Mobile (community, third-party):
| Platform | Recommended app | Notes |
|---|---|---|
| iOS | Strongbox, KeePassium | KDBX format compatible; sync via Files app |
| Android | Keepass2Android | KDBX format compatible; direct cloud storage integration |
Strengths
- Local-only control: No account, no cloud dependency, complete data ownership
- Security certifications: ANSSI CSPN (2025), independent audit (2023)
- Encryption choice: Select cipher and KDF to match threat model
- Free forever: No paid tiers, no feature restrictions
- Cross-platform: Native performance on Windows, macOS, Linux
- SSH agent: Built-in SSH key management
- No server attack surface: No vendor server to compromise, no online account to breach (the database file and the host it lives on remain targets)
- KDBX portability: Database format supported by many applications
Limitations
- No native mobile app: Relies on third-party apps for iOS/Android
- Manual sync required: User manages file synchronisation
- No central sharing: Sharing means distributing database files or KeeShare group exports; no per-user access control or revocation
- No emergency access: No built-in trusted contact or recovery mechanism
- No breach monitoring: Cannot check credentials against breach databases (manual only)
- Browser integration complexity: Requires desktop app running; connection setup
- No centralised administration: Cannot manage multiple users centrally
Synchronisation Patterns
Since KeePassXC doesn’t provide sync, users must implement their own:
| Method | Pros | Cons |
|---|---|---|
| Cloud storage (Dropbox, Google Drive) | Easy setup; automatic | Third-party access to encrypted file |
| Syncthing | Peer-to-peer; no third party | Setup complexity; requires always-on device |
| rsync / SSH | Full control; scriptable | Manual trigger; technical knowledge required |
| Network share | Simple; works offline | Single point of failure; LAN only |
Conflict resolution:
- Sync tools cannot merge KDBX files; edits to the same database on two devices between syncs produce a conflict copy
- If that happens, open one copy and use Database > Merge From Database (or keepassxc-cli merge) to pull in the other copy's changes, then delete the conflict copy
- Some third-party apps (Strongbox) detect conflicts and offer a merge
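One way to run the copy-based patterns in the table above without silently losing edits, as an added example (not KeePassXC code): a three-way comparison between the local copy, the fetched remote copy and the hash recorded after the last successful sync decides whether to push, pull or stop, and a conflict keeps both copies for a manual merge in KeePassXC. File paths and the state-file name are assumptions; the transport that moves the file (rsync, Syncthing, a cloud folder) is whichever the table describes.

```python
"""Three-way sync check for a KDBX file that is copied between machines.

Added example, not KeePassXC code. Whatever transport moves the file
(rsync, Syncthing, a cloud folder), this decides from the hash recorded after
the last successful sync whether to push, pull, or stop because both copies
changed, and on a conflict keeps both copies for a manual merge.
Paths and the state-file name are assumptions.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path

def file_hash(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def sync_decision(local, remote, state_file):
    """Compare both copies with the hash of the version last synced (the 'base')."""
    if not Path(remote).exists():
        return "push"                                  # first sync: seed the remote copy
    local_h, remote_h = file_hash(local), file_hash(remote)
    base_h = Path(state_file).read_text().strip() if Path(state_file).exists() else None
    if local_h == remote_h:
        return "in-sync"
    if remote_h == base_h:
        return "push"                                  # only the local copy changed
    if local_h == base_h:
        return "pull"                                  # only the remote copy changed
    return "conflict"                                  # both changed: a plain copy would lose edits

def sync(local, remote, state_file):
    """Apply the decision; never overwrite a copy that holds unsynced changes."""
    decision = sync_decision(local, remote, state_file)
    if decision == "conflict":
        # keep the other side's version beside ours, then reconcile in KeePassXC:
        #   keepassxc-cli merge vault.kdbx vault.conflict.kdbx   (or Database > Merge From Database)
        conflict_copy = Path(local).with_suffix(".conflict.kdbx")
        shutil.copy2(remote, conflict_copy)
        return decision, conflict_copy
    if decision == "push":
        shutil.copy2(local, remote)
    elif decision == "pull":
        shutil.copy2(remote, local)
    Path(state_file).write_text(file_hash(local))      # both copies now identical: record the base
    return decision, None

def demo():
    """Constructed scenario in a temp dir: first push, a remote-only edit, then edits on both sides."""
    d = Path(tempfile.mkdtemp())
    local, remote, state = d / "vault.kdbx", d / "remote" / "vault.kdbx", d / ".vault.sync"
    remote.parent.mkdir()
    local.write_bytes(b"kdbx bytes v1")                # stand-in for a real database file
    first = sync(local, remote, state)[0]
    remote.write_bytes(b"kdbx bytes v2, edited on the laptop")
    second = sync(local, remote, state)[0]
    local.write_bytes(b"kdbx bytes v3, desktop edit")
    remote.write_bytes(b"kdbx bytes v3, laptop edit")
    third, conflict_copy = sync(local, remote, state)
    return [first, second, third], conflict_copy is not None and conflict_copy.exists(), local.read_bytes()
```

The state file is the piece most ad-hoc sync scripts forget: without a record of the last synced version, a script can only tell that the two copies differ, not which side changed, and "newest timestamp wins" will discard whichever edit was made first.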
Suitability Assessment
| Context | Suitability | Rationale |
|---|---|---|
| Single IT person | High | Simple, free, complete control |
| Small IT team | Low | No server-side sharing or access control; each user needs own database |
| Established IT function | Low | No centralised administration |
| Data sovereignty requirement | Excellent | No cloud, no account, pure local storage |
| High-compliance environment | High | ANSSI certified; audited; local control |
| Technical users | Excellent | Power user features; full configurability |
| Non-technical users | Medium | Sync setup and browser integration require guidance |
Documentation Quality
| Resource | Quality | Notes |
|---|---|---|
| User guide | Good | Comprehensive feature documentation |
| Security audit | Excellent | Published Molotnikov audit report |
| FAQ | Good | Common questions addressed |
| Browser extension | Good | Setup instructions clear |
| Comparison docs | Limited | Differences from KeePass not fully documented |
Key documentation links:
- User guide: keepassxc.org/docs
- Security audit: keepassxc.org/assets/pdf/KeePassXC-Review-V1-Molotnikov.pdf
- ANSSI certification: cyber.gouv.fr (search KeePassXC)
1Password
Classification: Commercial password manager with cloud-only deployment
Version assessed: Continuous release (January 2026 updates across platforms)
Website: 1password.com
Overview
1Password pioneered many features now standard in password management, including Travel Mode (hide vaults at borders) and Watchtower (breach monitoring). The platform serves both consumers and enterprises, with a particular strength in user experience and design.
A distinguishing architectural feature is the two-secret model: users have both an account password and a randomly generated Secret Key, created on the device and never sent to 1Password. Both are required to derive the vault encryption keys, so 1Password cannot decrypt a vault even under legal compulsion: it never holds the Secret Key.
1Password is cloud-only with no self-hosted option, positioning simplicity and security as compatible goals.
Technical Architecture
Figure 6: 1Password two-secret architecture. Components recovered from the diagram:
- User device: 1Password client with crypto engine (AES-256-GCM) and key derivation (PBKDF2, 650k iterations, plus HKDF); the Master Unlock Key (MUK) is derived from the account password and the Secret Key
- 1Password service (AWS, multi-region): SRP authentication server (no password transmitted); encrypted vault storage that cannot be decrypted without the Secret Key
Encryption Model
1Password’s security model centres on the Secret Key:
| Component | Specification |
|---|---|
| Vault encryption | AES-256-GCM |
| Key derivation | PBKDF2-HMAC-SHA256 (650,000 iterations) + HKDF |
| Secret Key | 128 bits of entropy; 34 alphanumeric characters (40 with separating dashes): version prefix, account ID and 26 random characters |
| Authentication | SRP v6 (Secure Remote Password) |
| Sharing | RSA-2048 public key encryption |
Two-secret key derivation:
```text
Secret Key format: A3-XXXXXX-XXXXXX-XXXXX-XXXXX-XXXXX-XXXXX
                   version (A3) + account ID (6 characters) + 26 random characters
                   = 128 bits of entropy (2^128 possible values)

# simplified from the 1Password white paper
salt    = HKDF(account_salt, info = email)                    # per-account salt, stored by the server
pw_part = PBKDF2-HMAC-SHA256(password, salt, 650000)          # 32 bytes
sk_part = HKDF(secret_key, salt = account_id, info = version) # 32 bytes; the Secret Key never leaves the device
MUK     = pw_part XOR sk_part                                 # Master Unlock Key
```

Security implications:
- Server breach: Attacker gets encrypted vaults but needs Secret Key to attempt password brute-force
- Phishing: Password alone is insufficient
- Court order: 1Password cannot comply; they don’t have Secret Key
- User burden: Must store Secret Key securely (Emergency Kit)
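The derivation and the "server breach" implication above in working form, as an added example rather than 1Password's code: the PBKDF2 output of the account password is XORed with an HKDF expansion of the Secret Key, and an attacker who holds everything the server holds (a key-check value standing in for the encrypted vault, the email and the per-account salt) runs the same guess list with and without the Secret Key. The HKDF salt and info inputs, the Secret Key alphabet and the key-check value are assumptions; the exact construction is in the 1Password white paper linked below.

```python
"""Two-secret key derivation (2SKD) in the style of 1Password's Secret Key.

Added example, not 1Password's code: the PBKDF2 output of the account password
is XORed with an HKDF expansion of the Secret Key, so an attacker holding the
encrypted vault, the account email and the server-side salt still cannot test
password guesses. Salt/info inputs and the Secret Key alphabet are assumptions;
the real construction is in the 1Password white paper.
"""
import hashlib
import hmac
import os
import secrets

ITERATIONS = 650_000
ALPHABET = "23456789ABCDEFGHJKLMNPQRSTVWXYZ"          # assumed 32-symbol alphabet, 5 bits each

def hkdf_sha256(ikm, salt, info, length=32):
    """RFC 5869 HKDF-SHA256, extract then expand."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block = b"", b""
    for i in range(1, (length + 31) // 32 + 1):
        block = hmac.new(prk, block + info + bytes([i]), hashlib.sha256).digest()
        okm += block
    return okm[:length]

def new_secret_key(account_id, version="A3"):
    """Version prefix + 6-character account ID + 26 random characters (about 128 bits)."""
    return version + account_id + "".join(secrets.choice(ALPHABET) for _ in range(26))

def master_unlock_key(password, secret_key, email, account_salt, iterations=ITERATIONS):
    """MUK = PBKDF2(password) XOR HKDF(Secret Key); neither half alone reveals anything."""
    salt = hkdf_sha256(account_salt, salt=b"", info=email.lower().encode())      # per-account salt
    pw_part = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    version, account_id, body = secret_key[:2], secret_key[2:8], secret_key[8:]
    sk_part = hkdf_sha256(body.encode(), salt=account_id.encode(), info=version.encode())
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))

def key_check(muk):
    """Server-side verifier for a key (stand-in for the encrypted vault): an HMAC tag, not the key."""
    return hmac.new(muk, b"vault-key-check", hashlib.sha256).digest()

def offline_guess(stored_check, candidates, email, account_salt, secret_key=None, iterations=ITERATIONS):
    """Attacker model: vault data + email + salt from a server breach, with or without the Secret Key."""
    for guess in candidates:
        # without the Secret Key the attacker can only try a value of their own; that space is 2^128
        sk = secret_key if secret_key is not None else "A3" + "000000" + "A" * 26
        if hmac.compare_digest(key_check(master_unlock_key(guess, sk, email, account_salt, iterations)), stored_check):
            return guess
    return None

def demo(iterations=ITERATIONS):
    """Constructed account: the correct password is in the guess list; only the Secret Key holder finds it."""
    email, account_salt = "alice@example.org", os.urandom(16)
    sk = new_secret_key("ABC123")
    stored_check = key_check(master_unlock_key("correct horse battery", sk, email, account_salt, iterations))
    candidates = ["password123", "correct horse battery", "hunter2"]
    return {"without_secret_key": offline_guess(stored_check, candidates, email, account_salt, None, iterations),
            "with_secret_key": offline_guess(stored_check, candidates, email, account_salt, sk, iterations)}
```

The guess loop with the Secret Key is the case that matters for phishing and for a lost Emergency Kit: once an attacker has both the Secret Key and the vault, the 650,000 PBKDF2 iterations are the only thing slowing a dictionary attack, which is why the account password still has to be strong.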
Platform Coverage
| Platform | Application | Auto-fill support |
|---|---|---|
| Chrome | Extension | Yes |
| Firefox | Extension | Yes |
| Safari | Extension | Yes |
| Edge | Extension | Yes |
| Windows | Desktop app | Yes (system-wide) |
| macOS | Desktop app + Safari extension | Yes (system-wide) |
| Linux | Desktop app | Yes (limited) |
| iOS | Native app | Yes (system autofill) |
| Android | Native app | Yes (Autofill Framework) |
| CLI | 1Password CLI | Scriptable access |
Enterprise Features
| Feature | Capability |
|---|---|
| SSO integration | SAML 2.0, OIDC with major IdPs |
| SCIM provisioning | Automatic user lifecycle |
| Custom groups | Flexible team structures |
| Vault policies | Password requirements, sharing rules |
| Audit logging | Comprehensive activity logs |
| SIEM integration | Event streaming available |
| Reports | Access reports, security scores |
| Admin console | Centralised management |
Unique Features
| Feature | Description | Benefit |
|---|---|---|
| Travel Mode | Hide designated vaults | Border crossing protection |
| Watchtower | Breach monitoring, weak password detection | Proactive security |
| Secret Key | Two-factor encryption (not just auth) | Defence in depth |
| SSH Agent | Native SSH key management | Developer workflow |
| Passkey support | Store and use passkeys | Future-proof authentication |
Strengths
- User experience: Widely praised interface design
- Two-secret model: Unique defence against server compromise
- Feature completeness: Full enterprise feature set
- Cross-platform excellence: Consistent experience across all platforms
- Travel Mode: Unique capability for border crossing
- Active development: Continuous feature releases
- Security investment: Regular audits, bug bounty, dedicated security team
- Nonprofit discount: 50% off for qualifying organisations
Limitations
- Cloud-only: No self-hosted option; must trust 1Password
- Canadian company, US hosting by default: Data is hosted on AWS in the US unless a Canada or EU region is chosen for a business account; in every case it sits within Five Eyes jurisdictions
- Cost: Premium pricing compared to open-source alternatives
- No Linux first-class: Desktop experience less polished than macOS/Windows
- Secret Key UX: Users must securely store Emergency Kit
- Vendor lock-in: Limited export options (though improving)
Suitability Assessment
| Context | Suitability | Rationale |
|---|---|---|
| Single IT person | Medium | Cost may be prohibitive for personal/small use |
| Small IT team | High | Teams plan offers good value |
| Established IT function | Excellent | Full enterprise features, excellent UX reduces support |
| Data sovereignty requirement | Low | Cloud-only; no self-host |
| High-compliance environment | Medium | SOC 2, ISO 27001 but no FedRAMP |
| Technical users | High | CLI, SSH agent, passkeys |
| Non-technical users | Excellent | Best-in-class usability |
Documentation Quality
| Resource | Quality | Notes |
|---|---|---|
| Security whitepaper | Excellent | Detailed cryptographic documentation |
| User guide | Excellent | Comprehensive, well-organised |
| Admin documentation | Excellent | Clear enterprise guidance |
| API documentation | Good | Developer-focused |
| Blog | Good | Regular security and feature updates |
Key documentation links:
- Security whitepaper: 1password.com/files/1password-white-paper.pdf
- Support: support.1password.com
- Security: 1password.com/security
Dashlane
Classification: Commercial password manager with consumer and business offerings
Version assessed: Continuous release (H1 2025 release notes)
Website: dashlane.com
Overview
Dashlane targets both consumers and businesses with a polished user experience and strong security foundation. The platform differentiates through features like built-in VPN (Premium plans) and passwordless authentication options. Recent development has focused on enterprise features including secure enclave SSO using AWS Nitro.
Dashlane’s security whitepaper (v2.7.0, January 2025) provides exceptional transparency about their cryptographic implementation, documenting 41 pages of security architecture detail.
Technical Architecture
Figure 7: Dashlane architecture showing Argon2d and passwordless options. Components recovered from the diagram:
- User device: Dashlane client with Argon2d KDF (3 iterations, 32 MB memory), AES-256-CBC with HMAC, and the passwordless option (243-bit machine-generated password)
- Dashlane service (AWS): authentication service (DeviceKey auth); encrypted vault storage; SSO connector (Nitro Enclave or self-hosted)
Encryption Model
Dashlane uses Argon2d for key derivation with specific parameters:
| Component | Specification |
|---|---|
| Vault encryption | AES-256-CBC with HMAC authentication |
| Key derivation | Argon2d (3 iterations, 32,768 KB memory, 2 parallelism) |
| Master password validation | zxcvbn library (score ≥3 required, 10^8 - 10^10 guesses) |
| Device authentication | 40-byte DeviceKey (OpenSSL RAND_bytes) |
| Sharing | RSA-2048 public/private keys + AES-256 ObjectKeys |
| Passwordless | 40-character machine-generated password (~243 bits entropy) |
Passwordless authentication:
Dashlane offers true passwordless accounts where:
- Machine-Generated Password (MGP) replaces master password
- 40-character string with ~243 bits of entropy
- Device-bound; recovery requires Account Recovery Key or admin assistance
- Eliminates master password as attack vector
SSO architecture options:
| Option | Implementation | Key management |
|---|---|---|
| Self-hosted connector | On-premises connector | XOR of two 64-byte keys (user + connector) |
| Dashlane-hosted | AWS Nitro Enclave | Secure enclave with attestation |
| Confidential computing | Nitro encryption | Keys never accessible to Dashlane |
Platform Support
| Platform | Application | Notes |
|---|---|---|
| Chrome | Extension | Primary platform |
| Firefox | Extension | Full feature parity |
| Safari | Extension | Full feature parity |
| Edge | Extension | Full feature parity |
| Windows | Desktop app | Full features |
| macOS | Desktop app | Full features |
| Linux | No native app | Web vault only |
| iOS | Native app | Full features |
| Android | Native app | Full features |
| CLI | Available | For automation |
| Web | vault.dashlane.com | Full access |
Business Features
| Feature | Capability |
|---|---|
| SSO integration | SAML 2.0, self-hosted or Dashlane-hosted connector |
| SCIM provisioning | Automatic user lifecycle |
| Groups and collections | Team organisation |
| Policies | Password requirements, sharing restrictions |
| Audit logs | Activity tracking |
| Admin console | Centralised management |
| Account recovery | Admin-assisted recovery for business |
| Dark web monitoring | Credential exposure alerts |
Unique Features
| Feature | Description | Benefit |
|---|---|---|
| VPN | Built-in VPN service | Additional privacy (Premium plans) |
| Passwordless | Machine-generated passwords | Eliminate master password risk |
| Nitro Enclave SSO | AWS confidential computing | True zero-knowledge SSO |
| Password Changer | Automated password rotation (limited sites) | Convenience |
Strengths
- Excellent documentation: 41-page security whitepaper with full cryptographic detail
- Argon2 by default: Modern KDF without user configuration
- Passwordless option: Innovative approach to eliminate master password
- Nitro Enclave SSO: True zero-knowledge enterprise SSO
- Cross-platform: Strong mobile and desktop experience
- VPN included: Additional value in premium tiers
- Nonprofit programme: Discounts available
Limitations
- No Linux desktop: Relies on web vault and browser extension
- No self-host: Cloud-only deployment
- US jurisdiction: Subject to US legal processes
- Higher cost: Premium pricing tier
- Limited file storage: Attachments limited in size
- SSO complexity: Connector deployment for self-hosted option
Suitability Assessment
| Context | Suitability | Rationale |
|---|---|---|
| Single IT person | Medium | Consumer tier works but cost may be high |
| Small IT team | High | Business tier provides good value |
| Established IT function | High | Enterprise features, excellent documentation |
| Data sovereignty requirement | Low | Cloud-only; US jurisdiction |
| High-compliance environment | Medium | SOC 2, PCI-DSS but no FedRAMP |
| Technical users | Medium | No Linux desktop; good CLI |
| Non-technical users | Excellent | Strong UX, VPN simplifies security |
Documentation Quality
| Resource | Quality | Notes |
|---|---|---|
| Security whitepaper | Excellent | Most detailed of any vendor (41 pages) |
| User guide | Good | Comprehensive help centre |
| Admin documentation | Good | Business setup covered |
| API documentation | Good | Developer documentation available |
| Open source | Partial | Mobile apps, extension on GitHub |
Key documentation links:
- Security whitepaper: dashlane.com/download/whitepaper-en.pdf
- Support: support.dashlane.com
- GitHub: github.com/Dashlane
Keeper
Classification: Commercial password manager with enterprise and government focus
Version assessed: Vault 17.4.1, Browser 17.5 (January 2026)
Website: keepersecurity.com
Overview
Keeper positions itself for enterprise and government markets, achieving FedRAMP High authorisation (December 2025) and FIPS 140-3 compliance. The platform extends beyond password management into privileged access management (KeeperPAM), secrets management, and connection management.
Recent development (2025) introduced Keeper Forcefield, an anti-infostealer technology that protects credentials even if a device is compromised by malware.
Technical Architecture
Figure 8: Keeper architecture showing key hierarchy and GovCloud option. Components recovered from the diagram:
- User device: Keeper client with PBKDF2 (1,000,000 iterations), AES-256-GCM per-record encryption, the key hierarchy (record keys wrapped by the data key, which is wrapped by the master password key), and ECC-256 device keys for passwordless SSO
- Keeper cloud (AWS, multi-region): authentication service (PBKDF2 auth token); encrypted records (per-record keys); KeeperPAM (privileged access management); GovCloud option (FedRAMP High)
Encryption Model
Keeper uses a hierarchical key structure:
| Layer | Algorithm | Purpose |
|---|---|---|
| Record keys | AES-256-GCM | Encrypt individual records |
| Folder keys | AES-256-GCM | Encrypt folder structure |
| Data key | AES-256-GCM | Wrap record and folder keys |
| Master password key | PBKDF2 (1,000,000 iterations) | Derive from password |
| Authentication | PBKDF2 (1,000,000) + HMAC-SHA256 | Separate from encryption |
| Transmission | AES-256 + TLS | Additional layer during transit |
| SSO | ECC-256 (secp256r1) | Passwordless device keys |
Key derivation detail:

```text
# Encryption key derivation
Salt:       128-bit random
Iterations: 1,000,000
Algorithm:  PBKDF2-HMAC-SHA256
Output:     256-bit Master Password Key

# Authentication key (separate derivation)
Iterations: 1,000,000
Algorithm:  PBKDF2-HMAC-SHA256
Then:       HMAC-SHA256 to produce the authentication token
```

SSO without master password:
When SSO is configured, Keeper uses ECC-256 device keys instead of master password:
- Eliminates master password attack vector entirely
- Device key stored in secure hardware where available
- Key rotation managed by administrator
Compliance Certifications
Keeper has the strongest compliance portfolio among assessed solutions:
| Certification | Status | Date |
|---|---|---|
| SOC 2 Type II | Certified | Current |
| SOC 3 | Certified | June 2025 |
| FedRAMP High | Authorised | December 2025 |
| GovRAMP | Authorised | Current |
| FIPS 140-3 | Certified | Current |
| ISO 27001 | Certified | Current |
| ISO 27017 | Certified | Current |
| ISO 27018 | Certified | Current |
| PCI DSS | Compliant | Current |
Platform Support
| Platform | Application | Notes |
|---|---|---|
| Chrome | Extension | Full features |
| Firefox | Extension | Full features |
| Safari | Extension | Full features |
| Edge | Extension | Full features |
| Windows | Desktop app | Full features |
| macOS | Desktop app | Full features |
| Linux | Desktop app | Full features |
| iOS | Native app | Full features |
| Android | Native app | Full features |
| CLI | Commander CLI | Scripting and automation |
| Web | keepersecurity.com/vault | Full access |
Enterprise and Government Features
| Feature | Capability |
|---|---|
| SSO integration | SAML 2.0, OIDC, passwordless SSO |
| SCIM provisioning | Automatic user lifecycle |
| KeeperPAM | Privileged access management |
| Secrets Manager | Machine secrets management |
| Connection Manager | Secure remote access |
| BreachWatch | Dark web monitoring |
| Advanced reporting | Compliance and security reports |
| GovCloud | FedRAMP High environment |
| Event logging | Detailed audit trails |
| SIEM integration | Event streaming |
Unique Features
| Feature | Description | Benefit |
|---|---|---|
| FedRAMP High | US government authorisation | Required for federal contracts |
| Keeper Forcefield | Anti-infostealer technology | Malware protection |
| KeeperPAM | Integrated PAM solution | Single platform for passwords and privileged access |
| Password rotation | Automated credential rotation | Reduce credential age |
| Secrets Manager | Machine-to-machine secrets | Developer workflow |
Strengths
- Compliance leadership: Only solution with FedRAMP High in this assessment
- Government ready: GovCloud, FIPS 140-3, extensive certifications
- Enterprise depth: PAM, secrets management, connection management
- Security features: Forcefield anti-malware, BreachWatch
- Linux support: Full desktop application
- High iteration KDF: 1,000,000 PBKDF2 iterations
- Nonprofit programme: Discounts available
Limitations
- No self-host: Cloud-only deployment
- US jurisdiction: Subject to US legal processes (though GovCloud option)
- Complexity: Many products can be confusing
- Premium pricing: Enterprise-focused pricing
- Limited FOSS visibility: Closed source
Suitability Assessment
| Context | Suitability | Rationale |
|---|---|---|
| Single IT person | Low | Enterprise pricing and features |
| Small IT team | Medium | May be overspecified |
| Established IT function | High | Full enterprise features |
| Data sovereignty requirement | Low | Cloud-only; US company |
| High-compliance environment | Excellent | FedRAMP High, FIPS 140-3 |
| Government organisation | Excellent | GovCloud option |
| Technical users | High | CLI, Secrets Manager, PAM |
| Non-technical users | High | Good UX despite enterprise focus |
Documentation Quality
| Resource | Quality | Notes |
|---|---|---|
| Encryption documentation | Excellent | Detailed model documentation |
| Admin documentation | Excellent | Comprehensive enterprise guidance |
| Compliance documentation | Excellent | Audit reports and certifications |
| API documentation | Good | REST API reference |
| User documentation | Good | Help centre coverage |
Key documentation links:
- Encryption model: docs.keeper.io/enterprise-guide/keeper-encryption-model
- Security and compliance: keepersecurity.com/security
- Documentation: docs.keeper.io
Implementation Considerations
Deployment Decision Framework
Figure 9: Decision framework for password manager selection. Decision tree recovered from the diagram:
- Data sovereignty required: yes
  - Local only (air-gapped): KeePassXC
  - Self-hosted (on-prem): Bitwarden or Passbolt
- Data sovereignty required: no
  - Enterprise compliance, FedRAMP required: Keeper GovCloud
  - Enterprise compliance, FedRAMP not required: 1Password, Dashlane or Keeper
  - SMB / cloud: Bitwarden (cloud) or 1Password
Migration Planning
When transitioning between password managers:
| Phase | Activities | Duration |
|---|---|---|
| Assessment | Export current credentials; identify sharing patterns; document custom fields | 1-2 weeks |
| Pilot | Deploy new solution to IT team; validate import; test critical workflows | 2-4 weeks |
| Staged rollout | Department by department; training; support capacity | 4-12 weeks |
| Coexistence | Run both systems; gradual migration of credentials | 2-4 weeks per department |
| Decommission | Verify complete migration; revoke old system access; secure disposal | 1-2 weeks |
Import format compatibility:
| From | To Bitwarden | To Passbolt | To 1Password | To Dashlane | To Keeper |
|---|---|---|---|---|---|
| Bitwarden | N/A | Yes (JSON) | Yes | Yes | Yes |
| Passbolt | Yes (CSV) | N/A | Yes (CSV) | Yes (CSV) | Yes (CSV) |
| KeePassXC | Yes (KeePass 2 XML export) | Yes (CSV) | Yes (KDBX) | Yes (KDBX) | Yes (CSV) |
| 1Password | Yes (1PIF) | Yes (CSV) | N/A | Yes | Yes |
| Dashlane | Yes | Yes (CSV) | Yes | N/A | Yes |
| Keeper | Yes | Yes (CSV) | Yes | Yes | N/A |
| LastPass | Yes | Yes (CSV) | Yes | Yes | Yes |
| Chrome | Yes | Yes (CSV) | Yes | Yes | Yes |
Organisational Context Recommendations
For organisations with limited IT capacity
Recommended: Bitwarden (cloud) or 1Password
Rationale:
- Minimal operational overhead
- Good free/nonprofit tiers
- Intuitive user experience reduces support burden
- No infrastructure to manage
Implementation approach:
- Start with browser extension deployment
- Import from browser password storage
- Enable MFA for all users
- Implement shared collections for team credentials
- Document emergency access procedures
For organisations with data sovereignty requirements
Recommended: KeePassXC (local) or Bitwarden/Passbolt (self-hosted)
Rationale:
- Complete control over data location
- No third-party access
- Audit trail under organisational control
Implementation approach:
- KeePassXC: Establish secure sync mechanism (Syncthing recommended)
- Self-hosted: Deploy on organisational infrastructure
- Document backup and recovery procedures
- Consider key file distribution for additional security
For high-compliance environments
Recommended: Keeper (especially for FedRAMP) or 1Password
Rationale:
- Comprehensive compliance certifications
- Audit-ready documentation
- Enterprise policy controls
Implementation approach:
- Review compliance requirements against vendor certifications
- Configure policies to meet control requirements
- Enable comprehensive audit logging
- Integrate with SIEM for monitoring
- Document evidence collection procedures
For technical teams
Recommended: Bitwarden or KeePassXC
Rationale:
- Open source transparency
- CLI tools for automation
- Self-host option for control
- SSH key management
Implementation approach:
- Deploy CLI alongside GUI applications
- Integrate with development workflows
- Configure SSH agent (where supported)
- Establish secrets management practices for CI/CD
Procurement Checklist
Pre-Procurement
| Item | Questions to answer |
|---|---|
| Requirements | What credentials need management? Who needs access? What sharing patterns exist? |
| Constraints | Data sovereignty requirements? Compliance mandates? Budget limitations? |
| Scale | Number of users? Growth projections? |
| Integration | Identity provider in use? SIEM deployed? Browser standards? |
| Existing tools | Current password storage methods? Migration scope? |
Vendor Evaluation
| Criterion | Weight | Evaluation method |
|---|---|---|
| Security architecture | High | Whitepaper review; third-party audit reports |
| Feature fit | High | Requirements mapping; hands-on trial |
| Platform coverage | Medium | Test on required browsers, devices, OS |
| Administration | Medium | Console walkthrough; policy configuration |
| Migration path | High | Import testing with current data |
| Support model | Medium | Support channel testing; SLA review |
| Cost structure | Medium | Total cost calculation including growth |
| Exit strategy | High | Export testing; contract review |
Trial Period Evaluation
| Week | Focus area | Deliverables |
|---|---|---|
| 1 | Setup and import | Working instance; imported data; basic configuration |
| 2 | Daily use | Auto-fill testing; mobile experience; browser coverage |
| 3 | Administration | Policy configuration; user management; SSO testing |
| 4 | Advanced features | Sharing workflows; emergency access; reporting |
Contract Considerations
| Term | Why it matters |
|---|---|
| Data processing agreement | Required for GDPR compliance |
| Data export rights | Ensure you can leave |
| Uptime SLA | Business continuity |
| Security notification | Breach awareness |
| Audit rights | Compliance verification |
| Price protection | Budget predictability |
| Termination assistance | Smooth exit |
See Also
Identity and Access Management - IAM platforms for SSO integration
Security and Monitoring - SIEM for audit log integration
Access Control Standard - Password policies and requirements
User Onboarding - Credential provisioning procedures
User Offboarding - Credential revocation procedures
Incident Response Framework - Credential breach response