Three open-source password managers that respect your privacy

Share this page

Passwords are designed to protect one thing: your online security. Weak passwords pose a serious threat to your online security — once a hacker gains access to your online accounts, they can impersonate you online, steal your financial data, or sell your private information to hostile third parties. 

Strong passwords are the first line of defense against unauthorized access to your online accounts, and by extension, your personal data. 

Sometimes, even if your password is strong, it can be compromised through no fault of your own (such as in the event of a massive data breach). This is why top security researchers recommend using different passwords for different sites, so if one of your accounts is compromised, your personal information in other accounts remains safe. 

However, juggling lengthy and complex passwords for different accounts is impractical without some help. A password manager eliminates this problem by remembering your passwords for you. 

In this article, we look at how password managers work, the factors to consider when choosing one, and recommend three password managers that respect your privacy. 

How a password manager works

A password manager is a program that generates and stores login credentials associated with online accounts. When you first create an online account, a password manager will prompt you to enter a strong and unique password or generate one for you. Once you’ve created the password, the password manager saves the entry in an encrypted vault and allows you to sign in to the same account in the future without hassle. 

Instead of memorizing numerous passwords, you only have to remember one: a master password that enables you to sign in to your password manager. A password manager makes it easy to practice good security hygiene without compromising your online privacy. 

Most password managers also have an autofill feature that automatically selects the relevant password based on the website you are visiting. If you try to log in to an existing account and your password manager does not autofill your login credentials, you may be visiting a spoofed website. Password managers safeguard your security by ensuring that you do not give out your login credentials to malicious websites. 

How to choose a password manager

You can significantly bolster the security of your passwords and online information by investing in a good password manager that puts your privacy and security first. Here are some factors to consider when picking a password manager: 

End-to-end encryption

Since the primary purpose of a password manager is to keep your passwords and login credentials safe, it has to be built with robust encryption protocols. End-to-end encryption (E2EE) is a powerful method of encrypting data so that only the intended recipient — in this case, you — can decrypt it with the master password. 

E2EE is especially crucial in password managers that employ cloud services to sync information across different platforms and devices. Since your passwords are stored in the cloud, they are exposed to the possibility of hacks and data breaches. However, if they are end-to-end encrypted, nobody can decrypt them unless they also have access to your master password. This means that your encrypted passwords remain safe even if your password manager’s cloud service suffers a data breach. 

Password managers use several encryption techniques to secure your data. Two of the most common are:


AES-256 is a block cipher that employs symmetric key exchange, meaning the same key is used to encrypt and decrypt your data. With a key length of 256 bits, AES-256 is virtually impenetrable. Using brute force methods, it would take a computer billions of years to break the encryption.

AES was chosen as the winner after being submitted as an entry to a worldwide cipher competition hosted by the National Institute of Standards and Technology (NIST) in 1997. Today, it is the cipher of choice for government and commercial use.


Similar to AES, Twofish is an encryption standard invented by cryptography expert Bruce Schneier and uses symmetric key exchange. Twofish was selected as one of five finalists in the 1997 NIST competition but has received less scrutiny since. 


A hash function is an algorithm that maps any amount of data into a string of letters and numbers of a fixed length. Hashing is a type of one-way encryption that is almost impossible to break. 

However, hashing works in a consistent way (e.g., the word “Hello” will always correspond to a hash made up of the same combination of numbers and letters). Most password managers don’t store your master password but a hash of it. Every time you log in, it hashes the password you enter and compares it to the hash it has on file. If they match, you can log in. SHA-256 is currently the most popular secure hashing algorithm. 


While hashing is extremely difficult to break, it can be done given enough time and computing power. However, password managers can “salt” your password, a process used to add a random piece of data to your password to prevent rainbow attacks

To salt a password, password managers use a cryptographic method known as a key derivation function. A key derivation function consists of a salt (a random piece of data) and iteration counts (the number of rounds needed to hash a password). 

Key derivation functions are designed to intentionally take up computational resources to increase the length of time needed to crack a password. The higher the iteration counts, the longer it takes to complete a hashing operation. As such, key derivation functions with high iteration counts effectively mitigate against brute-force attacks.

Key derivation functions also ensure that each password has a unique hash value, even if two passwords are exactly the same. For example, if you choose the same password as someone else, both of you would end up with the same hash. However, if your password manager salts your password, it adds a different random piece of data to each password, creating two distinct and unique hashes. 

PBKDF2, AES-KDF, and Argon2 are popular key derivation functions. 

Open source

Password managers that are open source promote trust and transparency. They enable you to inspect the source code and ensure that the security features are implemented correctly. Since open-source software is collaborative, any security expert can submit bug fixes, helping solve vulnerabilities faster. Open-source software has also been shown to be more secure than proprietary software.

Password generator

A password generator saves you the trouble of having to come up with a strong and unique password yourself. Most password managers come equipped with a generator that will automatically create a strong password for you.

Two-factor authentication

Two-factor authentication (2FA) provides an additional layer of security by requiring a second round of verification before you can access your password manager. 2FA is usually implemented on a mobile device, most commonly through an authenticator app. If your master password is compromised, it is unlikely for a hacker to gain access to your passwords unless they also have the second piece of information (i.e., physical access to your mobile) needed to complete the 2FA process. 


The password manager you choose can have a significant impact on your online security. You can protect the integrity of your passwords by using one of the following recommendations, which are all open source and end-to-end encrypted. 



  • Free
  • E2EE: AES-256 or Twofish (Additional options available via plugins)
  • Password hash: SHA-256
  • Password salt: AES-KDF, Argon2 (Iteration counts can be configured) 
  • Available on: Windows (unofficial versions for Linux, macOS, Android, and iOS)
  • Complete database encryption 
  • Available on major platforms
  • Two-factor authentication
  • Customizable password generator


  • Outdated user interface
  • Can be tricky to set up
  • Browser integration only available through plugins

KeePass is a lightweight password manager that boasts a customizable, built-in password generator. Unlike other password managers, KeePass encrypts not only your passwords but also your usernames, URLs, and notes in a database. The database can then be protected with a combination of your master password and an encrypted key file. 

Even though KeePass is a standalone app and does not rely on third-party hosting services, encrypted key files can still be shared across devices using file-sharing apps and cloud services, such as Dropbox. This ensures continual access to your passwords even if you are signing in from another device. 



  • Free plan available
  • Open source
  • E2EE: AES-256
  • Password hash: SHA-256
  • Password hash: PBKDF2 (100,001 iterations on client-side, 100,000 iterations on server-side. Client-side iteration count can be configured.)
  • Available on: Windows, macOS, Linux, iOS, Android, and as a browser plugin
  • Self-hosting option
  • Easy-to-use desktop and mobile apps
  • Cross-platform synchronization
  • Two-factor authentication
  • Password generator


  • Autofill feature requires improvement

Bitwarden is a password manager that encrypts your data and stores it on the Bitwarden cloud by default. However, if you want to retain more technical control, a self-hosting option is available.

Similar to KeePass, Bitwarden offers a free tier that includes a customizable password generator and unlimited vault entries. For an annual subscription of $10, you can attach up to 1 GB of encrypted files, generate vault health reports, and receive additional 2FA options with YubiKey, U2F, and Duo. Besides personal plans, Bitwarden also offers team plans targeted at businesses and enterprises. 



  • Open source
  • Free plan available
  • E2EE: AES-256
  • Password hash: SHA-256
  • Password salt: PBKDF2 (Iteration counts can be configured)
  • Available on: Windows, Mac, Linux, iOS, and Android 
  • Ability to store attachments
  • Passwords sharing
  • Browser extensions on Google Chrome and Firefox
  • Easy-to-use apps on major platforms
  • Password generator


  • Two-factor authentication only available on paid plans

Though a newcomer to the industry, Padloc is an intuitive password manager built on the premise of simplicity and usability. While Padloc features a free plan that can store up to 50 items and connect up to two devices, the Premium plan unlocks advanced features such as 2FA and 1 GB of encrypted file storage. 

Padloc also offers browser extensions for Chrome and Firefox that allow you to access and manage your passwords directly from your browser. It automatically finds relevant entries based on the website you are visiting. Nonetheless, Padloc does not offer 2FA unless you pay for the Premium plan.

While there are many password management solutions on the market, these three open-source password managers can be trusted to keep your passwords safe by providing true end-to-end encryption. Combined with 2FA, they drastically reduce the possibility of anyone gaining access to your passwords and online accounts. If you wish to further protect your online privacy and security, you can also sign up for a free Proton Mail account.


What is the most secure way to keep passwords?

The most secure way to keep passwords is to use a password manager that uses end-to-end encryption. End-to-end encryption secures your data in a way that ensures nobody else can access your passwords except you. 

As an added bonus, it is also worth picking a password manager that is open source and supports two-factor authentication. Open-source software is fully transparent and allows independent reviewers to verify the integrity of the code. At the same time, two-factor authentication provides an added boost of security by requiring a second form of identification. 

Is it safe to use a password manager?

While password managers that rely on third-party hosting services can be breached, this should not pose a problem if the data is end-to-end encrypted. This means that even if a hacker gained access to your passwords, they would not be able to decrypt them unless they also knew your master password. This makes end-to-end encrypted password managers safe to use. 

Password managers that are self-hosted are also extremely safe since you retain full control of your servers and security protocols. 

Should I store my passwords in my web browser?

Most web browsers come equipped with a password management feature, though they are by no means secure. Passwords stored in a web browser are not encrypted and can be read by anyone who has access to your laptop. 

Instead of using your web browser to store your passwords, opt for an end-to-end encrypted password manager. End-to-end password managers offer a high level of security while still prioritizing ease of use and convenience. 

Feel free to share your feedback and questions with us via our official social media channels on Twitter and Reddit.

Join the Proton ecosystem
Create a free account

Share this page

Related articles

Over 300 billion emails are sent and received daily around the world, making it one of the most popular forms of communication. However, most modern email providers, such as Gmail or Outlook, do not adequately protect your emails.  Gmail stopped rea
Your calendar is more than just a planning tool — it’s a record of your life. It lists what you’ve done, where you’ve been, and who you’ve met. This information deserves the same level of protection as your email and files, which is why we created Pr
Everyone has files that need to be encrypted. From intimate personal details to legal and financial documents, your files contain information that should be private and secure. But many internet services we all use every day are not private. Compani
For years, Apple watched Google and Meta make billions by collecting every scrap of people’s data to target them with ads. Now it appears it was just taking notes. Apple’s advertising operation follows the surveillance capitalism model of its rivals
When we launched Proton Drive two months ago, we wanted to create a truly private and secure cloud storage service. An encrypted cloud that allows anyone on the internet to safely store, access, and share their files without worrying about unauthoriz
From our initial crowdfunding campaign to the recent launch of our encrypted cloud storage service Proton Drive, Proton has always been supported by the community. Your feedback tells us what new features to develop and which we should improve.  For