Password Manager Research Program
Lead analyst: Sarah Chen ยทHow we evaluate password managers: the security architecture review, the evidence we collect, and the rubric behind every score.
Research program 10+ products tracked Quarterly cycle
What this program covers
This program evaluates consumer and family password managers. Because the category handles primary authentication secrets, we weight security architecture and audit transparency above convenience or UI polish.
Scoring rubric
| Dimension | Weight | What we measure |
|---|---|---|
| Security Architecture | 30% | Encryption algorithm and key derivation, zero-knowledge claim verification, secret key or passphrase design, server-side data exposure, and the published threat model. |
| Audit & Transparency | 20% | Independent security audits in the last 24 months, bug-bounty scope, incident disclosure history, open-source posture, and clarity of privacy policy. |
| Authentication Coverage | 15% | Passkey support, 2FA method breadth (TOTP, WebAuthn, hardware keys), recovery without knowledge of master password, and emergency access. |
| Sharing & Recovery | 15% | Family or team sharing controls, secure item types, device sync reliability, export formats, and disaster recovery options. |
| Usability & Platform Fit | 10% | Browser autofill accuracy, mobile app quality, cross-platform parity, and onboarding flow for non-technical users. |
| Value & Transparency | 10% | Free tier usefulness, family plan pricing, renewal behavior, and clarity of cancellation. |
Evidence we collect
- Security whitepapers and threat models published by the vendor, cross-checked against current app behavior.
- Independent audit reports from recognized firms, with retrieval dates and scope noted.
- Breach and incident history, including vendor post-mortems and third-party reporting where relevant.
- Hands-on authentication tests โ account creation, passkey add flows, TOTP and WebAuthn setup, cross-device sync, and recovery simulation.
- Pricing and renewal evidence โ captures of free-tier limits, family plan terms, and cancellation flow screenshots.
Products in this program
See the current ranked comparison โ
Update cadence
Quarterly re-evaluation. Immediate updates are triggered by a disclosed breach, a new independent audit, a significant change to the encryption or recovery model, or a material pricing change.
How this category scores changed recently
- Raised weight on passkey coverage as the category standardized on WebAuthn-based sign-in.
- Added explicit evaluation of account recovery without master password knowledge to reflect real-world loss scenarios.
- Expanded breach-history disclosures on each product page to show incident dates and vendor responses.