Best Open Source Password Managers in 2026

TL;DR

1Password charges $3–8/user/month and LastPass has a troubled security history (two major breaches in 2022). Vaultwarden is the best self-hosted password manager — it's a lightweight Bitwarden-compatible server that gives every team member access to all Bitwarden premium features for the cost of a VPS. KeePassXC wins for users who want a zero-server, local-only solution. Passbolt is the right choice for enterprise teams that need GPG-based sharing with LDAP integration.

Key Takeaways

Vaultwarden (GPL-3.0, 39K+ stars) runs on 50 MB RAM and unlocks all Bitwarden premium features (TOTP, WebAuthn, organizations) for free
KeePassXC (GPL-2.0, 20K+ stars) stores credentials in an encrypted local file — no server, no sync, no attack surface
Passbolt (AGPL-3.0, 4.5K+ stars) uses GPG for end-to-end encrypted team password sharing with full audit logs
Bitwarden (cloud, AGPL-3.0) remains the best option for teams that want managed hosting without self-hosting complexity
LastPass's 2022 breach exposed encrypted vaults — understanding vault architecture matters when choosing a provider
Self-hosting Vaultwarden costs $54–72/year vs $360–480/year for 1Password Teams at 10 users

Why Password Manager Security Architecture Matters

The LastPass breach of 2022 is the case study every password manager comparison should reference. The attackers obtained encrypted vaults, metadata, and the encrypted master password derivation. Users who had short or weak master passwords were at risk of having their vaults decrypted offline.

The security lesson: the primary attack vector for cloud-based password managers isn't the encryption algorithm — it's the exposure of encrypted vault data. Once an attacker has your encrypted vault, they have unlimited time for offline brute force.

Self-hosted password managers don't eliminate this risk, but they dramatically change the attack surface. An attacker has to breach your specific VPS, not a service storing millions of vaults. If you run Vaultwarden with proper firewall rules (limiting access to your home IP, VPN, or internal network), the vault is not reachable from the public internet at all.

Vaultwarden — Best Self-Hosted Option

Vaultwarden is an unofficial Bitwarden server written in Rust. It implements the Bitwarden server API, which means every official Bitwarden client — iOS, Android, Chrome, Firefox, Edge, the desktop apps — connects to Vaultwarden without modification. Users download Bitwarden from the App Store and point the server URL to your Vaultwarden instance.

The premium features unlocked by Vaultwarden are the main reason teams choose it over the official Bitwarden server. Bitwarden's paid Cloud plan ($3–5/user/month) unlocks TOTP (2FA code generation), emergency access, and encrypted file attachments. Vaultwarden enables all of these features by default for every user at no additional cost.

The resource efficiency is remarkable. Vaultwarden's Docker image is under 30 MB and runs on 50 MB of RAM at idle. Compare that to the official Bitwarden server, which deploys 10+ Docker containers and requires 2+ GB RAM. A cheap $6/month VPS comfortably handles a 50-person organization.

# docker-compose.yml — complete Vaultwarden setup
services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: unless-stopped
    environment:
      - DOMAIN=https://vault.yourdomain.com
      - SIGNUPS_ALLOWED=false  # Disable public registration
      - ADMIN_TOKEN=your-admin-token  # openssl rand -base64 48
      - SMTP_HOST=smtp.yourprovider.com
      - SMTP_FROM=vault@yourdomain.com
      - SMTP_PORT=587
      - SMTP_SECURITY=starttls
      - SMTP_USERNAME=vault@yourdomain.com
      - SMTP_PASSWORD=your-smtp-password
    volumes:
      - vaultwarden_data:/data
    ports:
      - "80:80"
volumes:
  vaultwarden_data:

Hardening notes: Disable public signups (SIGNUPS_ALLOWED=false) immediately after creating your accounts. Restrict access to the admin panel by IP. Run behind a reverse proxy (Caddy or Nginx) with Let's Encrypt SSL. Enable 2FA for all accounts.

Key features:

All Bitwarden clients work without modification
TOTP/2FA code storage and generation
WebAuthn and YubiKey support
Organization password sharing
Encrypted file attachments
Emergency access
Admin panel for user management
Sends (secure encrypted sharing)
50 MB RAM footprint

KeePassXC — Best Offline-Only Solution

KeePassXC takes the opposite architectural approach from Vaultwarden: there is no server. Your credentials are stored in an encrypted .kdbx database file on your local device. The file uses AES-256 encryption with Argon2 key derivation — both are the strongest available for this use case.

No server means no network attack surface. The .kdbx file can be synced across devices using any service you already trust — Nextcloud, Syncthing, iCloud Drive, or an encrypted S3 bucket. You control the sync mechanism entirely.

KeePassXC's browser extension (available for Chrome, Firefox, and Edge) handles auto-fill for websites. The SSH agent integration is particularly useful for developers: store SSH private keys in your KeePass database and let KeePassXC load them into ssh-agent automatically when you unlock the database.

# KeePassXC is a desktop app — install via:
# macOS: brew install --cask keepassxc
# Ubuntu: sudo apt install keepassxc
# Windows: winget install KeePassXC

The sync workflow: Create a KeePassXC database, save it to a folder synced by Syncthing or Nextcloud, and open it on each device. Conflicts are rare (the .kdbx format handles simple merges) but can occur if you modify the database on multiple devices simultaneously. Most teams use a master device for writes and others for read-only access.

Key features:

Local encrypted database (no server)
AES-256 + Argon2 encryption
Browser auto-fill extension (Chrome/Firefox/Edge)
SSH agent integration
TOTP generation
Sync via any file sync service
KeePass 2 database format compatibility
Cross-platform (Windows, macOS, Linux)
Offline operation (works without internet)

Limitations: No native mobile app (though KeePassDX on Android and Strongbox on iOS open .kdbx files). Multi-user sharing requires careful sync management. There's no audit trail for organizational use.

Passbolt — Best for Enterprise Teams

Passbolt is built specifically for teams that need GPG-encrypted password sharing with organizational controls. Every user has a GPG key pair. When a password is shared with a user, it's encrypted specifically for that user's public key — even the server administrator cannot decrypt individual credentials.

This architecture provides end-to-end encryption for team password sharing that Vaultwarden's organization feature doesn't achieve by default. In Vaultwarden, organizational vault entries are encrypted with a shared key that the server can decrypt. In Passbolt, each share is encrypted individually per recipient.

Passbolt's audit log records every access, share, and modification with timestamps. For compliance requirements (SOC 2, ISO 27001), this audit trail provides evidence that credential access is controlled and monitored.

# Passbolt Community Edition Docker Compose
services:
  db:
    image: mariadb:10.11
    environment:
      MYSQL_RANDOM_ROOT_PASSWORD: "true"
      MYSQL_DATABASE: passbolt
      MYSQL_USER: passbolt
      MYSQL_PASSWORD: your-db-password
    volumes:
      - passbolt_db:/var/lib/mysql
  passbolt:
    image: passbolt/passbolt:latest-ce
    environment:
      - APP_FULL_BASE_URL=https://passbolt.yourdomain.com
      - DATASOURCES_DEFAULT_HOST=db
      - DATASOURCES_DEFAULT_PASSWORD=your-db-password
      - EMAIL_TRANSPORT_DEFAULT_HOST=smtp.yourprovider.com
    volumes:
      - gpg_volume:/etc/passbolt/gpg
      - jwt_volume:/etc/passbolt/jwt
    ports:
      - "443:443"
volumes:
  passbolt_db:
  gpg_volume:
  jwt_volume:

Passbolt has LDAP/Active Directory integration in its Pro edition, making it suitable for organizations that provision user access through directory services.

Key features:

GPG end-to-end encryption per share
Browser extension for auto-fill
Team folder sharing
Audit logs (all access events)
LDAP/AD integration (Pro)
API access for automation
Role-based access control (admin, manager, user)
Secret sharing expiration

Full Comparison

Feature	Vaultwarden	KeePassXC	Passbolt	Bitwarden Cloud
Server Required	✅	❌	✅	Managed
Min RAM	50 MB	N/A (desktop)	512 MB	Managed
E2E Encryption	Vault-level	File-level	Per-share GPG	Vault-level
Mobile Apps	✅ (Bitwarden)	Via 3rd party	✅	✅
Browser Extension	✅ (Bitwarden)	✅	✅	✅
TOTP Storage	✅	✅	✅	Paid plan
Team Sharing	✅	Manual sync	✅ (GPG)	✅
LDAP/SSO	Limited	❌	✅ Pro	Paid plan
Audit Logs	Limited	❌	✅	Paid plan
License	GPL-3.0	GPL-2.0	AGPL-3.0	AGPL-3.0

Choosing the Right Tool

Choose Vaultwarden if: You want the best balance of features, usability, and cost. Bitwarden's mobile and browser apps are excellent, and Vaultwarden unlocks all premium features for free.

Choose KeePassXC if: You want zero server infrastructure and are comfortable managing file sync yourself. Best for individual developers and small teams with high security requirements.

Choose Passbolt if: You're in a regulated environment that requires GPG-based per-user encryption, audit trails, and LDAP integration.

Choose Bitwarden Cloud if: You want professional managed hosting with SLA guarantees and don't want to manage server infrastructure.

Cost Comparison

Team Size	1Password Teams	Vaultwarden (VPS)	Annual Savings
10 users	$480/year	$72/year	$408
50 users	$2,400/year	$72/year	$2,328
100 users	$4,800/year	$144/year	$4,656

Vaultwarden's server cost doesn't scale with users — 10 users and 100 users pay the same VPS bill.

The SaaS-to-Self-Hosted Migration Guide (Free PDF)