NordPass has made a lot of progress over the past six years since its debut. Originally launched as a barebones password manager for the company to bundle alongside NordVPN, there was never much reason to use it. It lacked features, and even with a solid free plan, you could get better functionality elsewhere. Today, however, NordPass is one of the best password managers on the market.

It’s still missing some features like Time-Based One-Time Password (TOTP) storage that help options like 1Password and Proton Pass shoot ahead of the pack, and it could stand to offer more organization. But the core service of storing and autofilling your passwords is excellent, bolstered by additional features like email masking.

A Great Free Plan

NordPass has a free plan, which is great to see in a post-LastPass world. I prefer Proton Pass for free password managers, mainly due to the fact that it supports cross-device sync. But NordPass still allows you to store unlimited logins and autofill in your browser or on mobile, and you don’t need to enter a credit card to sign up.

The free plan comes with the same backbone as the paid offering, including xChaCha20 encryption and biometric authentication. It technically supports cross-device sync, too, but it’s a little strange. You can access your vault from any device, but unlocking your vault on one device will log you out on another. You can only have one device authenticated at a time.

In addition to extra convenience across devices, the Premium plan has a slew of features, including breach monitoring, a password health dashboard, support for attachment and document storage, sharing capabilities, and email masking. Email masking is one of the biggest features that drew me toward Proton Pass for my personal use—it hides your real email address—and I love that it’s here in NordPass.

Unlike most password managers, NordPass lets you purchase up to two years at a time, though it trades away a monthly option in the process. For a year, you’ll spend about $45, and for two, you’ll spend about $80. Those are renewal prices. Just like NordVPN, there are some big discounts on your initial term. You can pick up an annual plan for $21 for 15 months, or a biennial subscription for $27 for 27 months. That’s the kind of rate we see with Bitwarden, which is one of the more inexpensive options around. Unfortunately, it’s only for the initial term. Upon renewal, NordPass is more expensive than 1Password and Keeper, though it still manages to be cheaper than Dashlane.

NordPass also offers a family plan that comes complete with six accounts; otherwise, it’s identical to the personal plan. Again, you save a lot on the initial term, but the family plan renews at around $72 per year. That’s $12 more expensive than 1Password’s family plan, though a solid $13 cheaper than Keeper’s family offering.

Getting Started

For someone like me, the import process of a password manager is extremely important. I have over 600 entries across logins, credit cards, addresses, notes, and more, and the import process isn’t always as smooth as I’d like. Thankfully, NordPass doesn’t fall into common import pitfalls.

When you first open the extension, NordPass will ask you to import your passwords, and it includes instructions for browsers, including Chrome, Firefox, Safari, and Brave, and other password managers, including LastPass, 1Password, and Dashlane. I imported my passwords from Proton Pass, and NordPass successfully identified all 608 entries without any issues.

The only hurdle I ran into was a two-factor authentication (2FA) code that I had stored with Proton Pass. Unfortunately, NordPass doesn’t support storing TOTP codes, so you’ll need to use a third-party app like Google Authenticator. NordPass still alerted me about this code and suggested setting up another app—a nice touch, even if the lack of TOTP support is disappointing.

Unlike 1Password and its wide range of different entry types, NordPass is reserved. Broadly, you can store logins (including passwords and passkeys), notes, credit cards, addresses, and documents. There aren’t premade entry types for more obscure entries, like SSH keys or medical records, that are available on 1Password.

Thankfully, this doesn’t make much of a difference in practice. You can add custom fields to any entry—formats include text, hidden text, or a date—as well as add notes and attach files. This is all standard fare for most password managers, but one unique addition NordPass includes is a reminder field for documents. If you store your ID or passport in your vault, for example, you can set a reminder for when that document expires.

Rock-Solid Form-Filling

Although NordPass doesn’t come with a lot of preset entry types, that makes navigating your vault much easier. In the web app, you’ll find shortcuts for all the entry types in the left menu. Below them, you can see and organize folders, and below that, you’ll find the email masking, password health, and data breach scanner features.

For organization, you’re limited to folders and the few entry types NordPass supports, which is a shame. The folders work, but you can’t nest folders within each other—you have to stick to broad categories like “personal” and “work” without any further organization—and you can’t tag entries.

Folders do the job, but for someone like me with hundreds of entries, I hoped for more on this front. On the plus side, NordPass’s narrow organization options mean you can easily see different categories and folders in the browser extension. With the dense organization features of a service like 1Password or Proton Pass, you have to open the web app to get a grip on things.

NordPass offers desktop apps for Windows, Linux, and macOS, as well as mobile versions on Android and iOS. But you’ll probably just want to use the browser extension, at least on desktop, which is available on Chrome, Firefox, Safari, Edge, and Brave.

In Chrome, NordPass works a treat. I didn’t have any issues with autofill, and the extension didn’t throw up false negatives on fields it should fill. The only place where NordPass stumbled was in dropdowns. With credit card autofill, NordPass filled text fields without any issues, but it usually missed drop-downs for the expiration date. The same was true for some address fields, though I didn’t run into that issue as often.

You have a lot of control over how autofill works in your browser. NordPass shows up automatically in fields, but you can change the autofill behavior to only show up when you select or hover over a field. There’s also subdomain matching and auto login available, both of which you can disable, along with a list of disabled websites if you want to permanently remove autofill.

On mobile, NordPass works just as well for autofill. You always need some level of tolerance for jank with autofill in mobile browsers, but NordPass didn’t throw up any major red flags during testing. It worked well in applications, and although some fields failed to autofill in Chrome, that’s true of all mobile password managers.

A Unique Cipher

NordPass heavily markets its use of the xChaCha20 cipher for encryption, which helps it stand out among a sea of password managers that largely use AES-256. Both are symmetric ciphers, using a 256-bit key for both encryption and decryption. From that standpoint, they’re equal. xChaCha 20 is at least as secure as AES-256.

However, there’s an argument that xChaCha20 is more secure due to its better safety margins, and there are two reasons for that. First, xChaCha20 is easier to implement, leaving less room for error when it comes to key management. More importantly, in a 2019 paper, Swiss cryptographer Jean-Philippe Aumasson suggested xChaCha20 needed fewer encryption rounds than AES-256 to be secure.

AES-256 is the standard among password managers, and short of a situation like LastPass’s infamous data breach—which involved a series of errors beyond the cipher used—it has proven itself secure. xChaCha20 is at least as secure, and arguably even more.

Although the cipher used for encrypting your vault is symmetric, the authentication method is not. NordPass uses a zero-knowledge security architecture, which has been audited by security firm Cure53, so it doesn’t see or store your master password. An encryption key is derived from your master password for encryption, but for authentication purposes, only you hold the key that unlocks your vault.

NordPass gives you some additional operational security, as well. You can generate a recovery code when you’re logged in, allowing you to access your account in the event you forget your master password, and the applications include auto-lock settings and automatic clipboard clearing. The default auto-lock setting is one week—I’d prefer it to be shorter—but you can autolock as quickly as five minutes if you want.

Nord wasn’t the first to have the idea of building a password manager off of a VPN, and it certainly won’t be the last, but it has come into its own over the last few years. The generous free offering stands out, particularly for LastPass refugees who need cross-device sync without paying for a subscription.

My recommendation for a free password manager is still Proton Pass, but NordPass is a close second. My main issues come down to TOTP code support and the lack of organization options, though the latter may not be as big of a deal if you only have to manage a few dozen or even a hundred entries.