Bitwarden and Proton Pass: The Free Ones

I have tried probably five or six password managers at this point, and the question that keeps coming up every single time I talk to someone in India about password security is: why would I pay for something like this? And I get it. Paying money for something that sits in the background and fills in login forms feels weird when there are free options. So I spent a long time with the free ones, testing them properly, and I have opinions.

Bitwarden has been my default for the longest stretch. What I actually liked about it from the start was that nobody was trying to sell me anything. You install it, you make an account, and you get unlimited passwords synced across every device you own. Phone, laptop, tablet, browser, all of it. No "free for 30 days" nonsense. No popup every week telling you to upgrade. The free plan is the real product, and it does not feel crippled.

It is open-source, and that matters. The code is available for anyone to examine. Security firm Cure53 ran an independent audit on Bitwarden and published the results publicly. For people who do not know what that means in practice: a group of professional security researchers poked at every part of the software trying to find weaknesses, and then wrote a report about what they found. That level of transparency is unusual. Most password managers ask you to just trust them.

I set Bitwarden up on my parents' phones last Diwali. My father, who struggles with most apps, has not once called me for help with it. The autofill works. He taps a login field, Bitwarden offers the right credentials, he taps to fill, done. That is all he needed to know. My mother took a bit more convincing because she had a system involving a small diary, which I will get to later.

The premium tier runs about 800 rupees a year. For that you get built-in TOTP codes, which means you do not need a separate authenticator app for two-factor authentication. You also get emergency access, where a trusted person can request entry to your vault if something happens to you, and there is a waiting period before access is granted so it cannot be misused. There is support for hardware security keys like YubiKey too. I paid for the premium for one year, realised I was not using any of those features, and went back to free without any issues. No guilt trip from the app, no loss of data, nothing.

Their family plan costs around 2,700 rupees a year for six people. Each person gets their own separate vault, and you can create shared collections for things the whole household needs — the Netflix password, the Wi-Fi login for the router, that sort of thing.

One thing Bitwarden offers that almost nobody else does: self-hosting. You can run the entire Bitwarden server on your own hardware. Your data never touches their cloud. I have not done this myself because maintaining a server sounds like exactly the kind of weekend project I would start and abandon, but I know a couple of developers who run self-hosted instances and are very happy with it. If you have the technical ability and the paranoia to match, the option is there.

What annoyed me about Bitwarden? Small things. The interface looks a bit dated compared to newer tools. The mobile app, while functional, does not feel as smooth as something like 1Password. And the password generator defaults could be stronger out of the box. None of these are real problems, but they are noticeable.

Now, Proton Pass. This comes from the same Swiss company that makes ProtonMail. If you already use their email service, this fits right into your existing account. Proton Pass launched in 2023, so it is newer than most of the competition, and that shows in both good and bad ways.

The good: the free plan gives you unlimited passwords on unlimited devices, just like Bitwarden, and it throws in 10 email aliases. The alias feature is genuinely useful. When you sign up for a new website, instead of giving them your real email address, you generate a random alias through Proton Pass. If that website later gets breached or starts sending you spam, you just delete the alias. Your actual inbox stays clean. I have been using this for random food delivery apps and one-time purchases, and it works well.

The paid plan is about 1,600 rupees a year. Unlimited aliases, dark web monitoring that alerts you if your credentials show up in known breach databases, and their Proton Sentinel feature which adds extra protection for high-risk accounts. If you are already paying for ProtonMail Plus or the Proton Unlimited bundle, Pass is included, so check your existing subscription before paying separately.

What annoyed me about Proton Pass? It is still rough around the edges. The browser extension sometimes takes a beat longer than Bitwarden to pop up with suggestions. Importing passwords from other managers works but the format support is narrower. And the desktop app, while it exists, came later and still feels like it is catching up. I think within another year or two, Proton Pass will be a serious contender at the top of this list. Right now it is very good but not quite as polished.

Before I move on, a quick word about browser-based password managers. Chrome, Edge, and Safari all have built-in password saving. These are fine as a temporary measure. They will generate passwords for you, they sync across your devices if you use the same browser everywhere, and they auto-fill. What they will not do is work across different browsers and platforms smoothly. If you use Chrome on your laptop and Safari on your iPhone, your saved passwords live in two different places. A dedicated manager solves that. Browser password managers are also tied to your Google, Microsoft, or Apple account, which means the security of all your passwords depends entirely on the security of that one account. A dedicated manager adds a separate layer. So if you are currently using Chrome's built-in save, that is not terrible, but moving to Bitwarden or Proton Pass is a meaningful upgrade that takes about ten minutes.

My pick between these two: Bitwarden if you want the thing that has been around longer, has been audited more, and just works without any fuss. Proton Pass if email aliases matter to you and you are already using other Proton services. Both are free, both are good. You are not making a bad choice either way.


LastPass: The One I Would Avoid

I used LastPass for about two years. Recommended it to friends. Recommended it to family. It was the first password manager a lot of people in India ever tried, because the free plan was generous and the interface was easy. The name recognition alone carried it for years.

Then 2022 happened, and everything changed.

In August 2022, LastPass disclosed that an attacker had broken into their development environment and stolen source code. The company's initial statement was calm, almost casual. They said no customer data was affected. Lots of companies get hit. These things happen. I did not think much of it at the time.

In December, they updated their statement. Using information from that first intrusion, the same attacker had gained access to cloud storage backups containing customer vault data. Actual password vaults. Encrypted, yes, but now in the hands of someone who should not have them.

What does that mean in practice? It means that somewhere out there, someone has a copy of your password database. The encryption protects you, but only as long as your master password is strong enough to resist brute-force attacks. And here is where it gets worse. Security researcher Wladimir Palant and others dug into the details and found that older LastPass accounts used a low number of PBKDF2 iterations. PBKDF2 is the step that turns your master password into the key for your vault by hashing it over and over, and the iteration count is how many times that hashing is repeated, so a higher count makes every single guess at your master password slower for an attacker. Some accounts from years ago had as few as 5,000 iterations, when the recommended minimum at the time was 100,000. The default was raised eventually, but users who created their accounts years earlier were never migrated to the stronger setting automatically.
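To make the iteration-count point concrete, here is an added Python example. It is mine, not code from LastPass or from this post: it stretches a master password with PBKDF2-HMAC-SHA256 at different iteration counts, times one derivation on the machine it runs on, and applies the per-account check a provider should run on every existing account when it raises its default. The salt and sample password are constructed, the 100,000 minimum is the figure quoted above, and the 600,000 row is OWASP's current recommendation for PBKDF2-HMAC-SHA256, which the post itself does not mention.

```python
import hashlib
import time

# The post quotes 100,000 as the recommended minimum at the time of the breach.
RECOMMENDED_MIN_ITERATIONS = 100_000


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch a master password into a 256-bit vault key with PBKDF2-HMAC-SHA256.

    Anyone holding a stolen vault has to repeat exactly this work for every
    guess at the master password, so the iteration count sets the price of a guess.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32
    )


def seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Best-of-N wall-clock time for one derivation (constructed salt and password)."""
    salt = b"constructed-salt"                 # constructed; a real vault uses a random salt
    password = "correct horse battery staple"  # constructed sample master password
    best = float("inf")
    for _ in range(samples):
        start = time.perf_counter()
        derive_vault_key(password, salt, iterations)
        best = min(best, time.perf_counter() - start)
    return best


def relative_guess_cost(old_iterations: int, new_iterations: int) -> float:
    """PBKDF2 work is linear in the iteration count, so the cost ratio is the count ratio."""
    return new_iterations / old_iterations


def needs_rekey(account_iterations: int, minimum: int = RECOMMENDED_MIN_ITERATIONS) -> bool:
    """The per-account check that should run whenever a provider raises its default:
    any account still below the minimum needs its vault key re-derived."""
    return account_iterations < minimum


if __name__ == "__main__":
    # 600,000 is OWASP's current recommendation for PBKDF2-HMAC-SHA256 (not from the post).
    for n in (5_000, 100_000, 600_000):
        ms = seconds_per_guess(n) * 1000
        print(f"{n:>8} iterations: {ms:7.1f} ms per guess, rekey needed: {needs_rekey(n)}")
    print("100,000 vs 5,000 iterations:",
          relative_guess_cost(5_000, 100_000), "x more work per guess")
```

The timing is only meaningful relative to itself on one machine, and purpose-built cracking hardware is far faster than a laptop, which is exactly why the multiplier matters more than the absolute milliseconds: an account left at 5,000 iterations gives an attacker twenty guesses for the price of one at 100,000.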

On top of that, website URLs stored in LastPass vaults were not encrypted. Only the passwords and usernames were. So the attacker could see which websites you had accounts on, even without cracking the encryption. If someone knows you have an account at a particular bank or a particular health service, that information alone has value.

What bothered me more than the breach itself was the communication. Every update from LastPass revealed the situation was worse than the previous update had suggested. It felt like the company was managing its own reputation first and informing its users second. The security community reacted badly. Jeremi Gosney, a well-known password security expert, published a detailed breakdown calling the handling "a masterclass in how not to do incident response." Multiple security professionals publicly recommended moving away from LastPass entirely.

There is also the business model issue. In 2021, before the breach, LastPass restricted its free plan so you could only use it on one type of device. Either mobile or desktop, not both. If you wanted sync across your phone and your computer, you needed to pay about 2,800 rupees a year. For that price, you are in the same range as 1Password, which has never had a breach of this nature. Bitwarden gives you more than the old LastPass free plan used to offer, and it costs nothing.

I am not saying nobody should ever use LastPass again. The company has made changes since the breach. They raised the default iteration count, they brought in new security leadership, they hired external auditors. But trust, once broken this badly, is hard to rebuild. There are better options available for both free and paid users. I migrated away the week the December disclosure came out, and I have not looked back.

If you are still using LastPass and you are reading this, the migration is not hard. Export your vault as a CSV file from the LastPass web interface (go to Advanced Options, then Export). Import that file into Bitwarden or 1Password. Delete the CSV file from your computer immediately after, because it contains all your passwords in plain text. Empty your recycle bin too. The whole process takes about fifteen minutes. Then go change the passwords for your most sensitive accounts: your primary email, your bank, and your UPI apps. Those should be unique and strong.

The Password Notebook Argument (My Mother's Strategy)

My mother keeps her passwords in a small notebook she stores in her cupboard. I spent months trying to get her to switch to Bitwarden. She listened politely every time and then continued writing passwords in her notebook. Eventually I stopped pushing.

And you know what? Her system is not terrible.

A physical notebook cannot be hacked remotely. It cannot be part of a data breach. Nobody in Romania or North Korea is going to brute-force a diary sitting in a cupboard in Pune. The attack surface is limited to someone physically breaking into the house and knowing to look for a small blue notebook wedged between saree stacks. The threat model, for someone like my mother who does not travel much and lives in a house with family, is actually quite narrow.

The problems with notebooks are real though. If the house floods or there is a fire, the notebook is gone. If someone visits and the notebook is lying out on the desk, anyone can glance at it. There is no backup unless you photocopy every page (and then where do you keep the photocopy?). And if you have more than twenty or thirty accounts, finding the right password means flipping through pages, which gets old quickly.

My mother has maybe eight accounts total. Her email, one banking app, one UPI app, a couple of shopping sites, and a few she cannot remember what they are for. For that number, a notebook works. She writes clearly, she keeps it in the same place every time, and she knows where to find what she needs. Her risk of being involved in a credential-stuffing attack because she reused a password across forty websites is basically zero, because she does not have forty accounts.

For anyone reading this who has older family members using a similar system, my advice is: do not dismiss it outright. If the person has a small number of accounts, keeps the notebook secure, and is unlikely to adopt a digital tool willingly, a notebook is better than the alternative you fear most, which is that they use the same simple password everywhere because they cannot remember different ones. The notebook at least allows for different passwords per service.

That said, if you have more than a handful of accounts, a digital password manager is the clear choice. The auto-generation of long, random passwords alone is worth it. A notebook user will almost always write down passwords they can remember, which means shorter and simpler passwords. A manager generates things like "x7$mQ9vLp2#nWk" without blinking, and you never need to remember it because the software handles recall. Auto-fill means you do not even need to type it. And if a service you use gets breached, the manager can tell you immediately which accounts are affected, while a notebook has no way of doing that.
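Here is an added Python example of what a manager's generator does under the hood; it is not Bitwarden's or Proton Pass's code. It draws characters from the operating system's cryptographic random source, makes sure every character class is represented, and puts a number on the "long, random" part by estimating entropy in bits. The symbol set, the 20-character default and the short memorable password used for comparison are all constructed for the illustration.

```python
import math
import secrets
import string

# Character classes a generator draws from. The symbol set is a constructed choice;
# real managers let you pick which symbols a site accepts.
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"
ALL_CLASSES = (LOWER, UPPER, DIGITS, SYMBOLS)


def generate_password(length: int = 20, classes=ALL_CLASSES) -> str:
    """Draw from the CSPRNG (secrets, never random), then reject any candidate
    that misses a class, so sites demanding "at least one digit" are satisfied.
    Rejection sampling costs a sliver of entropy but keeps every kept draw uniform."""
    if length < len(classes):
        raise ValueError("length must be at least the number of character classes")
    pool = "".join(classes)
    while True:
        candidate = "".join(secrets.choice(pool) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in classes):
            return candidate


def entropy_bits(length: int, pool_size: int) -> float:
    """Entropy of a uniformly random string of this length: length * log2(pool)."""
    return length * math.log2(pool_size)


def pool_size_of(password: str) -> int:
    """Size of the smallest pool (from ALL_CLASSES) the password could come from."""
    return sum(len(cls) for cls in ALL_CLASSES if any(ch in cls for ch in password))


def estimate_bits(password: str) -> float:
    """Upper-bound entropy estimate. Accurate for generator output; for a password a
    person chose from memory it overstates, because human choices are not uniform."""
    return entropy_bits(len(password), pool_size_of(password))


if __name__ == "__main__":
    generated = generate_password()
    print("generated:", generated, f"({estimate_bits(generated):.1f} bits)")
    # The post's own sample generator output versus a constructed memorable one.
    for sample in ("x7$mQ9vLp2#nWk", "Pune2019!"):
        print(f"{sample!r:20} {len(sample):2} chars, at most {estimate_bits(sample):.1f} bits")
```

Length is what moves the number: the post's 14-character sample sits around 90 bits, while a 9-character memorable password from the same character set tops out near 58 bits even before you account for it being guessable, and bumping the generator default to 20 characters buys roughly 128 bits. That is the sense in which a generator's default length is a security setting, not a cosmetic one.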

There is a middle-ground approach I have seen a few people use. They keep a password manager for most of their accounts but write down the master password on paper stored somewhere safe. That way, even if they forget the one password that controls everything, it is recoverable. Not a bad idea, especially for people who worry about being locked out entirely if they forget the master password. Just do not store that paper next to the computer or stick it to the monitor.

I should also say a word about autofill setup, since it trips people up sometimes. On Android, after installing Bitwarden or 1Password, you need to go into your phone's settings and tell the system to use that app for autofill. The location varies: on stock Android, it is under Settings, System, Languages and Input, Autofill Service. On Samsung, it is buried under General Management, Passwords, Passkeys, and Autofill. On Xiaomi devices, it is somewhere else entirely. Once set, any time you tap a login field in any app or browser, the password manager pops up and offers to fill in the right credentials. On iOS, go to Settings, Passwords, Password Options, and enable your manager under "Allow filling from." Turn on Face ID or Touch ID for quick unlocking.

After the initial setup, the password manager mostly runs itself. When you log into a site it does not recognise, it asks if you want to save the credentials. When you create a new account somewhere, it offers to generate a strong password. Over a couple of weeks, your vault fills naturally. Then, when you have some time, go through Watchtower (in 1Password) or the vault health reports (in Bitwarden) and start replacing your weakest and most reused passwords. Prioritise your primary email account, your bank login, and whatever UPI app you use. Those three are the most dangerous to lose access to. Everything else can happen at your own pace.
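The "vault health" pass described above, and the CSV export from the LastPass migration section, can be tied together in one added Python example. This is not Bitwarden's or 1Password's report code; it reads a small export in an assumed four-column layout (url, username, password, name), finds passwords reused across entries or too short, and orders the findings so that email, bank and UPI accounts come first. The vault contents are constructed, the 12-character threshold is an assumption, and the report deliberately names entries without ever printing their passwords.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export. The column layout is an assumption modelled on a
# generic CSV export; it is not a real person's vault.
SAMPLE_EXPORT = """url,username,password,name
https://mail.example.com,asha@example.com,Pune2019!,Primary email
https://netbanking.example-bank.in,asha123,Pune2019!,Bank
https://upi.example-app.in,9876543210,123456,UPI app
https://shop.example.com,asha@example.com,Pune2019!,Shopping
https://food.example.com,asha.alias1@example.com,x7$mQ9vLp2#nWk,Food delivery
"""

# The three account types the post says to fix first.
SENSITIVE_KEYWORDS = ("mail", "bank", "upi")
MIN_LENGTH = 12  # assumed threshold below which a password is flagged as short


def load_vault(csv_text: str) -> list:
    """Parse the export into dicts keyed by column name. In real use the CSV
    is plain text, so delete it (and empty the bin) as soon as it is imported."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def is_sensitive(entry: dict) -> bool:
    """Match the entry's name or URL against the high-priority account types."""
    haystack = (entry["name"] + " " + entry["url"]).lower()
    return any(keyword in haystack for keyword in SENSITIVE_KEYWORDS)


def reused_passwords(entries: list) -> dict:
    """Map each password used by more than one entry to the names sharing it.
    One breach of any site in a group exposes every other site in it."""
    by_password = defaultdict(list)
    for entry in entries:
        by_password[entry["password"]].append(entry["name"])
    return {pw: names for pw, names in by_password.items() if len(names) > 1}


def vault_report(entries: list) -> list:
    """Return (name, problems) pairs: sensitive accounts first, then by name.
    Only names are reported, so the output is safe to read over someone's shoulder."""
    reused = reused_passwords(entries)
    findings = []
    for entry in entries:
        problems = []
        if entry["password"] in reused:
            problems.append("reused")
        if len(entry["password"]) < MIN_LENGTH:
            problems.append("short")
        if problems:
            findings.append((is_sensitive(entry), entry["name"], problems))
    findings.sort(key=lambda f: (not f[0], f[1]))
    return [(name, problems) for _, name, problems in findings]


if __name__ == "__main__":
    vault = load_vault(SAMPLE_EXPORT)
    groups = reused_passwords(vault)
    print(f"{len(groups)} password(s) reused across {sum(len(n) for n in groups.values())} entries")
    for name, problems in vault_report(vault):
        print(f"  fix next: {name:15} ({', '.join(problems)})")
```

On the constructed vault the report lists Bank and Primary email first (reused and short), then the UPI app (short), then Shopping; the food-delivery login with its generated password and throwaway alias needs nothing. That is the same order the post recommends working through a real vault.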

Honestly, the best password manager is the one you will actually use. I have friends who set up Bitwarden and then never opened it again. That is worse than using a notebook. Just pick one, move your passwords in, and let it do its job.
