AES-256 vs. XChaCha20 — does the cipher choice matter for your password manager

Five of the six password managers in this comparison use AES-256 for vault encryption. NordPass uses XChaCha20-Poly1305. Both are described as 'military-grade encryption.' In most consumer discussions of this choice, either nothing further is said or XChaCha20 is briefly credited as 'more modern' without elaboration. The question worth actually answering is: does the cipher choice produce different real-world security outcomes for password manager users, and if so, under what conditions?

The honest answer is: for most users, under most realistic threat models, the cipher choice between AES-256 and XChaCha20 does not determine security outcomes. Both ciphers are considered cryptographically secure. The attack scenarios that would make the choice matter are highly specific. But 'does not determine security outcomes' is different from 'is irrelevant' — there are specific contexts where the differences are meaningful.

The useful lens for this question is not 'which cipher is stronger' in the abstract, but 'what are the implementation-specific risks of each cipher, and do those risks apply to my situation.'

The assumption 'AES-256 is industry standard, therefore it is the safe conservative choice' conflates standardisation with security under all conditions. AES is standardised and widely deployed. It is also designed as a block cipher and is typically deployed with a mode of operation (CBC, GCM). AES-CBC, the mode used by several password managers including Bitwarden and historically LastPass, is secure when implemented correctly but has known vulnerability to timing side-channel attacks in specific implementation contexts. AES-GCM provides authenticated encryption. XChaCha20-Poly1305 is a stream cipher with integrated MAC, designed to be resistant to timing attacks without requiring constant-time implementation discipline.

A second assumption is that the cipher is the primary security variable for vault encryption. It is not. The key derivation function — how the master password is processed to generate the encryption key — determines resistance to offline brute-force on stolen vault data. Cipher strength against cryptanalytic attack is essentially equal between AES-256 and XChaCha20 at current compute levels. The more practically relevant variable is whether the key protecting the cipher is derived by PBKDF2 at adequate iterations or Argon2, and at what parameter settings.

A third assumption is that hardware-accelerated AES makes it faster and therefore better on modern devices. This is true for hardware with AES-NI instructions — most modern x86 processors. On devices without AES hardware acceleration — many embedded devices, older mobile hardware, IoT devices — XChaCha20 is significantly faster while remaining equally secure. NordPass's choice of XChaCha20 reflects design consideration for performance across the full device spectrum, not only modern desktop hardware.

AES-256 and XChaCha20 are both considered secure against all known cryptanalytic attacks at current and projected compute capabilities. Neither is practically breakable through cipher analysis. The meaningful differences are in: (1) timing-attack resistance — XChaCha20 is designed for this from the ground up; AES requires careful constant-time implementation; (2) performance on hardware without AES acceleration — XChaCha20 wins significantly; (3) standardisation status — AES is NIST-standardised and FIPS 140 approved; XChaCha20 is not FIPS approved, which matters for specific regulatory contexts.

For most password manager users on modern devices, the cipher choice does not affect their practical security. The KDF and iteration count protecting the vault key is the dominant variable for offline brute-force resistance. The cipher protects encrypted data at rest; both AES-256 and XChaCha20 do this adequately for the forseeable future.

The context where XChaCha20 has a meaningful advantage: environments with diverse hardware (mobile-heavy usage where some devices lack AES-NI), or in implementations where constant-time AES is difficult to guarantee. The context where AES-256 has an advantage: regulatory environments requiring FIPS 140 certification, where XChaCha20's absence from FIPS is disqualifying.

This guide discusses cipher algorithm choice at the conceptual level. Real-world security outcomes depend on the full implementation: cipher mode, IV handling, KDF, key management, and implementation correctness. A theoretically sound cipher poorly implemented is less secure than a slightly less modern cipher implemented correctly with extensive review.