How to evaluate a password manager — the criteria that actually matter
What makes this confusing
Password manager reviews follow a predictable structure: feature comparison table with checkmarks, price comparison, a detection test score in an unrelated product category, and a 'Best Overall' recommendation. The criteria being applied — feature count, price, brand recognition — are not well-correlated with the properties that determine whether a specific product is right for a specific user's situation.
The criteria that actually differentiate password managers in ways that affect security and usability outcomes are less visible in most reviews: what metadata the provider retains in plaintext, how the key derivation function affects offline brute-force resistance, whether the codebase is independently verifiable, what the emergency access model looks like, and how the provider has responded to historical security incidents.
Evaluating a password manager well requires defining your threat model first, then mapping provider properties to that model. The same product may be the right answer for one situation and wrong for another.
What people usually assume
The assumption 'best overall winner from a major review site is the right choice' applies the reviewer's implicit threat model to your situation. Reviews written for a general audience optimise for the median use case. If your use case is above-average in any dimension — privacy sensitivity, threat level, technical sophistication, compliance requirements — the general recommendation may not apply.
A second assumption is that encryption strength is the primary differentiator. All major password managers use encryption that cannot be practically broken by cryptanalytic attack. The meaningful differentiators are: metadata handling (what is stored in plaintext alongside encrypted credentials), KDF strength and parameterisation (how resistant offline brute-force is), breach history (what has actually happened), and trust model (open source vs. compliance certifications).
A third assumption is that price and features are the right primary criteria. Price and features are legitimate criteria; they are not the only ones. A lower-cost product with a significant breach history and a discontinued free tier may be a worse choice than a more expensive product with a clean record and better architecture for a specific use case.
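To make the KDF point concrete, here is an added example (not code from the guide) that models how the iteration count of a PBKDF2-HMAC-SHA256 vault KDF multiplies an offline attacker's cost for a stolen vault export, and audits accounts left below a policy floor. The floor, the attacker hash rate and the account records are assumptions constructed for illustration.

```python
"""Illustrative KDF model for an exported password-manager vault (added example,
not from the guide). Assumes the vault key is PBKDF2-HMAC-SHA256 over the master
password; the iteration floor, attacker rate and sample accounts are constructed."""
import hashlib
from dataclasses import dataclass

# Assumed policy floor: OWASP's current guidance for PBKDF2-HMAC-SHA256.
MIN_PBKDF2_ITERATIONS = 600_000
# Assumed single-GPU SHA-256 throughput; a yardstick, not a measurement.
ASSUMED_SHA256_PER_SECOND = 10_000_000_000


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch the master password into a 256-bit vault key.

    Every candidate an offline attacker tests costs the same `iterations`
    rounds, so this parameter is a direct multiplier on cracking effort."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def seconds_to_exhaust(iterations: int, candidates: int,
                       sha256_per_second: int = ASSUMED_SHA256_PER_SECOND) -> float:
    """Worst-case time for an attacker holding a stolen vault to try
    `candidates` master passwords at the given iteration count."""
    guesses_per_second = sha256_per_second / iterations
    return candidates / guesses_per_second


@dataclass
class VaultKdf:
    """KDF setting recorded for one account (constructed sample data)."""
    account: str
    iterations: int


def audit_kdf_settings(vaults, floor: int = MIN_PBKDF2_ITERATIONS) -> list:
    """Return accounts whose stored KDF setting is below the policy floor.

    Providers that raise their default do not always re-stretch existing
    vaults, so long-lived accounts can silently keep a weaker setting."""
    return [v.account for v in vaults if v.iterations < floor]


if __name__ == "__main__":
    sample = [VaultKdf("alice", 600_000), VaultKdf("bob", 5_000),
              VaultKdf("carol", 100_100)]
    print("below floor:", audit_kdf_settings(sample))
    for it in (5_000, 100_100, 600_000):
        days = seconds_to_exhaust(it, 10**12) / 86400
        print(f"{it:>7} iterations: {days:.1f} days for 1e12 guesses")
```

The ratio between two iteration counts is the only robust output here; the absolute day figures depend entirely on the assumed attacker rate.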
What's actually true
A useful password manager evaluation framework covers five categories: security architecture (cipher, KDF, zero-knowledge implementation, metadata handling); trust and verification (open source vs. compliance-only, audit history, breach history); feature completeness (does it do what you need?); usability for your actual workflow (autofill reliability on the sites you use, mobile experience, cross-device coverage); and price and sustainability (is the business model coherent, is the free tier genuine or a conversion tool).
Threat model mapping: privacy-first users should weight metadata handling, jurisdiction, and open-source auditability. Enterprise/compliance users should weight FedRAMP, ISO 27001, and SSO depth. Budget-constrained users should distinguish genuine free tiers from conversion funnels. Family users should weight emergency access and non-technical UX. Each weight shift changes the ranked order of the products.
The breach history criterion deserves explicit attention. LastPass has two documented incidents affecting customer data. Every other provider in this comparison has a clean record as of 2024. This is a factual asymmetry that should be part of any honest evaluation — not a disqualification but a data point that requires explicit consideration relative to the features LastPass offers.
Where this leads
If you want the full trade-off analysis between providers in this comparison — starting from evidence and scoring rather than feature checkmarks — the provider pages cover the security model, breach history, and specific trade-offs for each.
Bitwarden — evidence-based profile
If open-source verification is an evaluation criterion — the open source vs. closed source guide covers what open source actually allows you to verify and the limitations of that verification.
Open source vs. closed source — the verification question
If jurisdiction is an evaluation criterion — the jurisdiction guide covers the practical implications of US, Panama, and Swiss incorporation for different threat models.
Password manager jurisdiction — what it means in practice
Limits of this guide
Evaluation criteria reflect a point in time. Providers update their architectures, change pricing, get acquired, or have security incidents. An evaluation done in 2022 before the LastPass breach would have produced a different ranking than one done afterward. Regular re-evaluation against the current state of each provider is more accurate than relying on evaluations more than 12-18 months old.
© 2026 Softplorer