I use KeePassXC on desktop and KeePassDX on Android. I have my own file server, and manually sync the database file through it when needed. No subscription fee, 100% open source and self-hosted.
https://keepassxc.org/
https://www.keepassdx.com/
1Password - the only real drawback is they use an Electron app for desktop, and they don't really have a good story for legacy recovery.
Otherwise they have an incredibly strong security model (though it means it's a bit complicated for the end user) and they support almost every form of credential: TOTP, Passkey, passwords, etc.
They're also working on simplifying unlock methods such as being able to use a passkey to unlock (such as your iCloud passkey), or using your passcode/biometrics unlock double as the unlock for 1P.
It seems to have good integration into iOS as well for autofilling in apps and such.
Also, it supports custom fields where some forms on websites require some additional codes or secrets that normally don't autofill because they're not a password. 1P handles this pretty gracefully by just having a labelled text field stored as part of the login credential and it'll automatically fill that in.
They have family pricing and it comes out cheaper once you have 2 members using it. Also sharing credentials, notes, etc. with other members is pretty straightforward.
If you just want something to start out with and you're in the Apple ecosystem, consider the Apple Passwords app which is free. Having something is better than nothing.
Also timely is an IACR paper on the security of password managers [1].
1Password did really well, but doesn't get off scot-free as there's a vault substitution attack described in Appendix D where an attacker could substitute a vault and freshly created items in said vault by the user could be read by the attacker. I don't think by any stretch it would be easy to pull off, and I imagine applying the fix, despite being simple, would require a significant architecture overhaul across 1P applications, protocol, and architecture. But otherwise it does well against its rivals, and a lot of it is thanks to having a high entropy key masking the password used to unlock a vault, meaning dictionary attacks are not even possible.
[1] https://eprint.iacr.org/2026/058
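The "high entropy key masking the password" point from the comment above, as an added sketch (not part of the original comment and not 1Password's actual code). The salt, secret key, guess list, verifier format and mask derivation are all constructed, simplified stand-ins.

```python
import hashlib
import hmac

ITERATIONS = 10_000  # assumption: kept low so the demo runs quickly
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed sample salt
SECRET_KEY = bytes.fromhex("5f" * 16)  # constructed stand-in for a random 128-bit device key
PASSWORD = "correct horse battery staple"  # guessable: it appears in the guess list
GUESSES = ["password1", "letmein", PASSWORD, "hunter2"]  # constructed guess list


def password_only_key(password, salt=SALT):
    """Unlock key derived from the password alone."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def two_secret_key(password, secret_key, salt=SALT):
    """Password-derived key XORed with a mask derived from the device secret."""
    mask = hmac.new(secret_key, b"mask|" + salt, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(password_only_key(password, salt), mask))


def verifier(key):
    """Value a server would store to check the key (hypothetical format)."""
    return hmac.new(key, b"vault-verifier", hashlib.sha256).digest()


def offline_guess(stolen_verifier, derive):
    """Test each guess against a stolen verifier; return the match or None."""
    for guess in GUESSES:
        if hmac.compare_digest(verifier(derive(guess)), stolen_verifier):
            return guess
    return None


def run_demo():
    # Password-only scheme: the stolen verifier and salt are enough to test guesses.
    weak = offline_guess(verifier(password_only_key(PASSWORD)), password_only_key)
    # Two-secret scheme: without SECRET_KEY every guess is masked with the wrong
    # value, so even the correct password does not match the verifier.
    wrong_secret = bytes(16)
    strong = offline_guess(
        verifier(two_secret_key(PASSWORD, SECRET_KEY)),
        lambda g: two_secret_key(g, wrong_secret),
    )
    return weak, strong


if __name__ == "__main__":
    print(run_demo())
```

The second result stays `None` for any guess list, because each password guess would have to be paired with a correct guess of the 128-bit secret.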
For “family members who struggle with tech”, I’d optimize for:
- cross-device autofill that Just Works
- account recovery you can actually manage (but not so weak it defeats the point)
- sharing a small set of household logins cleanly
In practice that usually means either:
1) 1Password Families (best UX/recovery/sharing, paid), or
2) Bitwarden (good balance, cheaper, can self-host if you want, but UX is a bit more fiddly).
If everyone is already all-in on Apple (or Google), the built-in Passwords/Google Password Manager are honestly hard to beat for simplicity.
Regardless of manager: enable 2FA on the manager account itself, and start migrating important accounts to passkeys where possible.
Just an anti-recommendation: Do not use LastPass. Reading the security breach section of their Wikipedia article should be enough reason.
For anyone reading this who uses LastPass: Switch away!
According to the wiki, a one-click exfiltration vulnerability has existed for more than half a year and hasn't been fixed:
> In their default configurations, these extensions were shown to be exposed to a DOM-based extension clickjacking technique, allowing attackers to exfiltrate user data with just a single click. LastPass version 4.146.8 (September 12, 2025), which was intended to address the issue, remains vulnerable
https://en.wikipedia.org/wiki/LastPass#Security_incidents
Update: with Apple's 'Passwords' app, it appears all someone needs to do to get access to every single stored password is grab your iPhone while it's unlocked, or sneak it from you while sleeping and use Face ID to unlock it.
Or, they could shoulder surf to get a 6-digit PIN to unlock the phone, then steal it, then they're in.
Seems way less secure than 'Correct Horse Battery Staple'.
Dashlane.
It works on most browsers, both Android and iOS, and even has the option of family accounts, so everyone has their secret passwords and some shared passwords across accounts that everyone should have access to. It also comes with a free VPN for five devices with Hotspot Shield Pro.
I was in your position, realizing I had to do something about how my family manages passwords. I found the built-in Passwords app in macOS was actually sufficient for our needs.
Thanks for the rec. This is looking like the front-runner atm, for ease of adoption (nothing additional to download and set up) and cost-effectiveness (free for those who are already on iOS/macOS).
EDIT: YouTube reviews are really negative about Apple Passwords, but those reviews all link to other (paid) password managers, so they cannot fully be trusted, since they're essentially in competition.
I use Bitwarden.
This may be controversial here, but what Google + Chrome + Android does is pretty great imo.
JSR_FDED has a parallel comment for the Apple ecosystem