Open Source Password Manager
A password manager is the one app you have to trust completely - it holds every credential you own. The open source options below earn that trust differently than closed-source vaults: the encryption code is public, independent audits actually happen, and most of them can run on your own server, so a vendor breach or a sudden pricing change never locks you out of your own secrets.

Vaultwarden
Self-hosted Bitwarden-compatible server in Rust, light enough to run where the official service is too heavy

KeePassXC
Offline, encrypted password manager that stores your vault in a local KDBX file you control

Bitwarden
Open-source password manager for passwords and passkeys, with clients for web, browser, desktop, and CLI

KeeWeb
Browser and desktop password manager that opens and creates KeePass kdbx vaults

gopass
GPG-encrypted, git-versioned password manager for teams - a drop-in replacement for the standard UNIX pass

KeePassDX
Lightweight, ad-free Android password manager for KeePass databases with biometric unlock and autofill

LessPass
Stateless password manager that recomputes your passwords from a master password, so there is no vault to sync

Passbolt
Security-first, open source password manager for teams with user-owned keys and end-to-end encryption

Padloc
Modern, end-to-end encrypted open source password manager for individuals and teams
How to choose an open source password manager
Start with the encryption model, because that is the part you are really trusting. A serious manager encrypts and decrypts everything on your device, so the server (yours or a vendor's) only ever stores ciphertext it cannot read. That "zero-knowledge" design is the difference between a breach that leaks scrambled data and one that leaks your logins. Because the code is open, the claim is checkable rather than a marketing line, and the well-regarded projects have paid for outside security audits whose reports you can read.
Then decide how your vault should sync. The choices fall into three camps: a single encrypted file you move yourself, sync through a commodity cloud drive you already use, or a server you run that handles sync and sharing for a household or team. Self-hosting gives you the most control and the most responsibility - you own the backups and the uptime. File-based and bring-your-own-cloud options ask less of you but make team sharing clumsier.
Finally, weigh the everyday surface area: browser extensions for autofill, mobile apps with biometric unlock, and support for passkeys and time-based one-time codes if you want them in one place. Just as important is the exit: confirm the manager exports a standard format so your data is never hostage to the app. The strongest options here cover every major platform and import directly from the proprietary vaults people are leaving.
Related categories
Frequently asked questions
Are open source password managers safe?+
Yes - and often more verifiably so than closed alternatives. The encryption happens on your device before anything is stored, and because the source is public, security researchers can inspect exactly how keys are derived and data is sealed. Several of the projects listed here have commissioned independent third-party audits and published the results. Open code does not make an app magically secure, but it makes its security claims something you can confirm instead of take on faith.
Can I self-host a password manager?+
Most of the server-based options here are designed to be self-hosted, usually as a container you run on a home server or a small cloud instance. Self-hosting means your encrypted vault never touches a third party, and sharing within a family or team runs entirely on infrastructure you control. The trade-off is that backups, updates, and availability become your job, so plan for an automated backup of the data directory before you commit.
How do I move my passwords from a proprietary manager?+
Export your existing vault to a CSV or JSON file, then use the importer in your new manager - the mature open source options ship importers tuned for the most common proprietary formats. Because the export file is plaintext, delete it securely once the import is verified. After migrating, rotate your most important passwords so any credential that briefly lived in an unencrypted export is replaced.
What happens to my logins if the project shuts down?+
This is exactly where open source helps. Your vault is stored in an open or documented format and can be exported at any time, so you are never locked in. If a hosted service closes, you keep a local copy; if a project stops being maintained, the code remains available for someone to fork. With a self-hosted server you are not dependent on any company staying in business at all.