Open Source Password Protection
These are defensive tools, not vaults - they exist to tell you which credentials are already exposed, weak, or banned, and that only works if you can run them against your own users and password data without shipping any of it out. The open source tools here do the breach checking, directory password filtering, and exposure auditing entirely inside your environment, so finding leaked credentials never means handing them to a third party.

SuperTokens
Open-core user authentication with login, session management, and on-premises control of user data
pwnedOrNot
OSINT tool for checking breached email accounts and searching public dumps for passwords
xkcdpass
Flexible, scriptable passphrase generator inspired by XKCD 936

haveibeenpwned-downloader
CLI tool that downloads all Pwned Passwords hash ranges for offline checks without the k-anonymity API

Lithnet Password Protection
Active Directory password filter for breached password checks and custom complexity rules

XposedOrNot
Open-source API for real-time data breach monitoring and email exposure alerts
How to choose open source password protection
Start with the vault and encryption model, because this decides what a breach exposes. Look for client-side encryption where the server cannot read vault contents, a slow password-based key derivation function, and clear handling for attachments, secure notes, TOTP seeds, and passkeys. Check whether metadata is encrypted too - item names, URLs, folder names, and sharing relationships can reveal more than teams expect. Also decide whether storing TOTP codes in the same vault as passwords fits your risk model or whether you want a separate second-factor workflow.
The sync and recovery model is the next hard choice. A local-only vault reduces server exposure but makes multi-device use, backups, and emergency access your problem. A hosted or self-hosted sync server adds convenience, but you need to understand account recovery, admin powers, rate limiting, and what happens when the server is offline. For teams, pay close attention to whether admins can reset access without decrypting user vaults, how offboarding works, and whether SSO or directory sync changes the encryption boundary.
Daily login behavior matters as much as cryptography. Browser extensions need strict URL matching, predictable autofill rules, and a way to avoid filling credentials into lookalike domains or embedded frames. Mobile apps should support platform autofill without forcing users to copy secrets through the clipboard. For organizations, inspect sharing granularity, audit events, password generator policy, import quality, and export formats before committing. A password protection system that is technically sound but awkward during real sign-in flows will be bypassed.
Related categories
Frequently asked questions
What does open source password protection usually include?+
In this category, password protection usually means a vault for credentials, secure notes, and sometimes TOTP seeds, passkeys, identities, and payment details. The important parts are encryption before sync, password generation, autofill, sharing controls, and export. Some options are personal vaults with light sync, while others are built for teams with permissions, audit logs, and centralized policy.
Is open source password protection safe enough for work accounts?+
It can be, but only if the design matches your threat model. Look for client-side encryption, a documented key derivation approach, secure sharing, and a clear history of security review. For work use, also evaluate admin recovery, offboarding, device loss, and auditability. The weakest point is often not the cipher - it is recovery design, browser autofill behavior, or poor rollout discipline.
When should I self-host password protection instead of using a hosted service?+
Self-host when you have a real operational reason, such as strict data residency, internal network constraints, or a requirement to manage your own sync service. Do not self-host just because the code is open. You become responsible for TLS, backups, updates, monitoring, mail delivery, availability, and incident response. If the server goes down during a credential emergency, the theoretical control may not feel useful.
What happens if someone forgets the master password?+
In a well-designed vault, the master password is not recoverable by reading a server database. That is good for security and painful for recovery. Some systems offer emergency access, organization recovery, recovery keys, or admin-assisted account reset. Read the details carefully. A reset may restore access only to shared organization items, not a user's private vault, attachments, or locally encrypted data.
How cleanly can existing passwords be imported?+
Imports usually start from a browser, CSV file, or another password manager export. Basic fields such as title, username, password, URL, and notes often survive. Folders, custom fields, file attachments, TOTP seeds, shared collections, and password history are less reliable. Plan time for cleanup, especially duplicate URLs, weakly matched domains, malformed notes, and items that were previously shared through a different permission model.
Which export options matter for avoiding lock-in?+
You want an export that preserves enough structure to rebuild the vault elsewhere: item type, login URL, username, password, notes, custom fields, folder or collection, and TOTP seed where appropriate. CSV is widely portable but loses structure and is dangerous if mishandled. Encrypted native exports are safer for backup but may be useful only inside the same ecosystem. Test export before rollout, not during an emergency.
Are browser extensions a security risk?+
Browser extensions are both useful and sensitive because they sit directly in the login flow. Evaluate URL matching, phishing warnings, frame handling, clipboard behavior, and whether the extension can be locked independently. Avoid workflows that train users to autofill anywhere. A good extension should make the correct login easy while making suspicious pages obvious, especially for internal admin panels and high-value accounts.
Does password protection work well on phones?+
Mobile support depends on integration with the operating system autofill service, biometric unlock, offline vault access, and how reliably the app handles app-specific login screens. Copying passwords through the clipboard is a fallback, not a good daily workflow. Test common business apps, mobile browsers, VPN prompts, and password change pages. Mobile friction is one of the fastest ways to push users back to reused passwords.
Can teams share credentials without exposing everything to everyone?+
Yes, if the tool has real collection or folder permissions rather than one shared vault for the whole organization. Check whether permissions apply to viewing, editing, sharing onward, exporting, and managing membership. Also inspect audit logs for access and change events. For high-risk shared accounts, combine narrow groups with rotation procedures, because once a password is visible to a person, technical controls cannot make it unseen.
How should TOTP codes and passkeys fit into password protection?+
Storing TOTP seeds beside passwords is convenient, but it weakens separation between first and second factors if the vault is compromised. Some teams accept that tradeoff for better adoption; others keep TOTP in a separate authenticator or hardware-backed workflow. Passkeys add another layer: confirm whether they can be synced, exported, shared, and used on managed devices before assuming they replace passwords cleanly.
What backup strategy is needed for a password vault?+
Back up both the server data and a tested vault export path. Server snapshots help after infrastructure failure, but they may not help if a user deletes items and sync propagates the deletion. Keep encrypted backups, protect export files tightly, and document restore steps. For self-hosted deployments, practice restoring to a separate environment so you know whether users, sharing relationships, attachments, and audit data return correctly.
How important are independent security audits?+
Independent review is useful, but read what was audited. A narrow audit of cryptographic code does not prove the browser extension, mobile app, server deployment, recovery flow, or build pipeline is safe. Check whether findings were fixed and whether the design is documented well enough for review. Audits should increase confidence, not replace your own evaluation of configuration, permissions, backups, and user behavior.
Will a password vault still work offline?+
Many vaults can unlock a cached copy offline after a successful sync, but behavior varies. Test offline access on desktop and mobile before relying on it. Pay attention to new item creation, conflict handling, attachments, and shared vault updates. Offline access is valuable for travel and outages, but it also means lost devices may contain encrypted vault data, so device encryption and strong unlock settings matter.
What if the password protection project loses momentum?+
Your exit plan matters more than the project's promises. Keep periodic encrypted exports, document the import process into an alternative, and avoid features that cannot be moved if portability is critical. For self-hosted systems, also keep deployment notes and dependency versions. If development slows, a strong export path and a simple vault structure can turn a risky platform change into a planned migration.