Password Manager Security Checklist
Purpose
This checklist helps security‑aware users evaluate the safety of their chosen password manager and ensure best practices are followed.
Checklist
- [ ] Strong, unique master password (≥12 characters, mix of character types)
- [ ] Two‑factor authentication (2FA) enabled for the vault
- [ ] Service follows a zero‑knowledge model
- [ ] All data encrypted locally before upload
- [ ] Auto‑lock after inactivity (≤5 min)
- [ ] Built‑in password generator with high entropy
- [ ] Audit log or security events viewable by the user
- [ ] Open‑source code or third‑party security audit available
- [ ] End‑to‑end encrypted sync across devices
- [ ] Secure, limited recovery options (e.g., emergency contacts)
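As an added illustration of the master-password and generator items (example code written for this page, not part of the original checklist), the Python below checks a password against the stated length and mix-of-types criteria, generates one from the CSPRNG in `secrets`, and reports the entropy a uniformly random password of that length carries. The symbol set and the "three of four classes counts as a mix" threshold are assumptions made here; the checklist fixes neither.

```python
import math
import secrets
import string

# Character classes behind the checklist's "mix of types". The symbol set is a
# constructed choice for this example; the checklist does not specify one.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*()-_=+[]{};:,.?/",
}
ALPHABET = "".join(CLASSES.values())  # 86 characters


def classes_present(pw: str) -> int:
    """Count how many of the character classes occur in pw."""
    return sum(any(c in chars for c in pw) for chars in CLASSES.values())


def meets_master_password_policy(pw: str, min_length: int = 12, min_classes: int = 3) -> bool:
    """Checklist item 1: at least 12 characters and a mix of types.

    Requiring three of the four classes is an assumption; the checklist only
    says "mix of types".
    """
    return len(pw) >= min_length and classes_present(pw) >= min_classes


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a password drawn uniformly at random: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def generate_password(length: int = 20) -> str:
    """Checklist item 6: draw from a CSPRNG (`secrets`, never `random`).

    Rejection-sample until every class is present. For length >= 12 fewer than
    a third of candidates are rejected, so this costs under one bit relative to
    entropy_bits(length, len(ALPHABET)).
    """
    if length < len(CLASSES):
        raise ValueError("length too short to contain every character class")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if classes_present(pw) == len(CLASSES):
            return pw


if __name__ == "__main__":
    pw = generate_password()
    print(pw, f"{entropy_bits(len(pw), len(ALPHABET)):.1f} bits",
          meets_master_password_policy(pw))
```

A 12-character password over the 62 alphanumerics carries about 71 bits; the generator's 20-character default over 86 symbols carries about 128, which is what "high entropy" buys you over the minimum.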
Next Steps
- Review each item and check the box if it applies to your password manager.
- Leave unchecked any item that fails to meet the criteria, and consider switching password managers or hardening the configuration.
- Revisit this checklist after any major update to the password manager.