NordPass Premium – Review 2020
Few people can remember strong and varied passwords for each of their online accounts. That’s fine, because password managers such as NordPass are readily available. This offering, from the team behind NordVPN, is a simple service for securely accessing your passwords via mobile apps, a web dashboard, or dedicated desktop apps. However, both the free and paid versions of NordPass lack many functions that more established password managers offer, including form-filling capabilities, password inheritance options, and robust auditing tools. NordPass might be fine for those who don’t want to be overwhelmed by options, but some of its missing features are important omissions. Our top-rated password managers are simply more capable.
Pricing and Platforms
NordPass’ free version does not allow you to access your passwords on multiple devices at the same time or share items from your vault. LastPass and Myki, our top two free password managers, include both these features.
NordPass Premium gets rid of the free version’s limitations, letting you access passwords on up to six devices and share items for $4.99 per month. This is pricey compared to other services’ effective monthly costs. One-year and two-year plans are more competitive, coming in at $35.88 and $59.76, respectively. Even though you may be tempted by the savings of the lengthier subscriptions, we recommend that you start with the monthly plan to make sure that NordPass works for you, or at least sign up for the free 7-day trial.
For comparison, LastPass Premium costs $36 per year and Keeper charges $29.99 per year. Dashlane is much pricier at $59.99 per year. Bitwarden Premium costs just $10 per year. You can, at the time of this update, get NordPass and NordVPN on a three-year deal for $125.64 (effectively $3.49 per month). ProtonVPN offers a bundle with its VPN and secure email services too, but that plan costs a whopping $288 per year.
You can get NordPass as a browser extension for Chrome, Firefox, and the new Chromium-based Edge. The service also offers mobile apps for Android and iOS. NordPass offers desktop clients for Windows, macOS, and Linux systems, too. A company representative previously noted that a Safari extension will arrive in 2020.
Getting Started and Security
To sign up for the free version of NordPass, you need to first provide an email, confirm that email via a six-digit code NordPass sends you, and then set a password. After that, you download the extension for the browser of your choice. I tested NordPass’ extension (version 2.1) on a Chrome browser, a Windows 10 laptop, and a Google Pixel 3 running Android 10.
To finish setting up NordPass, you need to sign in to the extension and create a master password for your account. The master password is different than your account password; the former functions as the decryption key for your password vault and the latter is used for account logins.
Make sure your master password is both unique and complex. If anyone gets hold of your master password, all the account credentials stored in your vault will be compromised. At the same time, your master password should be memorable, as NordPass does not store it and cannot help you recover it specifically. NordPass does provide a single recovery code during the sign-up process that you can use to regain access to your account, though, so make sure to copy that down too. If you forget your master password and lose your recovery code, your only option is to reset your NordPass account, a process that deletes everything from your password vault. This is standard handling of master passwords for any zero-knowledge service. Keeper Password Manager & Digital Vault does allow you to reset your password in a secure way, which is helpful.
When you sign in for the first time, NordPass takes you to a screen for importing passwords from browsers such as Chrome, Opera, and Firefox, or from other password managers such as LastPass, 1Password, KeePass, RememBear, and RoboForm. Importing a CSV file is another option. You can also export your passwords to a CSV file at any point. I used NordPass’ sample CSV sheet to format my passwords, and the import worked fine.
Since you store passwords for sensitive accounts in a password manager, the security practices and privacy policies of the service you choose are paramount. With NordPass, your passwords are encrypted locally on your device using XChaCha20 before being sent to NordPass’ servers. A company representative noted that “we [NordPass] use Amazon Web Services as our cloud provider with our own Key Management Solution for Hardware Encryption.” When you need to access your passwords, the encrypted data syncs back to your device, at which point you need to decrypt it with your master password. As mentioned, NordPass says it employs a zero-knowledge infrastructure, which is to say the company never knows your master password and thus can never decrypt your data. Although this means you have few recovery options, it also means that even a data breach will not expose your information.
Note that NordPass recently underwent an audit by Cure53. You can read NordPass’ summary of the results on its blog, though the full publication is not yet on Cure53’s site. RememBear also committed to regular (and public) security audits from Cure53.
NordPass supports biometric authentication on Android and iOS devices in lieu of your master password, which is a convenience. It currently supports Face ID on iOS devices and on the Google Pixel 4, with support planned for other Android handhelds. Keep in mind that there are some real risks to facial recognition software, though. NordPass supports TOTP-based two-factor authentication methods (such as Google Authenticator and Authy). I appreciate that NordPass completely skipped over the less secure two-factor via SMS method, but I would like to see support for 2FA keys such as those from YubiKey. A representative from the company told me the feature is planned. 1Password, LastPass Premium, Bitwarden, and Keeper all support hardware-based authentication keys.
NordPass Web Vault and Desktop Apps
NordPass’ web extension is attractive, with a gray, white, and green color scheme and a simple navigation menu on the left side. I didn’t experience any performance issues with the interface in testing. Item categories for your vault include Logins, Secure Notes, Credit Cards, Shared Items, Trash, and Settings. There’s also a search bar in the upper left of the screen as well as a button for locking the app at the bottom left. Aside from the already mentioned import and 2FA options in the Settings section, you can view account information, upgrade your plan, change your master password, change the interface’s autolock settings, and reset your recovery code. That last feature could be vital if you lose your master password and are locked out of your account on every other platform.
The All Items section lists all your vault items in one place, but it doesn’t include descriptions of each item type. You can sort items by name or by last used. If you mouse over any item and click on the right-hand option menu, you can share it, copy its content, edit it, or move it to the trash. You can also launch the associated URL of login items to get directly to the site. This section is a bit basic and doesn’t offer any functionality that is not better served by one of the dedicated sections.
In the Logins section, you get the same sparse layout of login items as well as an Add Login button in the upper left corner. One nice touch is that NordPass populates icons for all the services in your vault. However, there aren’t any options for organizing login items into folders or groups, which is problematic. A NordPass representative noted this feature is in progress. If the app had security auditing tools, this is where they should go. A representative said that a dedicated audit section would be available in 2020. Dashlane and 1Password are among the many password managers that offer an actionable password strength report. Some of these reports identify weak or reused passwords, while others securely check if your credentials have been exposed in any known breaches.
Adding a login is easy—just fill out a name for the item, email or username, password, and associated website URL. Unfortunately, you cannot create a login without a URL, nor can you add multiple URLs to one login item, which could be useful if the login URL for a service’s app and website are different. Notes are an optional field. When you enter your password, NordPass judges its strength on a scale of weak, moderate, and strong. NordPass rightfully rated egregious passwords such as “password,” “qwerty,” and “123456” as weak. It did list “Administrator” as moderate, as well as “Administrator1” and “Hello, World!” as strong. Oddly, you can’t access the random password generator feature here and need to click the extension icon in your browser’s toolbar to use it. Don’t expect to find any advanced features such as custom or time-based one-time password (TOTP) fields here either.
The Secure Notes section lets you create memos with titles and a text body, but there’s no support for attachments or links. Services such as Keeper Password Manager & Digital Vault include secure storage space for relevant files. The Credit Cards section is similar. You can add all the relevant payment details here, but, strangely, you can’t add a billing address. In fact, NordPass entirely lacks form-filling features for personal details, usually called identities. A company representative said this feature will be released soon. In practice, other password managers allow you to enter details like address, company, phone number, website, or social media handle. RoboForm and Sticky Password are among those that offer these options. Again, you don’t get any features in any of these sections for organizing items into folders. The Trash section is self-explanatory. Items you delete move here and then you can choose to get rid of things permanently.
I tested NordPass’ desktop app on a Windows 10 laptop. The interface is identical to the one you see on the web and offers all the same functionality. One option specific to the desktop app is the ability to start NordPass automatically with your computer, which is enabled by default. Note that you still need to sign in to NordPass with your master password when it starts. This is the preferable behavior, since otherwise, anyone who can get past your computer login could also access all of your passwords. Other password managers’ desktop apps offer additional features. For example, Keeper Password Manager’s desktop app lets you capture and replay logins for local desktop apps.
Using NordPass
When you encounter login fields on the web, NordPass populates both the username and password fields with an icon. If you visit a site for which you have credentials saved, a pop-up appears with an option to log in with the relevant account when you click into a field. Alternatively, you can click the NordPass extension in your browser’s toolbar to see and select credentials from a suggested items list. If you don’t have a saved login, simply enter your credentials as you normally would; once you submit them, NordPass shows a notification asking if you want to save those credentials. In my testing, NordPass filled and saved credentials without issue.
If you don’t want to keep NordPass’ full web version open, the extension’s toolbar menu offers much of the same functionality. Here, you can choose to filter your vault by all items, logins, secure notes, credit cards, and shared items. The import and add items buttons take you back to the full-screen view. From the gear icon, you can open the full-screen app version, launch the password generator tool, access your account settings, or lock down the application. The password generator tool is the only option that operates entirely within the minimized view.
The password generator tool works fine. You can set a password length up to 60 characters (the default is 12), and choose whether to include uppercase and lowercase letters, digits, and symbols, and whether to avoid ambiguous characters (i.e., 0 and O). As you won’t actually be typing any of these passwords out, I recommend keeping all of these options enabled. You can either choose to copy the password or generate a new one. Password Boss (20 characters) and Myki (32 characters) default to longer, and thus less easily cracked, password lengths.
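To make the length comparison above concrete, the following added example (not NordPass code) implements a generator with the options the review lists and estimates the brute-force search space for each default length. The symbol set (`string.punctuation`) and the use of the same alphabet for all three products are assumptions; the function names are hypothetical.

```python
import math
import secrets
import string

AMBIGUOUS = "0O"   # the two look-alike characters the review names
MAX_LENGTH = 60    # upper limit the review reports for the generator


def char_classes(upper=True, lower=True, digits=True, symbols=True,
                 avoid_ambiguous=True):
    """Return the enabled character classes as a list of strings."""
    classes = []
    if upper:
        classes.append(string.ascii_uppercase)
    if lower:
        classes.append(string.ascii_lowercase)
    if digits:
        classes.append(string.digits)
    if symbols:
        classes.append(string.punctuation)  # assumed symbol set (32 chars)
    if avoid_ambiguous:
        classes = ["".join(c for c in cls if c not in AMBIGUOUS)
                   for cls in classes]
    return classes


def generate(length=12, **options):
    """Random password drawn from the OS CSPRNG, one char per class minimum."""
    classes = char_classes(**options)
    if not classes:
        raise ValueError("enable at least one character class")
    if not len(classes) <= length <= MAX_LENGTH:
        raise ValueError(f"length must be {len(classes)}..{MAX_LENGTH}")
    alphabet = "".join(classes)
    chars = [secrets.choice(cls) for cls in classes]
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)  # hide where the forced picks sit
    return "".join(chars)


def entropy_bits(length, **options):
    """Upper bound on entropy: length * log2(alphabet size)."""
    return length * math.log2(len("".join(char_classes(**options))))


if __name__ == "__main__":
    # Default lengths quoted in the review; same alphabet assumed for all.
    for name, n in (("NordPass", 12), ("Password Boss", 20), ("Myki", 32)):
        print(f"{name:14} {n:2} chars  ~{entropy_bits(n):.0f} bits  {generate(n)}")
```

With all options enabled the alphabet has 92 characters, so each added character contributes about 6.5 bits; forcing one character from every class trims the true figure slightly below this bound.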
Sharing and Inheritance
To share an item, mouse over it, click the vertical three-dot menu on the right-hand side, and select Share. Then enter a recipient’s email and hit Share Item. Anyone can sign up for an account to access items shared with them, but only premium users can share items. Notably, when you share an item, the recipient has full edit access to the item, but cannot delete it from the original person’s account. There is no option to give read- or view-only access to a recipient, but a NordPass representative said this was by design. Per the representative’s explanation, someone with even read-only access could theoretically take over an account even without edit access to the item in NordPass itself. Other services, such as Sticky Password, let you restrict whether a recipient can only view, fully edit, or share items on their own.
NordPass recently added a new feature called Trusted Contacts for paid subscribers. Essentially, this feature helps you manually exchange and confirm an encrypted message with a contact. In theory, this reduces the chance of a man-in-the-middle attack. You can set up trusted contacts under the advanced section of the settings tab on the web or desktop apps. While it might be useful for some, this process seems overly complex, and I don’t see it as a reason to upgrade from the free tier.
NordPass is missing password inheritance features, which allow a few trusted contacts to gain access to your logins in the event you no longer can, such as after your death. Delayed access is a common feature associated with password inheritance; if you don’t want someone to have immediate access to your accounts, you can make them wait a certain period of time before the credentials become available to them. LogMeOnce, Zoho Vault, and RoboForm are some competitors that offer digital legacy features.
NordPass on Mobile
I installed NordPass on a Google Pixel 3 running Android 10 and had no issues logging in to my account. Remember that free users cannot access their passwords on more than one device at the same time. So, for example, if you’re logged in to the web extension and then try to sign in on mobile, NordPass will log you out of your desktop browser session. This behavior may seem inconvenient, but is still better than other services that simply won’t sync your passwords to a second device at all.
NordPass’ Android app is basic but attractive. At the top, you get a search bar for finding items in your vault, with dedicated icons for logins, secure notes, credit cards, shared items, and the trash directly beneath. In the middle of the screen, NordPass lists recently used login items, followed by a list of all items. This screen looks a little crowded.
On the bottom of the page, there’s a persistent notification to encourage you to upgrade to the Premium account, a plus button for adding new logins, notes, and credit cards, and a settings section with the same options as on the web. As mentioned, NordPass does support biometric logins and I was able to log in with my fingerprint without issue.
NordPass does not let you link specific apps to logins, nor does it include a persistent notification for auto-filling credentials. Instead, the launch option for logins can only take you to a service’s website. That said, when I tried to sign in to a service’s mobile app, NordPass filled those credentials without issue, despite the fact that I had only added the website URL for that item. As with the web, there are no folder options either. NordPass did add a password generator tool on the mobile app and an option to scan credit cards for imports.
A Good Start
NordPass is an easy-to-use password manager with attractive web, desktop, and mobile apps, but it offers very few advanced features such as form-filling, folders, security monitoring, or 2FA key support. Several other free password managers don’t restrict use to a single device at a time either and allow secure sharing. NordPass may be fine for tech-hesitant users, but everyone else will likely run up against limitations. If you plan to pay for your password manager, Editors’ Choice picks Dashlane and Keeper Password Manager & Digital Vault are your best options, thanks to their more advanced features. For those looking for a free password manager, we recommend Editors’ Choice winners LastPass and Myki, which have fewer limitations.