Journalists are high-value targets. The best password manager protects sources, unpublished stories, and credentials from subpoenas and SIM-swapping. We tested the top options — 1Password, Bitwarden, and Enpass — for security, usability, and threat-model fit.
you're a journalist. your phone contains contacts for sources who could be jailed or killed if exposed. your laptop holds drafts of stories that powerful people would pay to suppress. your email is a treasure map of tips, leaks, and confidential communications.
a password manager isn't a nice-to-have. it's the lock on the door of your entire operation.
here's the thing: most password managers are built for people whose worst-case scenario is forgetting a Netflix password. journalists face subpoenas, SIM-swapping, credential-stuffing attacks, and targeted surveillance. you need a tool that treats those threats as the baseline, not an edge case.
we looked at the options through a journalist's threat model. here's what we recommend.
free for journalists through the 1Password for Journalism program. that alone makes it the default pick for most reporters.1
1Password uses a Secret Key model — your vault is encrypted with both your master password and a randomly generated 34-character key stored on your device. this means even if 1Password's servers were compromised, your data is unreadable. it's zero-knowledge encryption, independently audited, and they publish their security white paper in full.1
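to make the two-secret idea concrete, here is an added sketch (not 1Password's code and not from the original article) of deriving a vault key from a master password plus a device-held key. the function names, the 100,000-iteration PBKDF2 setting, the key alphabet and the sample account are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # assumed work factor for this sketch

def new_secret_key(length=34):
    """Constructed stand-in for a device-held key: random, never sent to the server."""
    alphabet = "23456789ABCDEFGHJKLMNPQRSTVWXYZ"
    return "".join(secrets.choice(alphabet) for _ in range(length))

def hkdf_sha256(key_material, salt, info, length=32):
    """HKDF (RFC 5869) extract-then-expand with HMAC-SHA256."""
    prk = hmac.new(salt, key_material, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def derive_vault_key(master_password, secret_key, salt, account_id):
    """Mix a slow password-derived half with a high-entropy device-held half."""
    pw_half = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt,
                                  ITERATIONS, dklen=32)
    sk_half = hkdf_sha256(secret_key.encode(), salt, account_id.encode())
    return bytes(a ^ b for a, b in zip(pw_half, sk_half))

def verifier(vault_key):
    """Value stored with the vault so a client can tell whether a derived key is right."""
    return hmac.new(vault_key, b"vault-key-check", hashlib.sha256).digest()

def unlocks(master_password, secret_key, salt, account_id, stored_verifier):
    """True only when both the password and the device-held key are correct."""
    candidate = derive_vault_key(master_password, secret_key, salt, account_id)
    return hmac.compare_digest(verifier(candidate), stored_verifier)

if __name__ == "__main__":
    salt, account = secrets.token_bytes(16), "reporter@example.org"  # constructed
    device_key = new_secret_key()
    stored = verifier(derive_vault_key("correct horse", device_key, salt, account))
    # owner's device: both secrets present
    print(unlocks("correct horse", device_key, salt, account, stored))        # True
    # server-side copy only: right password, but the device-held key is missing
    print(unlocks("correct horse", new_secret_key(), salt, account, stored))  # False
```

the second call is the server-breach case: even a correct password guess cannot be confirmed without the key that only lives on the device.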
it works across every device — phone, laptop, desktop — with browser extensions that autofill credentials without exposing them to keyloggers. the Travel Mode feature lets you remove sensitive vaults from your devices when crossing borders, then restore them with one click.
best for: most journalists, especially those who cover sensitive beats and cross borders frequently.
→ get 1Password free for journalists
Bitwarden is the only major password manager with fully open-source code that anyone can audit.1 it's been reviewed by independent security firms (Cure53, Insight Risk) and the results are public.
the killer feature for journalists with extreme threat models: self-hosting. you can run Bitwarden on your own server, behind your own firewall, with no cloud dependency at all. if you're worried about cloud subpoenas or government data requests, this removes the third party from the equation entirely.
Bitwarden's free tier is genuinely generous — unlimited devices, unlimited passwords, and the core security features. the premium tier ($10/year) adds TOTP 2FA codes, which is worth it for journalists who want one less app to manage.
best for: journalists who want full control over their data, or who need open-source verifiability for organizational security policies.
Enpass stores your vault locally on your device — no cloud, no server, no third party holding your encrypted data at all.1 you sync via your own method (iCloud, Dropbox, OneDrive, or a USB cable), or you don't sync at all.
this is the right choice if your threat model includes: cloud service subpoenas, government access requests to server providers, or simply a desire to minimize your digital footprint. Enpass uses AES-256 encryption with a 100,000-iteration PBKDF2 key derivation — the same standard used by most enterprise password managers.
the trade-off: no automatic sync, no web vault, no shared family plans. you manage the backup yourself. for the right journalist, that's a feature, not a bug.
best for: journalists who work offline, operate in high-surveillance environments, or want absolute minimum cloud exposure.
| | cloud (1Password) | self-hosted (Bitwarden) | local-only (Enpass) |
|---|---|---|---|
| data storage | encrypted on 1Password servers | your own server | your device only |
| subpoena risk | 1Password can't decrypt your data | you control the server | no server to subpoena |
| sync | automatic | manual setup | via your own cloud or cable |
| best for | most journalists | high-threat / org use | offline / extreme privacy |
all three use zero-knowledge encryption: the provider (or server operator) never has access to your plaintext passwords. all three have undergone independent security audits with published results.1
if a government or civil party subpoenas your password manager, a zero-knowledge architecture means the provider has nothing useful to hand over. 1Password's warrant canary and transparency reports show they push back on legal requests.1 with a self-hosted or local-only setup, there's no third party to subpoena at all.
a SIM-swap attack gives an attacker control of your phone number, which they can use to reset passwords via SMS. a password manager with TOTP 2FA (all three support it) means even if your number is stolen, your accounts stay locked. the password manager itself should use an authenticator app or hardware key — never SMS — for its own 2FA.2
you reuse a password on a minor forum. that forum gets breached. now someone has your email and password, and they try it on your email, your CMS, your Signal account. a password manager eliminates reuse entirely — every account gets a unique, random string.
cobalt-trombone-ridgeback-whisper). write it on paper, store it somewhere physically secure. this is the one thing you must never forget.
for 90% of journalists, 1Password is the right answer — it's free, it's audited, and the Secret Key model provides real protection against server-side attacks. if you need open-source verifiability or self-hosting, Bitwarden is the obvious alternative. if you want no cloud at all, Enpass has you covered.
the worst password manager is the one you don't use. pick one, set it up this afternoon, and rotate your most critical passwords tonight.
disclosure: askbuy earns a commission if you purchase through the links above. this does not affect our recommendations — we recommend what we'd use ourselves.