= NordPass =

Infobox
- Title: NordPass
- Logo: Nordpass.png
- Logo Alt: Nordpass.png
- Developer: NordVPN
- Type: Password management service
- Platform: Personal computer, Smartphone
- Operating System: Android, iOS, Linux, macOS, Microsoft Windows
- Status: Active

NordPass is a proprietary password manager launched in 2019. It allows its users to organize their passwords and secure notes by keeping them in a single encrypted vault. NordPass, which operates on a freemium business model, was developed by the VPN service NordVPN.

NordPass is available natively on Windows, macOS, Linux, Android, and iOS, as well as via browser extensions for web browsers.

== History ==
In 2022, NordPass introduced the data breach scanner, that allow users to check if their data had been compromised in a breach.

The same year, NordPass announced NordPass for Business, a solution with teams, business, and enterprise tiers designed to help businesses and organizations strengthen their password management and overall cybersecurity posture.

In 2023, NordPass introduced passkey support, enabling passwordless authentication.

In 2024, NordPass launched email masking, a feature that hides users’ real email addresses when signing up for online services to reduce spam and phishing.

==Security features==
NordPass utilizes the XChaCha variant of the ChaCha20 encryption algorithm, which is regarded as faster and more secure than the AES-256 algorithm.

The service operates on a zero-knowledge architecture, meaning that passwords are encrypted on the user's device before being stored in the cloud. As a result, NordPass cannot access, modify, or manage users' passwords.

Two-factor authentication is available through authentication apps such as Google Authenticator, Duo, and Authy. NordPass also supports FIDO U2F, which works with YubiKey and other third-party security keys. This protection is integrated into the service's login process rather than the app.
The Data Breach Scanner feature automatically scans compromised databases and compares them with items stored in the user's vault, such as passwords and credit card information, to identify any potential breaches. Additionally, NordPass offers a Secure Password Sharing feature that allows users to share passwords securely with other NordPass users.

The platform also scans for password leaks and identifies weak, reused, or outdated passwords, categorizing them into groups such as Weak, Reused, and Old.

NordPass enables users to create an unlimited number of email aliases to protect their real email addresses.

NordPass Business is ISO 27001 and SOC 2 Type 2 certified and complies with HIPAA standards. It also includes a built-in authenticator for generating time-based, one-time passwords for two-factor authentication.

The Email Masking feature allows users to conceal their real email address when signing up for online services.

Furthermore, NordPass provides an Activity Log, Password Policy, and company-wide security settings to help manage and monitor access to company resources.

Other features include Google Workspace SSO, Security Dashboard, MS ADFS, and support for Okta User and Group Provisioning.An independent cybersecurity firm, Cure53, in February 2020 conducted an audit and confirmed the security of NordPass password manager.

The service currently supports passkey storage, allowing users to authenticate without passwords. NordPass was one of the first password managers to implement passkey support.

NordPass also provides a tool called Authopia, a passwordless authentication solution for businesses that enables the integration of passkey login options into their web domains.

==Reception==
At launch in 2019, NordPass received mixed reviews with some tech review sites pointing out the absence of certain features. PCMag, for instance, noted that "it offers very few advanced features such as form-filling, folders, security monitoring, or 2FA key support".

As NordPass and its features evolved over time, it started to be regarded more positively by users and critics, including influential tech websites such as Wired, Forbes, Business Insider, and TechRadar, and was nominated for several awards.

NordPass has published a Top 200 Most Common Passwords report.

NordPass was recognized with PCMag’s Editors' Choice award for paid password managers and received a 4.5 out of 5 rating in their 2025 review, highlighting its strong security features and user-friendly experience.

== Security Criticism ==
=== 2024 Leakage via Injection Attacks ===
A 2024 study by Fábrega et al. demonstrated that many popular password managers are vulnerable to injection attacks. NordPass was affected due to its handling of application-wide security metrics, allowing an attacker to inject crafted shared entries and observe externally logged data (such as duplicate-password counts) to determine whether their injected values matched passwords stored in a victim’s vault.

=== 2025 DOM-based Extension Clickjacking ===
Security researcher Marek Tóth presented a vulnerability in browser extensions of several password managers (including NordPass) at DEF CON 33 on August 9, 2025. In their default configurations, these extensions were shown to be exposed to a DOM-based extension clickjacking technique, allowing attackers to exfiltrate user data with just a single click. The affected password manager vendors were notified in April 2025. According to Tóth, NordPass version 5.13.24 (February 15, 2025) addressed the issue.

== See also ==

- List of password managers
