NordPass Review

Password manager from the NordVPN team using XChaCha20 encryption, with breach scanning, email masking, and passkey support.

NordPass is the password-manager arm of Nord Security, and it makes a few unusual technical choices. The vault is built on XChaCha20 rather than the more common AES-256 — a cipher that runs faster on devices without AES hardware acceleration, and which is more forgiving of nonce-reuse implementation mistakes.

Independent auditor Cure53 has reviewed NordPass twice, in 2020 and again in 2024, covering the cryptographic foundation, source code, desktop apps, browser extensions and mobile apps. All flagged issues were patched and re-verified. The Business edition holds both SOC 2 Type 2 attestation and ISO/IEC 27001:2022 certification, which is a compliance combination rivals like Dashlane have not published.

Pricing is aggressive. The Family plan covers six separate vaults with full Premium features, and at the two-year promotional price of $2.79 a month total, the per-person cost works out to around $0.47 a month — the lowest-priced household tier in the category. Reviewers consistently single out the Data Breach Scanner for automatic continuous monitoring of leaked credentials, real-time passkey support, and Email Masking, which lets you hide your primary inbox at signup.

Capterra's 39 verified business reviewers rate NordPass Business 4.5 out of 5, praising the clean interface, multi-factor authentication and cross-device sync. The rough edges are concentrated on the free tier and the user experience. The free plan is locked to a single active session, so switching between phone and laptop logs the other device out — friction that turns up in nearly every independent review.

Autofill misfires are the most-cited everyday complaint on G2 and Capterra: the icon obscures input fields, sometimes fails to save credentials, and mobile-app autofill is weaker than browser autofill. The Data Breach Scanner identifies leaked credentials but rarely surfaces the breach origin when data appears in dark-web collections, which limits follow-up action.

Emergency Access is mobile-only — desktop and web users cannot delegate access to a trusted contact, an awkward gap for desktop-first households. A couple of organisational notes for completeness. Refunds are not automatic on cancellation; users must contact support within 30 days (14 days for Business), and Trustpilot logs cases of refund refusals minutes after purchase.

Parent Nord Security also disclosed a 2018 NordVPN datacenter intrusion (revealed in 2019), which did not affect password vaults but sits on the corporate group's record and is fair to weigh. For households that want strong cryptography at a low price, NordPass is the leading value option.