All three are good. None is universally the right answer. I have deployed all three in different contexts and the decision is always about the team's constraints, not about which tool is "best."
1Password 8: Best UX
If your users are non-technical and your tolerance for support tickets is low, 1Password is the answer. The iOS and macOS apps are the cleanest in the category. Autofill is the most reliable. Watchtower's breach monitoring is the most actionable. Passkeys support has been shipping since 2023 and feels native.
The things 1Password does better than the others:
- Secret Key + Master Password. The two-factor protection of the vault itself, not just the login. A leaked master password alone cannot decrypt an offline dump. This is a meaningful architectural advantage.
- Developer tools.
opCLI,op runfor injecting secrets into shell commands, SSH agent integration, Shell Plugins. A real story for engineers. - Travel Mode. Unique and useful at borders.
Downsides: cloud-only (no self-host), $8/user/month business tier, and you are trusting 1Password the company forever. Their track record is good. "Forever" is still a long time.
KeePassXC: Best for Sovereignty
A local, open-source KeePass-format database. No cloud. No account. You own the file. You are responsible for its backup, its sync, and its access control.
When KeePassXC is the right tool:
- You are doing threat-model-intense work (journalism, activism, OSINT) and "no vendor in the loop" is a hard requirement.
- You are a single user or a tiny team that can coordinate a shared .kdbx via Syncthing or a self-hosted WebDAV.
- Your employer blocks cloud password managers and you need a personal-use option that complies.
What KeePassXC does not do: real team sharing, mobile-first UX, SSO, admin reporting. Do not try to scale it beyond about five people. Syncing conflict resolution on a shared .kdbx is a nightmare at that size.
On Android, use KeePassDX. On iOS, Strongbox (Pro unlock) is the best viewer. Autofill works but is more effort to configure than the commercial options.
Bitwarden: Best Value
Already covered in the enterprise review — here I will just place it in the comparison. Bitwarden splits the difference: cloud-hosted or self-hostable, open-source client and server, $6/user for Enterprise, real SSO and SCIM. Workable mobile UX that is improving. The right default for most companies that do not have strong reasons to choose one of the others.
For individuals, the free tier is genuinely usable (unlimited items, cross-device sync) and Premium at $10/year adds TOTP and emergency access.
Feature Comparison Table
| Feature | 1Password | KeePassXC | Bitwarden |
|---|---|---|---|
| Open source client | No | Yes | Yes |
| Self-host server | No | N/A | Yes |
| SSO / SCIM | Yes | No | Yes |
| Passkeys | Mature | Limited | Supported |
| CLI | Excellent | Decent | Good |
| Price (Business) | $8/user/mo | Free | $6/user/mo |
| Mobile UX | Best | Workable | Good |
The Decision Framework
Simple questions that pick for you:
- Do your users call the helpdesk when Chrome hiccups? 1Password.
- Are you a journalist, activist, or working in an adversarial region? KeePassXC with a manually synced file.
- Do you want open source, SSO, and the cheapest line item on the InfoSec budget? Bitwarden.
- Are you still on LastPass? Migrate this month to any of the three above.
One last thing. Do not let the comparison paralyze the rollout. The difference between having a real password manager and not having one is 10,000 times larger than the difference between any two of these. Pick one by Friday. Deploy it by end of quarter. Argue about the rest at renewal time.