Do you struggle to handle passwords for email, client databases, online services, purchasing portals, and secure apps? Or do you work in a company which needs to share passwords across the workforce, without compromising security?

If so, Passbolt could be a game-changer. This free, open-source password manager enables safe password sharing and storage, with the ability to access passwords remotely and securely wherever you happen to be. So it has huge potential for all sorts of situations.

But is it the right solution for you? This Passbolt password manager review will assess its features and merits, allowing you to make an informed decision about how to store your authentication details.

Passbolt: Pros and cons

Not all password managers are equal. Some are overly complex, with poor user interfaces and cumbersome authentication processes. Others are slow and hard to roll out across large communities of users, while some simply fall flat when it comes to encryption and security. How does Passbolt compare? To get this Passbolt review started, here’s a quick rundown of the tool’s major pros and cons.

Pros

  • Completely free to download and use
  • Runs locally, and doesn’t rely on Cloud storage (unless you want to)
  • Uses secure OpenPGP encryption
  • Easy to use browser extensions to save passwords
  • Easily create teams for specific projects
  • Generally very well suited to entry-level users

Cons

  • No Multi-Factor Authentication
  • Encryption is only browser based
  • Based in Luxembourg, which may raise some privacy concerns

Company background: Getting to know Passbolt SA

Passbolt SA is based on the tiny Duchy of Luxembourg, which is part of the European Union. Luxembourg isn’t technically part of the 5 or 14-eyes surveillance alliance but has strong ties to NATO and the USA, and its own intelligence agencies have been implicated in spying scandals in the not-too-distant past. That’s something users will want to bear in mind, although it’s not necessarily fatal to the Passbolt package.

The company has released Passbolt as a fully open-source product, under the Free Software Foundation’s GNU AGPL, and all of the source files can be downloaded from Github – a sign of how transparent the developers are about how the password manager works.

The basic Passbolt manager (dubbed the “Community” version) is available free of charge, but Passbolt SA is a commercial company and offers a range of paid packages alongside the free version. So we aren’t dealing with a group of idealistic privacy fans. Aside from those basic details, there’s not much to report about Passbolt SA. As far as we can tell, the company has a clean bill of health and hasn’t been embroiled in any major scandals.

Features

Before we move onto how to set up and use Passbolt, here’s a very quick rundown of the application’s core features. This applies to the Community version, not paid editions, which have a few extra add-ons:

  • Secure password storage and sharing. All passwords are stored on user-specific servers, which are protected via OpenPGP encryption at all times.
  • Passwords can be shared across all team members instantly, providing secure access to corporate assets.
  • No limit to the number of users you can add, and no limit to the number of stored passwords.
  • Passbolt can be added as an extension to Chrome and Firefox, letting users add log-ins from specific web pages with a single click.
  • Additional user features include email notifications when passwords are added or changed, group management to divide teams effectively, tags and comments to annotate passwords, and the ability to export passwords in .kdbx and .csv formats.

Security issues: Is the Passbolt password manager safe?

Security is always our number one concern when assessing password managers, and with good reason: the whole point of these tools is to provide a safe space to store and share passwords, instead of using emails, text files, or hard copies. In a world where passwords are much easier to crack than many users think, it pays to take a second look at security.

Fortunately, Passbolt has a lot to offer when it comes to security. For starters, it uses a browser-based OpenPGP cipher to encrypt passwords. This encrypts data using SSL/TLS, which is the gold standard for browser-based encryption. So on this level, the app performs as well as we could expect.

When passwords are received by the Passbolt servers, the system uses a public key setup based around GnuPG and OpenPGP-PHP to authenticate and decode them. Only authorized users have access to public keys, which are generated afresh when they log in.

Those mechanisms are relatively secure, and as far as browser-based password managers go, it’s hard to beat them. However, Passbolt does suffer from some potential vulnerabilities. Accounts have master passwords which need to be guarded, and lists of users or comments aren’t encrypted.

How to use the Passbolt password manager

Now that we’ve taken a quick look at Passbolt’s security features and found that they measure up pretty well, let’s investigate more down to earth issues. How does Passbolt compare with the best password managers in the field of usability?

For starters, Passbolt can be used on any platform that supports Google Chrome or Firefox. As long as you can log onto the Passbolt servers, you can create an account and start sharing passwords. That’s good news for Mac, Linux, Windows, Android, and iOS users.

The system is based around browser extensions for Chrome and Firefox, as this allows Passbolt to auto-fill website passwords securely while assigning random numbers for user keys. The two extensions are relatively easy to install and work in a similar way, but there are a few subtle differences:

Passbolt for Google Chrome

If you setup a Passbolt account using Chrome, you’ll be prompted to install the extension via a Github link. Installation is simple and non-intrusive. When it’s done, you’ll see a small Passbolt logo in the top right-hand corner of the screen.

If you click that logo, you’ll call up a small Passbolt menu, which lets you browse groups and titles. More importantly, if you click on it while using a page with a password field, you can automatically create an entry for that site. Just type in your user password, and Passbolt will store the password, encrypt it, and send it to the password storage vault.

Now, whenever you return to that site, you’ll be able to securely log in. And when you change the password (as you should, on a regular basis), this will be updated in the Passbolt database.

Passbolt for Mozilla Firefox

The same process applies to installing the Firefox extension. However, a word of caution for Firefox users:

When we first tried to install the extension, the process failed to complete, and the icon wouldn’t show on the toolbar. Apparently, this happens regularly with Passbolt. We followed the suggested workaround successfully. Even so, it’s an annoying bug that shouldn’t be present.

Run Passbolt on a private server

Passbolt can also be installed as a private server, which allows users to control their own hardware, instead of trusting Passbolt’s own servers (or storage in the Cloud, which is the third option). We didn’t have the capacity to create a dedicated server, but full documentation for doing so on major Linux builds is available from the Passbolt website, and feedback from users suggests that it’s not overly complex.

Is Passbolt as user-friendly as it claims?

Yes, Passbolt is very user-friendly. As part of this Passbolt review, we put the tool through its paces as much as we could. The results were quite impressive, especially when you bear in mind that Passbolt is free to use.

It’s easy to add extra users via smartphones, and building a master list of important passwords is just as simple. We created a couple of groups with overlapping members and assigned passwords without any problems. We also removed a couple of users from password groups, and they immediately lost access to authentications – just what we hoped to see.

The GUI will be instantly familiar for anyone who has used password managers, WordPress APIs, or Gmail.

There are some extras to mention as well. For instance, applying two-factor authentication via Duo or Yubikey can be achieved with one click. That’s an excellent way to add another layer of security for accessing the master list of passwords. And if you don’t want to use 2FA, there’s a “Time-based one-time password” system, which is almost as secure.

Overall, we’d have to agree with Passbolt on the ease of use front, at least in its most simple version (the free to use Community edition).

Passbolt pricing options

The Community version of Passbolt is perfectly functional, but may not meet the requirements of high-level users. In that case, the company offers a selection of paid packages, with varying price points:

  • Startup – $19/month. Next-day email support, Virtual Machine installations, Multi-Factor Authentication, an admin panel, tag management tools, and a special app for mobile users. Limited to 10 users – so it’s only really for smaller organizations.
  • Business – $99/month. Up to 50 users, includes all of the features that come with the Startup edition. Suitable for small and medium-sized enterprises.
  • Enterprise – A bespoke package, which can be tailored to the needs of specific organizations, Enterprise can go way beyond the security and support available with Business. Includes certified key signatures, on-site management, instant email responses, phone support (if required). If you’re thinking about using Passbolt for any workforce with over 50 members, this is the best option.

Payments can be made via all major credit cards, and transactions are shielded by the Stripe payment processing system, which is good to see. However, users do need to provide quite a bit of personal information when signing up, including their address, name, and email address. That might alarm some users who are keen to keep their identity personal.

Everything works fairly smoothly, and the various options are well explained. As a bonus, customers have 15 days to try any paid packages. If they aren’t satisfied, they can claim a  refund after this point. That’s separate from the 1-month free trial, which covers the Community version, and is an excellent starting point.

Passbolt customer support

Customer support is somewhere that free password managers often fail, and it isn’t Passbolt’s strongest area. As a free user, we had access to the Passbolt forums, where users can submit their questions and hope for a response from support staff. Scrolling through a few submissions, it was clear that some queries receive in-depth responses, while others are much less comprehensive.

However, on the plus side, the company maintains a well-written and informative Knowledge Base, with tutorials on most common problems.

If you choose to pay for Passbolt, support becomes much better. Startup users can submit email requests, and expect replies within 24 hours. Business users are promised instant replies, and can also phone Passbolt if they wish. And Enterprise customers often receive in-person support to create and maintain their Passbolt servers.

Overall, you’ll find better support from competitors like LastPass (check out this LastPass review for more on that popular password manager). But for a free password manager, the support available for Passbolt Community edition isn’t a huge problem. If the system was complex and hard to use, this would be an issue. But, as it’s well-designed and intuitive, we’ll let it pass.

Passbolt vs LastPass

In fact, before we conclude this Passbolt review, it’s worth setting Passbolt alongside LastPass, as it represents an excellent yardstick in the password management world.

FeaturesPassboltLastPass
Two-factor authenticationYesYes
Automatic fill of web formsYesYes
Password strength reportYesYes
Secure sharingYesYes
SynchronizationWindows, macOS, Android, iOS, Linux (with paid versions)Windows, macOS, Android, iOS, Linux
Import fromYes, from .csv and .kdbx filesA LOT of apps
Minimal priceFree$3.00/month

As you can see, LastPass isn’t as far ahead of Passbolt as you might think. While LastPass is rightly seen as a leader thanks to its seamless importing, security levels, and general ease of use, Passbolt scores well for privacy and competes well pretty much everywhere else.

Should you use Passbolt password manager?

Passbolt is a very capable free password manager, and its paid versions add extra features which make it a viable LastPass alternative for businesses. It’s one of the best open-source password managers available, and performs well on the security side. Managing individual log-ins and groups is intuitive and simple enough for entry-level users, while you can use Passbolt on Linux, Windows, macOS, and smartphones.

However, what you might find is a better all-around password manager for larger organizations. So shop around, consult our list of the best password managers, and give Passbolt a try. If you aren’t too demanding and are excited by open-source solutions, it should be the ideal fit.