Last updated: · Author: Daniel Rozin
How We Test & Score Password Managers
This page explains every scoring dimension, data source, and editorial decision behind the password manager comparison guide. We publish this so you — and independent fact-checkers — can verify every claim.
1. Scoring dimensions
Each password manager is evaluated on nine attributes. Scores are not weighted into a single composite number; we present raw per-attribute data so you can weight by your own priorities.
| Attribute | What we measure | Primary source type |
|---|---|---|
| Encryption standard | Algorithm, key length, key derivation function (PBKDF2/Argon2) | Vendor security whitepaper or documentation |
| Zero-knowledge architecture | Whether the vendor can access plaintext vault data | Vendor privacy/security whitepaper |
| Independent security audit | Third-party audit firm, audit date, scope, public report availability | Published audit report (Cure53, Bishop Fox, etc.) |
| Breach history | Confirmed security incidents, CVE records, vendor response | CVE database, vendor incident disclosures |
| Platforms supported | OS and browser coverage | Vendor download/compatibility page |
| Pricing (per-user/yr) | Current published price for individual plan | Vendor pricing page (dated) |
| Free tier limits | Devices, items, features included free | Vendor pricing page (dated) |
| 2FA / passkey support | Supported second-factor methods, passkey compatibility | Vendor feature documentation |
| Open-source status | Client-side code availability, license | GitHub repository or vendor statement |
2. Data sources
We accept only primary or independently audited sources. The hierarchy:
- Tier 1 (required): Vendor security whitepaper, official documentation, or pricing page — cited with URL and access date.
- Tier 1 (required): Published third-party security audit (PDF from audit firm's own domain).
- Tier 2 (acceptable): CVE database (cve.mitre.org) for breach history; vendor incident disclosure blog post for context.
- Tier 3 (cross-check only): Methodology-disclosed independent reviews (e.g., Wirecutter, PCMag) used to flag discrepancies, not as primary citations.
- Disallowed: User-review aggregators (G2, Trustpilot, Capterra), anonymous blog posts, our own pages, AI-generated summaries.
- Wikipedia and any Wikipedia mirror/fork — never a cite-worthy source for a cell value. The about.sameAsWikipedia link (schema §1) is an entity reference only, never a citation. This prevents circular sourcing (WP:CIRCULAR).
3. Recency policy
All time-sensitive data cells (pricing, audit dates, breach history) carry a visible “as of [YYYY-MM]” label. We review and update pricing data monthly and audit data quarterly. The page's dateModified field reflects the last real-content edit — not cache refreshes or layout changes.
4. Conflict-of-interest disclosure
A Versus B does not accept payment from vendors to influence comparison scores or rankings. We may display affiliate links for some products; these are clearly labeled and do not affect the comparison data. No vendor has reviewed or approved this guide prior to publication. The author (Daniel Rozin) holds no financial stake in any of the reviewed products.
5. Correction policy
If you identify an error — factual, numerical, or attributional — email contact@aversusb.net with the claim, your proposed correction, and a primary source. We aim to respond within 48 hours and publish corrections with a visible correction notice and updated dateModified timestamp.
CC-BY-4.0 covers aversusb.net editorial text and table layout; vendor names, logos, and marks remain the property of their owners.