AES-256 Encryption

The symmetric encryption cipher used by every credible password manager to protect vault data. AES-256 means 256-bit key length — computationally infeasible to brute-force with any foreseeable technology. Its presence is table stakes; its absence is a red flag.

What AES-256 is

AES stands for Advanced Encryption Standard — a symmetric block cipher standardised by NIST in 2001. The 256 refers to the key length in bits. AES-256 is the same cipher used to protect classified US government communications at the “Secret” and “Top Secret” levels.

Symmetric means the same key encrypts and decrypts the data. In a password manager, your vault is encrypted with a key derived from your master password, stored as ciphertext on the provider’s servers, and decrypted locally on your device when you unlock the vault.

Why 256-bit specifically

AES comes in three key lengths: 128-bit, 192-bit, and 256-bit. All three are considered secure for the foreseeable future — no practical attack against any of them is known. The 256-bit variant is used in contexts where extra security margin is desired (government, financial, healthcare), and has become the default in consumer security software because the performance cost of the larger key is negligible on modern hardware.

The brute-force impossibility: there are 2^256 possible AES-256 keys. If you could test one trillion keys per second — far beyond current computational capability — checking all possible keys would take approximately 3.31 × 10^56 years. The universe is approximately 1.4 × 10^10 years old. AES-256 is not the weak point in any realistic attack on a password manager.

AES-256 is not enough on its own

Every credible password manager uses AES-256 for vault encryption. Where managers differ is in how the encryption key is derived from your master password.

The encryption key is not your master password itself — it’s derived from it using a Key Derivation Function (KDF). The security of the system depends heavily on the KDF:

  • LastPass (pre-breach): PBKDF2-SHA256, as few as 5,000 iterations on pre-2018 accounts. The 2022 breach demonstrated the vulnerability: attackers could systematically test common master passwords against the stolen ciphertext at scale.
  • Bitwarden: Argon2id — a memory-hard KDF that is significantly more resistant to GPU-based brute force. Each iteration requires a fixed amount of RAM, making parallel GPU attacks expensive.
  • 1Password: PBKDF2-SHA256 at 650,000 iterations, plus an additional 128-bit Secret Key. The iteration count is well above OWASP’s minimum of 600,000; the Secret Key adds a factor that cannot be derived from your master password alone.
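
The effect of the iteration count and of a second secret can be seen directly. The following is an added example, not code from any of the managers named above: it derives a 256-bit key with PBKDF2-HMAC-SHA256 from Python's standard library, times one derivation (one password guess) at the iteration counts mentioned, and shows a simplified two-secret combination. The function names, the sample password and the XOR/HMAC combination are assumptions made for illustration and do not reproduce 1Password's actual construction.

```python
import hashlib
import hmac
import secrets
import time

KEY_LEN = 32  # 256 bits, the AES-256 key size


def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch a master password into a 256-bit key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=KEY_LEN)


def derive_key_with_secret(master_password: str, secret_key: bytes,
                           salt: bytes, iterations: int) -> bytes:
    """Simplified two-secret derivation (an assumption for illustration, not
    any vendor's actual scheme): XOR the password-derived key with a key
    derived from a random device-held secret."""
    from_password = derive_key(master_password, salt, iterations)
    from_secret = hmac.new(salt, secret_key, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(from_password, from_secret))


def seconds_per_derivation(iterations: int, runs: int = 3) -> float:
    """Best-of-N wall-clock time for one derivation, i.e. one password guess."""
    salt = bytes(16)
    best = float("inf")
    for _ in range(runs):
        start = time.perf_counter()
        derive_key("constructed-guess", salt, iterations)
        best = min(best, time.perf_counter() - start)
    return best


if __name__ == "__main__":
    password = "correct horse battery staple"  # constructed sample input
    salt = secrets.token_bytes(16)             # per-account random salt
    secret_key = secrets.token_bytes(16)       # 128-bit device-held secret

    baseline = seconds_per_derivation(5_000)
    for count in (5_000, 600_000, 650_000):
        cost = seconds_per_derivation(count)
        print(f"{count:>7} iterations: {cost * 1000:8.1f} ms per guess "
              f"({cost / baseline:5.0f}x the 5,000-iteration cost)")

    # Same password, different secret key: a different vault key results.
    k1 = derive_key_with_secret(password, secret_key, salt, 600_000)
    k2 = derive_key_with_secret(password, secrets.token_bytes(16), salt, 600_000)
    print("keys differ without the right secret key:", k1 != k2)
```

The per-guess cost grows linearly with the iteration count, and the second secret means that the master password alone no longer determines the vault key.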

AES-GCM vs AES-CBC

Some managers specify the mode of operation alongside the cipher:

  • AES-256-GCM (Galois/Counter Mode): Used by 1Password and Dashlane. Provides both encryption and authentication (verifies data hasn’t been tampered with). Preferred for modern implementations.
  • AES-256-CBC (Cipher Block Chaining): Used by Bitwarden. A widely implemented, well-understood mode. Secure when implemented correctly.

For typical users: both modes are secure. GCM is more modern and provides authenticated encryption; CBC requires a separate authentication step (HMAC). Bitwarden implements the separate authentication correctly, as verified by Cure53’s audit reports.

The newer alternative: XChaCha20

NordPass uses XChaCha20 instead of AES-256. This is a deliberate choice:

  • XChaCha20 does not depend on hardware AES acceleration, so it is not exposed to the cache-timing side-channel attacks that can affect AES on processors without AES-NI instructions
  • In environments where hardware AES acceleration is unavailable, XChaCha20 is significantly faster
  • On modern hardware with AES-NI, AES-256-GCM is typically faster

For typical users, the practical security difference between AES-256 and XChaCha20 is zero. Both are mathematically secure for the foreseeable future.

What to look for in a manager

When evaluating a password manager’s encryption claims:

  1. AES-256 for vault encryption — present in every credible manager, absent in some marginal players
  2. KDF iteration count — look for PBKDF2 at 600,000+ iterations or Argon2id (memory-hard, which makes GPU-based brute force expensive)
  3. External audit confirming the implementation — claims are not verification; an audit report from Cure53, NCC Group, or equivalent is
  4. Authenticated encryption (GCM mode or HMAC) — ensures vault integrity, not just confidentiality
