Password Vault
The encrypted database that holds your saved logins, secure notes, credit cards, identities, and file attachments inside a password manager. Understanding how the vault is structured, shared, and synced is the foundation for choosing the right manager.
What a password vault is
A vault is the core data structure of a password manager — the encrypted container that holds everything you entrust to it. At its simplest, a vault is a database of entries. Each entry contains a URL, username, and password at minimum. Most managers support richer entry types:
- Login: URL, username, password, TOTP seed, custom fields
- Secure note: free-form encrypted text (for social security numbers, recovery codes, etc.)
- Credit card: card number, expiry, CVV (encrypted at rest)
- Identity: name, address, phone — pre-fills forms automatically
- File attachment: encrypted file storage (documents, IDs, recovery codes) — typically limited by tier
The vault is stored as encrypted ciphertext. The encryption key is derived from your master password on your device — the vault’s provider never has access to the key or the plaintext.
Types of vaults
Personal vault: owned and controlled by you alone. Default for individual accounts. 1Password, Bitwarden, Dashlane, NordPass, and LastPass all start with a single personal vault.
Shared vault / Organisation vault: a vault shared between multiple users with granular permissions. 1Password calls these “vaults” (you can have multiple per account), Bitwarden calls them “collections.” Shared vaults allow:
- Household members to access shared streaming accounts
- Teams to share service credentials without exposing individual vaults
- Granular access control: view-only vs edit vs manage
Travel vault (1Password only): a special designation that marks a vault as removable during travel. 1Password’s Travel Mode temporarily removes vaults not marked as “safe for travel” from the app — the vault is still in your account but invisible on the device until you re-enable Travel Mode. Useful for border crossings where device search is a concern.
Vault structure across managers
| Manager | Vault name | Folder/collection support | Sharing |
|---|---|---|---|
| 1Password | Vaults | Nested categories within vaults | Multiple vaults with per-person permissions |
| Bitwarden | Collections (Org) / Folders (personal) | Yes (nested on Premium+) | Collections shared across org members |
| Dashlane | Single vault | Categories (flat) | Sharing via secure link or group |
| NordPass | Single vault | Folders | Folder-level sharing |
| LastPass | Vault | Folders (nested) | Shared folders |
Why vault structure matters for migration
When you switch password managers, the vault structure (folders, categories, tags) may or may not transfer — this is one of the most frequently underestimated migration costs.
1Password → Bitwarden: Folder hierarchy transfers as collections. TOTP seeds do not transfer automatically.
LastPass → Bitwarden: Folders flatten to a single level. TOTP seeds are lost. Attachments are lost.
LastPass → 1Password: Full folder hierarchy preserved. TOTP seeds preserved. Attachments preserved. The 5/5 migration score reflects the completeness of this transfer.
See the migration fidelity matrix for a complete breakdown of what survives each migration path.
Vault sync: cloud vs local
Cloud-synced vaults (1Password, Bitwarden cloud, Dashlane, NordPass, LastPass): your vault is stored encrypted on the provider’s servers and synced across all your devices automatically. You access it anywhere; the provider holds ciphertext only.
Local vaults (KeePassXC, local Bitwarden backup): your vault is stored as an encrypted file on your device. Sync across devices requires manual configuration (Dropbox, Syncthing, iCloud Drive). Zero cloud dependency; you’re responsible for backups.
Self-hosted vaults (Vaultwarden, self-hosted Bitwarden): you run the server yourself. Cloud convenience without relying on a third-party provider. Meaningful setup and maintenance overhead — see the self-hosting glossary entry for the honest tax.
What to store (and what not to store)
Store in your vault:
- All login credentials (including TOTP seeds in the built-in authenticator if your manager supports it)
- Secure notes with sensitive data (SSN, passport number, insurance details, recovery codes)
- Credit cards and identities for autofill
- Encrypted copies of key documents (passport scan, tax documents) if your tier supports attachments
Consider carefully:
- Your backup codes for other services (2FA recovery codes) — yes, store them, but have a paper copy too
- Cryptocurrency wallet seed phrases — a password manager is a valid storage location, but not the only one; multi-location backup is essential
Do not rely solely on your vault for:
- The 2FA seed for your password manager account itself — this creates a circular dependency. Keep the password manager’s own 2FA seed in a separate authenticator app or on a YubiKey.
- Your only copy of critical recovery codes — print them and store offline as well.
Go deeper
- Stage 1 — Learn What is a password manager? The foundational guide — start here if you're new to the space. Read →
- Stage 3 — Commercial The 8 Best Password Managers, 2026 From foundation to pick — which manager has this feature verified? Read →
- Stage 5 — Tool Decision Wizard 5 questions, 60 seconds, your top-3 recommendation. Read →