NordPass Review

While many NordPass reviews claim this password manager offers the “best password protection in the market”, our NordPass review reaches a different conclusion. Not only is the NordPass password manager overpriced, but it also raises security and compliance questions that cannot be ignored if your organization is subject to the HIPAA Security Rule.

NordPass is a relative newcomer to the password manager market, having been launched in 2019 by Panama-based Tefincom SA – the company behind NordVPN. Despite being a new player in an already crowded market, the release of NordPass received a lot of attention and, in 2021, it was ranked as the tenth most popular password manager in a survey conducted by security.org.

Realistically, NordPass' rise to widespread adoption should never have happened. In the same year that NordPass was released, news broke of a major security breach at one of NordVPN's servers; and, in a separate incident, the usernames and passwords of more than 2,000 NordVPN customers were exposed. In both cases, experts were critical of the company's security shortcomings, which should have raised concerns about the security of NordPass.

Nonetheless, the widespread adoption continued – mostly attributable to an aggressive affiliate program offering up to 75% commission which allows affiliates to offer NordPass subscriptions at a lower cost than going directly to NordPass. But do discounted subscriptions represent the value they look like they do, what happens when a subscription is due for renewal, and – more importantly for organizations subject to HIPAA – is NordPass secure and HIPAA-compliant?

How Does the NordPass Password Manager Work?

NordPass is a vault-based password manager in which users (other than under the free plan) can save an unlimited number of passwords, payment details, addresses, and other data across an unlimited number of devices. Saved data synchronizes automatically, so whenever a NordPass customer visits a website or opens an app that requires login credentials, the password manager can autofill the username and password regardless of which device is being used.

For individual users and businesses, vault-based password managers facilitate the use of unique, complex passwords for each online account and mitigate the threat of data breaches attributable to weak and reused passwords that can be cracked by brute force or credential stuffing attacks. They can also mitigate the risk from phishing: autofill is keyed to the domain of the site on which the credentials were saved, so if a phishing email directs a user to a look-alike domain, the password manager will not offer any login credentials – which should alert the user to the risk.

NordPass claims to operate a zero-knowledge model. This means that the data stored in each vault is encrypted on the user's device with a key derived from the user-defined master password (entered to unlock the vault at the start of each session), and neither the master password nor the derived key is sent to NordPass' servers, which hold only ciphertext. However, as mentioned previously in our NordPass review, Tefincom does not have a good record for security and – because the client software is proprietary rather than open source – nobody outside the company can inspect what is going on “under the hood” to confirm that the model is implemented as described.

NordPass Business Plans: Features and Prices

NordPass offers two business plans – one for small and medium sized organizations with up to 250 users, and a second plan (called “Enterprise” to distinguish it from the first plan) for any number of users. Both plans include an admin panel, security dashboard, and access to activity logs – essential features for HIPAA compliance – while the Enterprise plan includes more Single Sign On (SSO) and provisioning options. Enterprise customers also get help with onboarding users and better support.

NordPass business plans also include a policy engine. When enabled, system administrators can require that passwords (both imported passwords and new passwords) meet a minimum length and contain special characters. However, if a user fails to comply with a password policy, the policy engine only flags the password as weak. It does not block the password from being saved or used, so a weak password remains in place until an administrator notices it – increasing the risk of a data breach in the meantime.

Additionally, only the business plan for small organizations has a published price. The price varies according to the payment cycle (monthly, one-year, or two-year terms) and whether you are able to get a better deal from an affiliate, but expect to pay around $48 per user for the first year and more when you renew your subscription. By comparison, Bitwarden's Teams Plan (for an unlimited number of users) costs $36 per user per year. Enterprise plan prices are only available “on request”, so there is no published benchmark against which to judge a quote.

Is NordPass Secure and HIPAA-Compliant?

Although its parent company has had its share of problems in the past, there are no recorded security incidents directly related to the NordPass password manager. However, users often report software bugs on Reddit forums, and when apps load slowly, fail to autofill login details, or log out unexpectedly, users are inclined to take shortcuts with password best practices to “get the job done”. This can lead to failures in security and non-compliance with HIPAA´s Technical Safeguards.

With regards to HIPAA compliance, NordPass doesn't claim to be a HIPAA-compliant solution but states (in the “NordPass Business Whitepaper”), “If you process sensitive health information, NordPass can help you to get one step closer to being HIPAA-compliant.” NordPass' online HIPAA compliance guide provides a little more advice about security best practices, but doesn't indicate whether NordPass would be willing to sign a Business Associate Agreement if asked to.

Another question that Covered Entities and Business Associates may wish to ask NordPass is where their data will be stored. Although any ePHI stored, shared, or transmitted via the NordPass password manager should be protected under a Business Associate Agreement, NordPass' servers are mostly located in Panama – where laxer data protection rules apply. Under a zero-knowledge design the vault contents themselves should remain ciphertext wherever they are held, but account metadata such as the email addresses your employees use as usernames is not necessarily protected in the same way, and a list of valid usernames is exactly what an attacker needs to begin a brute force or credential stuffing attack against the login endpoint.

NordPass Review Conclusion

Although the concept of zero-knowledge, vault-based password managers is sound, our NordPass review raises multiple questions about using this password manager to apply password best practices. From paying affiliates huge commissions (which increases the price to customers), to a lack of pricing transparency, to buggy proprietary software, NordPass raises so many red flags that it cannot be recommended as a suitable password manager for organizations subject to HIPAA.