C

NordPass Password Manager

Notable issues
Nord Security · 🇵🇦 Panama
Technical details
App: com.nordpass.android.app.password.manager
Manufacturer: Nord Security

The bottom line

After you lock your vault, your credit card numbers stay in memory. Any malware running under your user account (or with higher privileges) can read them out of the NordPass process, even though the UI tells you the vault is locked and your data is safe. NordVPN has been caught making exaggerated security claims in marketing. When the same company runs your password manager, every security claim deserves extra scrutiny.

Legal jurisdiction
🇵🇦 Panama (headquarters)
Law 81 (2019)
Basic data protection. Enforcement weak — Panama's appeal is corporate secrecy, not privacy protection
Spying
1/4 LOW
Is someone spying on me?
Data Sharing
0/4 N/A
Who gets my data?
Security
3/4 HIGH
Is it actually secure?
Honesty
2/4 MODERATE
Can I trust what they say?
CONFIGURE: High-risk areas that can be partially mitigated with settings changes.
5 contradictions: 0 critical, 1 high, 4 medium. 2 sources.
Findings by concern
Spying 1/4 LOW 1 finding
⚫ Medium · firmware analysis vs app permissions
An attacker could bypass Windows Hello to unlock your vault without your fingerprint or face. The biometric prompt gave a false sense of security while the check it was supposed to enforce could be skipped.

What they claim: NordPass uses Windows Hello biometric integration for convenient unlock

What we found: A bypass vulnerability was discovered in the Windows Hello integration that allowed the authentication step to be circumvented. Biometric unlock never adds strength beyond the vault key it releases; it only decides when that stored key is handed over, so a flaw in that release path leaves a convenience feature that provides a false sense of security.

Security 3/4 HIGH 3 findings
⚡ High · firmware analysis vs app permissions
After you lock your vault, your credit card numbers stay in memory. Any malware running under your user account (or with higher privileges) can read them out of the NordPass process, even though the UI tells you the vault is locked and your data is safe.

What they claim: NordPass stores sensitive credentials with 'military-grade encryption'

What we found: In January 2025, a vulnerability was discovered where credit card details remained in application memory after the user locked the vault. The UI reported the vault as locked, but the plaintext persisted in process memory, readable by any process able to open the NordPass process for memory reads, which on Windows means malware running under the same user account or with higher privileges. Encryption at rest does not help here: the data had already been decrypted for display, and a lock that does not wipe decrypted data and key material from memory is only a UI state.
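The failure mode above, as an added example that is not NordPass code: a toy vault that holds a decrypted card number in a fixed arena standing in for the process heap. One lock routine only flips the flag the UI reads; the other overwrites the plaintext first. A scanner function plays the part of malware that can read the process's memory. All names, the arena layout and the sample card number are hypothetical or constructed.

```c
/* Added example (not NordPass code): why a "locked" flag is not a lock.
 * lock_flag_only() flips the flag the UI displays but leaves plaintext in
 * place; lock_and_wipe() overwrites it before reporting locked.
 * memory_still_holds() stands in for malware scanning process memory.
 * Names, layout and sample data are hypothetical / constructed. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ARENA_SIZE 256
#define CARD_OFFSET 100   /* hypothetical position of the decrypted card */

typedef struct {
    unsigned char arena[ARENA_SIZE]; /* stand-in for heap memory */
    size_t card_len;
    int locked;                      /* the state the UI displays */
} vault_t;

/* Constructed sample input: a test card number, not real data. */
static const char SAMPLE_CARD[] = "4111111111111111";

/* Overwrite through a volatile pointer so the compiler cannot drop the
 * stores as dead writes, which it may do with a plain memset() on memory
 * that is never read again. Platform helpers such as SecureZeroMemory
 * (Windows) or explicit_bzero (glibc/BSD) do the same job. */
static void secure_zero(void *p, size_t n) {
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}

/* Place the "decrypted" card in the arena (decryption itself is out of scope). */
void vault_open(vault_t *v, const char *card) {
    memset(v, 0, sizeof *v);
    v->card_len = strlen(card);
    memcpy(v->arena + CARD_OFFSET, card, v->card_len);
    v->locked = 0;
}

/* Vulnerable pattern: the lock is only a UI state. */
void lock_flag_only(vault_t *v) {
    v->locked = 1;
}

/* Hardened pattern: discard the plaintext, then report locked. */
void lock_and_wipe(vault_t *v) {
    secure_zero(v->arena + CARD_OFFSET, v->card_len);
    v->card_len = 0;
    v->locked = 1;
}

/* Stand-in for a memory-reading attacker: byte-wise search of the arena. */
int memory_still_holds(const vault_t *v, const char *needle) {
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= ARENA_SIZE; i++) {
        if (memcmp(v->arena + i, needle, n) == 0) return 1;
    }
    return 0;
}

/* Returns 1 if the UI says locked yet the card is still readable. */
int leaks_after_flag_lock(void) {
    vault_t v;
    vault_open(&v, SAMPLE_CARD);
    lock_flag_only(&v);
    return v.locked && memory_still_holds(&v, SAMPLE_CARD);
}

/* Same check after a wiping lock; expected to return 0. */
int leaks_after_wipe_lock(void) {
    vault_t v;
    vault_open(&v, SAMPLE_CARD);
    lock_and_wipe(&v);
    return v.locked && memory_still_holds(&v, SAMPLE_CARD);
}

int main(void) {
    printf("flag-only lock: UI locked, card still in memory: %d\n",
           leaks_after_flag_lock());
    printf("wiping lock:    UI locked, card still in memory: %d\n",
           leaks_after_wipe_lock());
    return 0;
}
```

In a real client the same treatment applies to the vault key and any decrypted entries, not only card numbers, and the scanner here corresponds to a same-user process calling OpenProcess/ReadProcessMemory on Windows; nothing about the lock flag stops that read, only the absence of plaintext does.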

⚫ Medium · policy claims vs firmware analysis
NordVPN has been caught making exaggerated security claims in marketing. When the same company runs your password manager, every security claim deserves extra scrutiny.

What they claim: NordPass claims zero-knowledge encryption with xChaCha20-Poly1305

What we found: NordPass is owned by Nord Security, which also operates NordVPN — a company with a history of aggressive affiliate marketing and occasionally misleading security claims. While the crypto is strong and Panama jurisdiction is favorable, the parent company's marketing-driven culture raises trust questions for a security product.

⚫ Medium · firmware analysis vs regulatory findings
Each professional audit to date has turned up new vulnerabilities. At DEF CON 33, a researcher demonstrated clickjacking, where an attacker's page hides or overlays interface elements so that a user's click lands on an action they did not intend.

What they claim: NordPass achieved SOC 2 Type 2 certification and ISO 27001:2022

What we found: Cure53 audits (2020, 2021) found a total of 24 vulnerabilities, including 1 high-severity issue. At DEF CON 33 (August 2025), a clickjacking vulnerability was demonstrated. All reported issues were fixed, and neither SOC 2 Type 2 nor ISO 27001 certifies code to be free of vulnerabilities; they attest to controls and management processes, so certification and audit findings are not in direct contradiction. Still, the volume of findings across multiple audits suggests ongoing security maturity challenges.

Honesty 2/4 MODERATE 1 finding
⚫ Medium · policy claims vs regulatory findings
Nord Security has staff in Lithuania (EU). Lithuanian authorities can compel employees to provide access or information, regardless of Panama incorporation.

What they claim: NordPass operates from Panama — outside Five Eyes intelligence alliance jurisdiction

What we found: While Panama jurisdiction is genuinely favorable for privacy, NordPass/Nord Security has offices and employees in multiple jurisdictions including Lithuania (EU). The company's operational footprint extends beyond Panama, potentially creating additional legal exposure points.
