Nordpass® Password Manage

Name: Security Analysis: Nordpass® Password Manage
Item: Nordpass® Password Manage
Rating: 5
Author: ChromeBoard

🔍 Security Report Available

👥 6M+ users

📦 v7.3.14

💾 11.03MiB

📅 2026-02-09

View on Chrome Web Store

Chrome will indicate if you already have this installed.

Overview

Designed by the security experts behind NordVPN, the NordPass password manager offers a refined yet user-friendly approach to password management. Effortlessly generate strong passwords, identify weak passwords, discover whether your data has appeared in a data breach, and benefit from the convenience of our autosave and autofill features. But there’s more to NordPass than meets the eye. Beyond passwords, trust NordPass to store your passkeys, credit cards, personal notes, and even files with 3GB of storage reserved just for that.

Never compromise on security. Keep your passwords safe with NordPass.

Here’s more of what you get when you choose NordPass:

➡️ Autofill and Autosave
Log into your favorite website without manually typing your password every time, and autosave new passwords with a click.

➡️ Documents
Securely store and organize PDFs and scans of passports, IDs, and any important paperwork. Add expiry dates and get automatic reminders before anything runs out.

➡️ Password Generator
Generate strong passwords for your online accounts with a single click.

➡️ Passkey storage
Step beyond passwords. Store passkeys next to passwords in NordPass, access them anytime, anywhere.

➡️ Password Health
Identify weak, old, and reused passwords with the dedicated Password Health tool.

➡️ Data Breach Scanner
Check if any of your sensitive data has been compromised and take immediate action.

➡️ Breach Monitoring
Receive real-time alerts about your breached data and stay ahead of potential threats.

➡️ Emergency access and password sharing
Share passwords securely with trusted individuals and provide emergency access to close contacts.

➡️ Credit card and personal info storage
Have direct, instant access to payment details when online shopping or personal details when booking trips without the need to remember or manually type them out.

➡️ Device sync
Save a password on your laptop and access it on your mobile while on the go.

➡️ Unlimited storage and devices
Store countless passwords and access them on all of your devices, even when you’re offline.

➡️ MFA and biometrics
Enhance security with Multi-Factor Authentication, OTP generators, and biometric access.

➡️ File Attachments
Securely attach, store, and retrieve files with 3GB of storage.

➡️ Password Import and Export
Switch from another password manager to NordPass without losing any data.

➡️ XChaCha20 encryption
All your data in NordPass is encrypted with the cutting-edge XChaCha20 encryption algorithm, ensuring unparalleled password security.

➡️ Zero-Knowledge architecture
With NordPass's zero-knowledge architecture, only you have access to your data.

Download NordPass and forget your password stress. Forever.
ℹ️ For more information, visit: https://nordpass.com/
🔒 For Privacy Policy, visit: https://nordpass.com/privacy-policy
✉️ Feel free to contact our Customer Support team with any questions you may have: support@nordpass.com

Privacy Practices

✓ Not being sold to third parties, outside of the approved use cases

✓ Not being used or transferred for purposes that are unrelated to the item's core functionality

✓ Not being used or transferred to determine creditworthiness or for lending purposes

✅ Version v7.4.9 was recently scanned.

v7.4.9 Info Scanned Mar 4, 2026

Security Analysis — Nordpass® Password Manage

Analyzed v7.4.9 · Mar 4, 2026 · 39 JS files · 17100 KB scanned

Permissions

Code Patterns Detected

External Connections

www.w3.org support.nordpass.com nordpass.com formatjs.github.io my.nordaccount.com business.nordsec.com github.com api.nordpass.com json-schema.org addons.mozilla.org nordcheckout.com bit.ly +8 more

Package Contents 138 files · 28.3MB

▾📁FieldClassifier386KB

{}change_email.json33KB

{}change_password.json33KB

{}credit_card.json52KB

{}forgot_password.json33KB

{}identity.json47KB

{}login.json40KB

{}login_register.json30KB

{}register.json46KB

{}subscribe.json38KB

{}time_based_one_time_password.json33KB

▾📁FormClassifier186KB

{}model.json186KB

▾📁SubmitClassifier103KB

{}model.json103KB

▾📁_locales2KB

▾📁da

{}messages.json263B

▾📁de

{}messages.json278B

▾📁en

{}messages.json258B

▾📁es

{}messages.json289B

▾📁fr

{}messages.json343B

▾📁it

{}messages.json290B

▾📁lt

{}messages.json332B

▾📁nl

{}messages.json281B

▾📁_metadata19KB

{}verified_contents.json19KB

▾📁assets5.5MB

▾📁lang1.3MB

{}da.json66KB

{}de.json187KB

{}en.json156KB

{}es.json181KB

{}fr.json192KB

{}it.json178KB

{}lt.json182KB

{}nl.json172KB

▾📁manifestIcons7KB

🖼icon.svg406B

🖼standalone-extension-128.png2KB

🖼standalone-extension-16.png434B

🖼standalone-extension-32.png749B

🖼standalone-extension-48.png1KB

🖼standalone-extension-96.png2KB

🔤Inter-Bold-DzTqCIlM.ttf309KB

🔤Inter-Medium-BvRl13LW.ttf307KB

🔤Inter-Regular-B3vv58xm.ttf303KB

🔤Inter-SemiBold-G8w9vdgA.ttf308KB

🖼PIN-E3Pm-Ddy.svg11KB

🖼PIN-dark-i0yFOaGC.svg12KB

🔤RobotoMono-Bold-gL1XQ8pZ.ttf85KB

🔤RobotoMono-Medium-IwbejJhe.ttf85KB

🖼add-two-factor-code-OEYhkv6R.svg9KB

🖼android-devices-Czdp82uF.png6KB

🖼android-devices@2x-msY49nPg.png16KB

🖼android-devices@3x-BkwSWDJo.png30KB

🖼authenticator-dark-CQL5abOF.png96KB

🖼authenticator-light-Cf5R_3TF.png95KB

🖼authenticatorMultiDevice-1G009iMj.png94KB

🖼autofill-autosave-preview-5GI3xSqC.svg154KB

🖼backup-CEQPx0-p.svg6KB

🖼badge-Dm42hNd-.svg10KB

🖼badge-dark-DVPbIP__.svg9KB

🖼biometrics-BxlHv9rJ.svg5KB

🖼devices-DUFaGNWJ.png17KB

🖼devices-dark-DcpFL1uO.png17KB

🖼devices-dark@2x-BzyUFbJy.png45KB

🖼devices@2x-BSeJUKH3.png44KB

🖼edge-i51Rxzq5.png4KB

🖼email-masking-BVU7ZCQx.png925KB

🖼favicon-DdtOqB_v.png651B

🖼file-attachments-preview-DTGteXhW.svg88KB

🖼firefox-Ca77yLmI.png5KB

🖼ios-devices-D2pPVXiD.png7KB

🖼ios-devices@2x-Ccm1Fk0G.png17KB

🖼ios-devices@3x-BrfCOto8.png31KB

🖼keepassxc-WLY-5Fau.png5KB

🖼laptop-C4SGb8Ec.png53KB

🖼laptop-dark-BNsdZmjM.png55KB

🖼laptop-dark@2x-CyY9rGEv.png157KB

🖼laptop@2x-CaTmTkO6.png146KB

🖼passkeys-preview-BsRC78F9.svg79KB

🖼password-health-TP9ZOlqL.svg6KB

🖼platforms-DKCPyG4K.png11KB

🖼platforms-dark-BUqxpR8a.png11KB

🖼platforms-dark@2x-jcx6gTHv.png30KB

🖼platforms@2x--8WH8_3r.png30KB

🖼protonpass-Du_wbQY5.png4KB

🖼request-email-code-dark-DSkJOZMk.png59KB

🖼request-email-code-light-CKfHFX7U.png66KB

🖼safari-BIl1Ug5g.png6KB

🖼update-C8MCbz0o.svg5KB

🖼update-dark-B38u8Vo9.svg5KB

🖼vault-CpW85_yr.svg10KB

🖼vault-dark-T-ZoWldI.svg8KB

🖼web-vault-BfEDDY_B.svg220KB

🖼web-vault-dark-CQAriX_O.svg220KB

▾📁css4MB

🎨autofill.css239B

🎨content.css3.7MB

🎨index.css323KB

🎨popup.css138B

▾📁js16.7MB

📜DataBreachScanner.chunk.js38KB

📜DownloadLogsButton.chunk.js545B

📜DownloadLogsSection.chunk.js566B

📜EmailMaskDetailsView.chunk.js7KB

📜EmailMasking.chunk.js15KB

📜EmergencyAccess.chunk.js8KB

📜FileSaver.min.chunk.js3KB

📜ItemDetailsView.chunk.js11KB

📜LinkedAccountSetup.chunk.js14KB

📜OnboardingAndPrivacyPolicyTemplate.chunk.js2KB

📜PasswordHealth.chunk.js26KB

📜PromoPage.chunk.js13KB

📜TotpModalsHandler.chunk.js1.2MBlarge

📜app.js1.9MBlarge

📜background.js3.9MBlarge

📜biometrics.chunk.js401KBlarge

📜biometrics.js723B

📜browser.chunk.js3KB

📜classifier.js3.2MBlarge

📜content.js2.3MBlarge

📜de.chunk.js255KBlarge

📜ecp-extension-detection.js311B

📜es.chunk.js252KBlarge

📜fr.chunk.js272KBlarge

📜frequencyList.chunk.js185B

📜index.chunk.js1.8MBlarge

📜index.chunk2.js229B

📜initExtensionSentry.chunk.js61KBlarge

📜it.chunk.js241KBlarge

📜lt.chunk.js269KBlarge

📜nl.chunk.js233KBlarge

📜nordpass-script.js492B

📜offscreen.js1KB

📜passkeys.js12KB

📜popup.js209KBlarge

📜redirectContent.js64KBlarge

📜translationsService.chunk.js1KB

📜updateFAQVisibility.chunk.js1KB

📜useMonitoringAssetActions.chunk.js4KB

🌐app.html4KB

🌐biometrics.html4KB

{}englishWords.json1.3MB

{}frequencyList.json94KB

🌐index.html4KB

{}manifest.json13KB

🌐offscreen.html3KB

What This Extension Does

NordPass Password Manager is a browser extension that securely stores and autofills passwords, credit cards, personal notes, and files. It offers features like password generation, data breach scanning, and emergency access sharing. This extension is suitable for individuals seeking to manage their online identities and sensitive information.

Permissions Explained

idleexpected: This permission allows the extension to run in the background even when the browser is idle.
Technical: The 'idle' permission grants access to Chrome's idle API, which can be used to monitor and control the browser's activity. This could potentially allow the extension to inject malicious code or track user behavior without their knowledge.
alarmsexpected: This permission enables the extension to schedule notifications and reminders.
Technical: The 'alarms' permission grants access to Chrome's alarms API, which can be used to create and manage scheduled events. This could potentially allow the extension to send unsolicited notifications or track user behavior without their knowledge.
storageexpected: This permission allows the extension to store data locally on your device.
Technical: The 'storage' permission grants access to Chrome's storage API, which can be used to read and write data to local storage. This could potentially allow the extension to steal sensitive information or inject malicious code without user consent. ⚠ 1
tabsexpected: This permission enables the extension to access and manipulate browser tabs.
Technical: The 'tabs' permission grants access to Chrome's tabs API, which can be used to read and write tab data. This could potentially allow the extension to inject malicious code or track user behavior without their knowledge.
privacycheck this: This permission allows the extension to access sensitive information about your browsing activity.
Technical: The 'privacy' permission grants access to Chrome's privacy API, which can be used to read and write private data. This could potentially allow the extension to steal sensitive information or inject malicious code without user consent. ⚠ 1
contextMenusexpected: This permission enables the extension to create custom context menus in the browser.
Technical: The 'contextMenus' permission grants access to Chrome's context menu API, which can be used to inject malicious code or track user behavior without their knowledge.
offscreenexpected: This permission allows the extension to create off-screen windows and tabs.
Technical: The 'offscreen' permission grants access to Chrome's off-screen API, which can be used to inject malicious code or track user behavior without their knowledge.
clipboardReadcheck this: This permission enables the extension to read data from your clipboard.
Technical: The 'clipboardRead' permission grants access to Chrome's clipboard API, which can be used to steal sensitive information or inject malicious code without user consent. ⚠ 1
https://api-toggle.nordpass.com/*expected: This permission allows the extension to make requests to NordPass's API.
Technical: The 'https://api-toggle.nordpass.com/*' permission grants access to NordPass's API, which can be used to read and write sensitive information. This could potentially allow the extension to steal user data or inject malicious code without their knowledge.
https://api-toggle.stag.us.nordpass.com/*expected: This permission enables the extension to make requests to NordPass's staging API.
Technical: The 'https://api-toggle.stag.us.nordpass.com/*' permission grants access to NordPass's staging API, which can be used to read and write sensitive information. This could potentially allow the extension to steal user data or inject malicious code without their knowledge.
https://lastpass.com/*expected: This permission allows the extension to make requests to LastPass's API.
Technical: The 'https://lastpass.com/*' permission grants access to LastPass's API, which can be used to read and write sensitive information. This could potentially allow the extension to steal user data or inject malicious code without their knowledge.

Your Data

NordPass Password Manager accesses sensitive information such as passwords, credit cards, personal notes, and files. It sends this data to NordPass's API (https://api-toggle.nordpass.com/*) and LastPass's API (https://lastpass.com/*).

Technical Details

domains_contacted

www.w3.org
support.nordpass.com
nordpass.com
formatjs.github.io
my.nordaccount.com
business.nordsec.com
github.com
api.nordpass.com
json-schema.org
addons.mozilla.org
nordcheckout.com
bit.ly

protocols_used

https
wss

encryption_status

XChaCha20 encryption is used to protect user data.

data_types_accessed

cookies
tokens
keystrokes
page content

Code Findings

Dynamic JS importMedium

The extension uses dynamic JavaScript imports, which can make it harder to analyze and debug.

Technical: The extension uses the import() function to dynamically load JavaScript modules. This can be used to inject malicious code or evade security measures.

💡 Dynamic imports are commonly used in legitimate extensions to improve performance and flexibility.

String.fromCharCode (obfuscation)Medium

The extension uses string obfuscation techniques, which can make it harder to analyze and debug.

Technical: The extension uses the String.fromCharCode() function to obfuscate strings. This can be used to hide malicious code or evade security measures.

💡 String obfuscation is commonly used in legitimate extensions to protect sensitive information.

Captures keystrokesCritical

The extension captures keystrokes, which can be used to steal sensitive information.

Technical: The extension uses the document.addEventListener('keydown', ...) function to capture keystrokes. This can be used to inject malicious code or steal user data without their knowledge.

💡 Keystroke capturing is commonly used in legitimate extensions for password management and autofill purposes.

Potential hardcoded secretMedium

The extension may contain hardcoded secrets, which can be used to inject malicious code or steal user data.

Technical: The extension contains a potential hardcoded secret in the background.js file. This can be used to inject malicious code or steal user data without their knowledge.

💡 Hardcoded secrets are commonly used in legitimate extensions for authentication and authorization purposes.

Bottom Line

NordPass Password Manager is a feature-rich extension that offers robust password management and security features. However, it captures keystrokes, which raises concerns about user data protection. Users should exercise caution when using this extension and ensure they understand the risks involved.