# Competitive landscape — password managers

> **last-reviewed: 2026-06-20.** This file is the only static, rot-prone asset in
> the skill (the four lenses otherwise read living docs at runtime). The market
> moves: competitors ship features, get breached, change pricing, appear, and
> die. Treat every claim below as "true as of last-reviewed, verify if it
> matters."

**Freshness protocol:**

- If `last-reviewed` is **more than ~6 months** before today, treat this file as suspect: prefer running the market lens in **deep** mode (live web research) over trusting the snapshot, and at the end of the run *offer to refresh this file* (re-research the competitors, rewrite the entries, bump `last-reviewed`).
- Any time a **deep**-mode run surfaces something this file gets wrong or misses (a new competitor, a shipped feature, a breach), offer to fold it back in and bump the date. The cheat-sheet should improve every time it's proven stale.

A grounding cheat-sheet for the market lens in **fast** mode so it reasons from a real map, not vibes. The goal isn't to rank these for everyone — it's to locate Relicario's wedge honestly: where the two-factor / self-host / git-backed / server-sees-ciphertext thesis genuinely wins for the target user, and where Relicario is simply behind on table stakes.

---

## The field

### Bitwarden

- Open-source, freemium, cloud-hosted by default; self-host possible (the official server is heavy; **vaultwarden** is the popular lightweight Rust reimplementation).
- Single-factor KDF: the vault key is derived client-side from the master password alone (PBKDF2-SHA256 or Argon2id). 2FA, when enabled, gates *login to the server*, not the KDF, so whoever holds a copy of the encrypted vault faces only the master password's entropy plus the KDF work factor.
- Strong on: ubiquity, mature mobile + browser autofill, painless import/export, organizations & sharing, low/zero price.
- The default thing a privacy-conscious technical user reaches for. **This is Relicario's primary reference competitor** — most "why not just use X" pressure comes from here (specifically self-hosted vaultwarden).
### vaultwarden

- Community Rust server compatible with the official Bitwarden clients; trivial to self-host (single container). Inherits Bitwarden's polished clients for free.
- Same key model as Bitwarden: item contents are encrypted by the client, but the server database still holds the structure around them (accounts, folder and item records, attachment sizes, revision timestamps), and the KDF input is the master password alone.
- This is the sharpest comparison for Relicario's self-host story: a user who wants self-hosted secrets already has a turnkey, full-featured option with mobile apps and autofill. Relicario must justify what it adds *over* this.

### KeePassXC (+ KeePass ecosystem)

- Local-first, file-based (`.kdbx`), no server at all; sync is BYO (Dropbox, Syncthing, git, etc.). Open-source, free.
- Single-factor by default, but the database's composite key can include a key file and/or a hardware key (YubiKey challenge-response) as a second factor that feeds the KDF, not just the unlock prompt. Conceptually the closest mainstream analog to Relicario's "something you have" image secret: a key file is the unglamorous version of the stego image.
- Strong on: zero-trust-server (there is no server), longevity, plugin ecosystem.
- Weak on: clunky cross-device sync, dated UX, mobile is third-party.
- The other user Relicario competes for: the "I don't trust any cloud" crowd.

### 1Password

- Commercial, polished, cloud-only (no self-host). **Two-factor KDF** (1Password calls it Two-Secret Key Derivation): master password + a 128-bit random Secret Key generated on the device at signup, both required to derive the vault key. The mainstream product whose security model is closest in spirit to Relicario's.
- Strong on: best-in-class UX, mobile, autofill, family/team sharing, support.
- Relevant because it proves the two-factor-KDF idea is marketable — but it does it with a boring random Secret Key, not steganography, and gives up self-host.

### Proton Pass

- Newer, from Proton (Mail/VPN); privacy-positioned, cloud, freemium, open-source clients. Single-factor KDF; leans on brand trust and the Proton bundle.
- Relevant as the "privacy brand" competitor — it wins on trust + ecosystem, not on a novel crypto model.

### LastPass (cautionary tale, not a competitor to chase)

- Repeated breaches (notably the 2022 incidents, in which encrypted vault backups were exfiltrated). The stolen vaults were only as strong as each user's master password and KDF settings (older accounts had very low PBKDF2 iteration counts), and some fields, notably site URLs, were stored unencrypted. That is the canonical argument *for* a second KDF factor, and a supporting argument for encrypting metadata too.
- Useful in positioning: Relicario's README already uses LastPass as the "~40–60 bits, single factor" baseline. The market lesson is real and on Relicario's side, but invoking it is marketing, not differentiation.

---

## Where Relicario can win (the honest version)

- **Server-sees-only-ciphertext + no metadata** against a self-host backend that still stores structured data. vaultwarden encrypts item contents client-side, but its database still reveals how many items a user has, the folder structure, attachment sizes and when each record last changed. A server that holds one opaque blob and learns nothing about what is inside it is a genuine, explainable edge for the threat-model-literate user.
- **Two factors into the KDF** (not just 2FA on login). Among hosted products only 1Password matches this, and it isn't self-hostable; KeePass gets there with a key file, but with no server, no built-in sync and no sharing. The intersection of two-factor KDF, a real server and self-host is close to empty. That's the wedge.
- **Git as audit log** — "when was this rotated?" answered by `git log` and field history. Niche, but unique and real for the audit-conscious user.

## Where Relicario is behind (table stakes to be honest about)

- **Mobile.** Bitwarden/1Password/Proton all have first-class mobile apps with autofill. Relicario is CLI + browser extension; the Rust core compiles to ARM but there's no shipped mobile client. For most users this alone is disqualifying — weigh it heavily.
- **Autofill quality & breadth.** Browser-extension autofill maturity is a moat the incumbents have spent years on.
- **Frictionless import** from the incumbents (Bitwarden, 1Password) — LastPass CSV exists; the others are on the roadmap. Import friction is a real adoption tax.
- **Sharing / multi-user polish.** The org-vault track is new; incumbents have mature org/family sharing.

## The uncomfortable question to keep asking

For a user who wants self-hosted secrets, **vaultwarden already exists and is turnkey with great clients.** Every Relicario feature should be weighed against: "does this widen the gap on the thesis (two-factor KDF, no-metadata, git audit), or is it just trying to catch up to vaultwarden on table stakes I'll never win?"
The strategy lens should treat *catching up to vaultwarden's client polish* and *deepening the unique thesis* as different bets with very different ROI.
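The KDF distinction this file leans on (Bitwarden's 2FA-gates-login model versus a second secret fed into the key derivation, as in 1Password's Secret Key or a KeePass key file, and why the LastPass vault theft hurt) is easier to reason about in code than in prose. The block below is an added example for this cheat-sheet; it is not Relicario's, Bitwarden's, 1Password's or KeePass's code, and it demonstrates the general pattern rather than any product's exact construction. The HMAC mixing of the second factor, the stdlib-only HMAC-CTR "vault cipher", the iteration count, the wordlist and the sample vault payload are all assumptions constructed for the demonstration.

```python
"""Added example: what a stolen ciphertext vault is worth under a single-factor
versus a two-factor KDF.  Not any product's code; the constructions below are
illustrative stand-ins chosen so the whole thing runs on the Python stdlib."""
import hashlib
import hmac
import os
import secrets
from typing import Dict, List, Optional

# Deliberately low so the offline-guessing demo finishes in well under a second.
# Real vaults use hundreds of thousands of PBKDF2 rounds or Argon2id; that only
# slows guessing, it does not change *which* vault is crackable.
KDF_ITERATIONS = 1_000


def derive_key(password: str, salt: bytes, secret_key: bytes = b"") -> bytes:
    """Single-factor when secret_key is empty, two-factor otherwise.

    The second factor goes into the key derivation itself, so a copy of the
    vault is useless without it even when the password is guessed.  (2FA that
    only gates login to the server would not appear in this function at all.)
    Mixing the two with HMAC is an assumption of this example, not any
    product's actual scheme.
    """
    pw_material = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)
    if not secret_key:
        return pw_material
    return hmac.new(secret_key, pw_material, "sha256").digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stdlib-only stand-in for a real stream cipher."""
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest())
    return b"".join(blocks)[:length]


def seal_vault(key: bytes, plaintext: bytes) -> Dict[str, bytes]:
    """Encrypt-then-MAC with separate subkeys (toy AEAD standing in for AES-GCM)."""
    enc_key = hmac.new(key, b"enc", "sha256").digest()
    mac_key = hmac.new(key, b"mac", "sha256").digest()
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, "sha256").digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}


def open_vault(key: bytes, record: Dict[str, bytes]) -> Optional[bytes]:
    """Return the plaintext if the key authenticates the record, else None."""
    enc_key = hmac.new(key, b"enc", "sha256").digest()
    mac_key = hmac.new(key, b"mac", "sha256").digest()
    expected = hmac.new(mac_key, record["nonce"] + record["ct"], "sha256").digest()
    if not hmac.compare_digest(expected, record["tag"]):
        return None
    ks = _keystream(enc_key, record["nonce"], len(record["ct"]))
    return bytes(c ^ k for c, k in zip(record["ct"], ks))


def crack(record: Dict[str, bytes], wordlist: List[str], secret_key: bytes = b"") -> Optional[str]:
    """Offline guessing against a stolen record.  Salt and KDF parameters sit next
    to the ciphertext (they are not secret), so the attacker runs exactly the
    client's derivation; the only question is what else it needs to hold."""
    for candidate in wordlist:
        if open_vault(derive_key(candidate, record["salt"], secret_key), record) is not None:
            return candidate
    return None


def demo() -> Dict[str, Optional[str]]:
    # Constructed sample data: a human-chosen password that happens to be in the
    # attacker's wordlist, and a small vault payload.
    wordlist = ["letmein", "hunter2", "Tr0ub4dor&3", "correct horse battery staple"]
    password = "Tr0ub4dor&3"
    vault = b'{"github": {"user": "alice", "token": "ghp_constructed_example"}}'
    salt = os.urandom(16)

    # What the server (and therefore a breach dump) holds in each model: salt + sealed blob.
    single_factor = {"salt": salt, **seal_vault(derive_key(password, salt), vault)}
    secret_key = secrets.token_bytes(16)  # 128-bit "something you have", never sent to the server
    two_factor = {"salt": salt, **seal_vault(derive_key(password, salt, secret_key), vault)}

    return {
        "single_factor": crack(single_factor, wordlist),
        "two_factor_without_secret": crack(two_factor, wordlist),
        "two_factor_with_stolen_secret": crack(two_factor, wordlist, secret_key),
    }


if __name__ == "__main__":
    for model, result in demo().items():
        print(f"{model:32} -> {'cracked: ' + result if result else 'not cracked'}")
```

Raising the iteration count only makes the single-factor run take longer; the work factor scales the attacker's cost linearly, while a 128-bit second factor makes the wordlist irrelevant. The third result is the flip side Relicario's threat model has to own: once the second factor is captured from the device (keylogger, stolen image file), the vault is back to being exactly as strong as the password.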