How to Use a Password Manager Safely
Quick Answer
Most people reuse passwords because memorising dozens of unique ones is impractical. Password managers solve this problem by doing the memorisation for you. They are one of the most effective security improvements available, and free options exist.
Why Password Reuse Is Dangerous
When a company suffers a data breach, stolen usernames and passwords are tested against other services automatically, a technique called credential stuffing. If you use the same password on multiple sites, one breach becomes access to all of them.
A password manager eliminates this risk by generating and storing a unique password for every account. Even if one site is breached, the credentials are useless everywhere else.
How Password Managers Work
You install the manager as an app and browser extension. When you create an account on a website, the manager generates a strong random password and saves it. When you return to that site, the manager fills in the credentials automatically.
All passwords are encrypted locally or in a secure cloud vault, protected by your master password. The manager's provider cannot read your passwords; only you can, by unlocking the vault with the master password.
Choosing a Password Manager
| Manager | Cost | Key Features |
|---|---|---|
| Bitwarden | Free (premium $10/year) | Open source, independently audited, cross-platform |
| 1Password | $3/month | Polished apps, Travel Mode, family sharing |
| Dashlane | Free tier, paid plans | Dark web monitoring included |
| Apple Keychain | Free (built into Apple devices) | Seamless on Apple ecosystem, limited cross-platform |
| Google Password Manager | Free (built into Chrome/Android) | Convenient but limited to Google ecosystem |
For most people, either Bitwarden (free) or 1Password (paid) offers the best combination of security and usability across all devices and browsers.
Setting Up Your Master Password
Your master password protects everything else. It must be:
- Long: 16 characters minimum. Length matters more than complexity.
- Unique: Not used anywhere else, ever.
- Memorable: You must be able to recall it without writing it in a digital file.
A passphrase, four or five random words strung together, is both strong and memorable. For example: "correct-horse-battery-staple" (this specific example has been published and should not be used; generate your own).
Write the master password on paper and store it in a secure physical location, such as a safe, a lockbox, or with a trusted person. Losing the master password with no backup means losing access to all stored passwords.
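The following added example (not from the article or any password manager vendor) shows why "length matters more than complexity": it generates a passphrase from a wordlist with a cryptographically secure random source, enforces the 16-character minimum, refuses the published "correct-horse-battery-staple" example, and compares the entropy of four- and five-word passphrases against an eight-character password drawn from all printable ASCII. The 16-word list is a constructed stand-in; the 7776-entry size is that of a standard diceware list.

```python
import math
import secrets

# Constructed stand-in wordlist; a real passphrase list (e.g. EFF's long list) has 7776 entries.
SAMPLE_WORDS = [
    "anchor", "basil", "cedar", "dune", "ember", "fjord", "gravel", "harbor",
    "ivory", "juniper", "kelp", "lantern", "marble", "nectar", "orchid", "pebble",
]
DICEWARE_LIST_SIZE = 7776        # 6^5 words, one per five dice rolls
PRINTABLE_ASCII = 94             # letters, digits and symbols a "complex" password draws from
MIN_LENGTH = 16                  # the article's minimum master-password length

# Examples that have appeared in print; a generator must never hand these out.
PUBLISHED_EXAMPLES = {"correct-horse-battery-staple"}


def entropy_bits(choices_per_position: int, positions: int) -> float:
    """Entropy of `positions` independent, uniformly random picks from `choices_per_position`."""
    return positions * math.log2(choices_per_position)


def generate_passphrase(words, n_words=5, sep="-"):
    """Join n_words uniformly random words using the OS CSPRNG (never `random`).

    Regenerates if the result is shorter than MIN_LENGTH or is a published example,
    so every returned phrase satisfies the article's rules.
    """
    if n_words < 1 or len(words) < 2:
        raise ValueError("need at least one word from a list of at least two")
    while True:
        phrase = sep.join(secrets.choice(words) for _ in range(n_words))
        if len(phrase) >= MIN_LENGTH and phrase not in PUBLISHED_EXAMPLES:
            return phrase


def compare_strength():
    """Bits of entropy for the article's options: 4 or 5 diceware words vs. 8 complex characters."""
    return {
        "4 words": round(entropy_bits(DICEWARE_LIST_SIZE, 4), 1),
        "5 words": round(entropy_bits(DICEWARE_LIST_SIZE, 5), 1),
        "8 complex chars": round(entropy_bits(PRINTABLE_ASCII, 8), 1),
    }


if __name__ == "__main__":
    print(generate_passphrase(SAMPLE_WORDS, 5))
    for label, bits in compare_strength().items():
        print(f"{label:16s} {bits} bits")
```

Four random diceware words already match an eight-character "complex" password; five words beat it by about 12 bits, and the phrase is the one you can actually remember.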
Setting Up Two-Factor Authentication on the Manager
Enable 2FA on your password manager account itself. Use an authenticator app rather than SMS. This means that even if someone obtains your master password, they still cannot access your vault without the second factor.
Migrating Existing Passwords
When you start using a manager, import or add your existing passwords. Most managers offer an import function that accepts CSV exports from browsers or other managers.
As you add passwords, use the manager's password generator to create new, unique passwords for your most important accounts first: email, banking, social media. Work through other accounts over time; there is no need to do everything at once.
What Password Managers Cannot Do
- They cannot protect your master password if you share it or use it elsewhere
- They cannot prevent phishing: on a fake website the manager may not autofill, because the saved domain does not match (a useful signal), but you can still type credentials manually into the fake page
- They cannot replace good security habits; still check URLs before entering credentials