Password Managers: Why You Need One and How to Choose

84% of people reuse passwords across multiple sites. That’s it. That single number from a 2023 Bitwarden survey changed how I think about online security. Not firewalls. Not VPNs. Not encryption algorithms. Just the plain fact that most of us use the same password over and over, everywhere we go online. Probably you do too. I did for years. And the consequences of that habit are worse than most people realize.

A password manager fixes this. One tool. One change. But picking the right one matters, and setting it up wrong can leave you almost as exposed as before. So this post covers all of it — why you need a password manager, which ones are worth your time, and how to actually get started without messing it up.

Why should I care about password reuse?

Because attackers count on it. Here’s what happens. Some random forum you signed up for back in 2019 gets breached. Happens all the time. Attackers grab your email and password from that breach, then they try the same combo on Gmail, your bank, Amazon, Dropbox, everything. This technique is called credential stuffing, and it’s responsible for billions of unauthorized login attempts every year. Billions. Not thousands.

If your password on that old forum was the same as your email password, you’re done. They’re in. And once someone’s in your email, they can reset passwords on pretty much anything else. Your email account is the skeleton key to your entire digital life.

The average person has somewhere between 70 and 100 online accounts. Some estimates push that closer to 200. No human brain can remember 200 unique, complex passwords. It’s not a discipline issue or a laziness issue. It’s just a limit of how memory works. That gap between what security demands and what our brains can handle — that’s exactly what password managers were built to close.

What does a password manager actually do?

You remember one strong master password. The manager handles everything else. It stores all your login credentials in an encrypted vault. It generates long, random, unique passwords for every site you use. When you visit a login page, it fills in your credentials automatically. It syncs across your phone, laptop, tablet, whatever devices you’ve got.

Many of them also store credit card numbers, secure notes, software licenses, API keys, passport info, and other sensitive data. So it’s not just a password tool. It’s more like a secure filing cabinet for anything you don’t want floating around in a text file or on a sticky note.

The encryption behind these tools is AES-256 — the same standard used by governments and military organizations. Your vault gets encrypted on your device before it ever touches a server. The password manager company can’t read your data. If someone broke into their servers, they’d get encrypted gibberish. Cracking that would take, from what I’ve seen in the math, longer than the age of the universe. At least with a strong master password. Weak master passwords are a different story, and we’ll get to that.

Didn’t LastPass get hacked? Isn’t that proof these things aren’t safe?

LastPass did get hacked. And it’s worth understanding what happened, because it shows why picking the right password manager matters.

In August 2022, LastPass said an attacker got into their development environment. They downplayed it at first. “No customer data was accessed.” Then in December 2022, they admitted that encrypted customer vault data had been stolen. The attacker copied backup data containing both encrypted vault contents and unencrypted metadata — things like which website URLs you had saved.

So even though passwords were encrypted, an attacker could see which sites you used. And if your master password was short or common, they could potentially brute-force the encryption. LastPass had allowed master passwords as short as 8 characters for older accounts and hadn’t forced those users to upgrade. Reports came out in 2023 about cryptocurrency wallets being drained. Researchers at MetaMask linked those thefts to stolen LastPass vault data. Over $35 million in crypto, gone.

But — and this matters — the encryption worked fine for people who had strong master passwords and current settings. LastPass failed in communication, in not enforcing stronger defaults sooner, and in leaving metadata unencrypted. It wasn’t a failure of password managers as a concept. It was a failure of one company’s choices. Other managers learned from it. Some had already avoided those mistakes in the first place.

Which password manager should I pick?

Two stand out. 1Password and Bitwarden. They cover different needs, different budgets, and different comfort levels with technology. I think most people will be happy with either one. Between them, they handle pretty much every use case I can think of.

I’ll also cover why the built-in browser password managers (Chrome, Safari, Firefox) aren’t quite enough on their own. And I’ll mention a few others briefly. But 1Password and Bitwarden are where I’d point someone I cared about.

What makes 1Password good?

1Password has been around since 2006. The apps are clean, consistent, and work on Mac, Windows, Linux, iOS, Android, and every major browser. User experience is the best in this space. If you’re setting up a password manager for a family member who calls you every time their printer jams, 1Password is probably the right call. It just works.

Watchtower is their built-in security monitoring feature. It checks your saved passwords against known breaches, flags weak or reused ones, identifies sites where you haven’t turned on two-factor authentication, and alerts you to sites still using insecure HTTP. Handy stuff. All automatic.

Then there’s the Secret Key. When you set up 1Password, it generates a 128-bit Secret Key that’s stored only on your devices. Your vault is encrypted using both your master password and this key. So even if someone got your encrypted vault data AND your master password, they still couldn’t decrypt anything without the Secret Key. This directly addresses the kind of attack that hurt LastPass users. It’s a meaningful layer of protection that most competitors don’t have.

Travel Mode is another one worth mentioning. You mark certain vaults as “safe for travel.” When you turn on Travel Mode, everything else gets removed from your devices. If you’re crossing a border and someone demands to see your phone, they only see what you’ve chosen to show. Turn it off later and everything comes back. Might seem niche, but for people who travel internationally, it matters.

Downside? It costs money. Individual plans are about $3 per month, family plans about $5 per month for up to five people. No free tier exists. For some people, that’s a dealbreaker. For me, it’s less than a coffee. But budgets are real, and there’s a great alternative for people who’d rather not pay.

What about Bitwarden?

Bitwarden is what I recommend when someone says they don’t want to pay for a password manager. Its free tier is genuinely good. Unlimited passwords, unlimited devices, sync across everything, browser extensions, mobile apps, desktop apps. Free. The premium tier is $10 per year — not per month, per year — and it adds advanced two-factor authentication options, encrypted file attachments, and emergency access.

The big difference with Bitwarden is that it’s open source. All the code is on GitHub. Security researchers can audit it. Independent experts can verify the encryption actually works as advertised. Bitwarden has also gone through multiple third-party security audits by firms like Cure53, and the results are public. I tend to trust “here’s the code, check for yourself” more than “trust us, it’s secure.” Could be wrong about that instinct, but it seems like a reasonable position.

Self-hosting is an option too, if you’re technically inclined. You can run your own Bitwarden server on your own hardware so your data never touches anyone else’s servers. Bitwarden provides an official Docker-based deployment for this. There’s also a community project called Vaultwarden — a lightweight alternative written in Rust that runs on something as small as a Raspberry Pi. I’ve done it. Works fine.

Where Bitwarden falls short compared to 1Password is polish. It’s not bad. But autofill can be quirky on certain sites. The apps feel more utilitarian. Password generator defaults are a bit conservative. These are minor complaints, and the team keeps improving things. Still, if you’re comparing side by side, 1Password feels more refined. For a technical person, Bitwarden is great. For your parents, 1Password might cause fewer phone calls.

Are the built-in browser password managers good enough?

Chrome, Safari, Firefox, and Edge all have built-in password managers now, and they’ve gotten decent. Chrome generates strong passwords, syncs them across devices via your Google account, and checks for breached credentials. Apple’s Keychain works smoothly within the Apple world. So why bother with a separate tool?

Lock-in. That’s the main issue. Chrome’s password manager is great if you use Chrome everywhere. Switch to Firefox, or use Safari for personal browsing and Chrome for work, and now your passwords are scattered across multiple systems. A dedicated password manager doesn’t care which browser you’re in. It works in all of them, on every platform.

There’s also a depth problem. Browser managers handle website logins. They’re not great at storing other kinds of sensitive info — software licenses, API keys, Wi-Fi passwords, passport numbers, insurance details. A proper password manager handles all of that. Sharing is limited too. Try securely sharing your Netflix password with your family through Chrome’s built-in manager. It’s awkward. Dedicated tools make this much easier.

How do I set up my password manager correctly?

Picking one is the easy part. Setup is where people trip. Here’s the process, step by step.

Master password. This is the one password you need to remember, and it needs to be strong. I’d suggest a passphrase — four or five random words strung together, maybe with a number or symbol mixed in. Something like “correct-horse-battery-staple” but not that exact phrase, because Randall Munroe made it famous years ago and it’s probably in every wordlist out there. Aim for at least 16 characters. Don’t use song lyrics, movie quotes, or anything connected to you personally. Write it down on paper. Store that paper somewhere safe — a fireproof safe, a safety deposit box, whatever you’ve got. Don’t put it in a digital file.

Two-factor authentication. Turn it on for your password manager account right away. Use an authenticator app like Authy or a hardware key like a YubiKey. Avoid SMS-based two-factor if you can. SIM-swapping attacks are real and surprisingly easy to pull off. In 2022, a teenager SIM-swapped T-Mobile employees and stole $20 million in cryptocurrency. Your phone number isn’t a reliable second factor.

Import your existing passwords. Export saved passwords from your browsers and import them into your new manager. Both 1Password and Bitwarden have import tools that handle CSV exports from Chrome, Firefox, Safari, and other managers. Once imported, clean up duplicates. Then — and this is the step people skip — delete saved passwords from your browsers and disable the built-in password saving feature. Having two password managers fighting over the same login field is a special kind of annoying.

What should I do after importing everything?

Brace yourself. Your password manager is going to show you how many passwords you’ve reused, how many are weak, and how many have shown up in known data breaches. Don’t panic. It’s normal. Grab a coffee, put on some music, and start working through them.

Prioritize in this order:

  • Email accounts — These come first. If someone gets into your email, they can reset passwords on everything else. It’s the master key.
  • Financial accounts — Banks, investment accounts, PayPal, Venmo, crypto exchanges. Anywhere money lives.
  • Cloud storage — Google Drive, Dropbox, iCloud. These often hold sensitive documents, photos, and backups.
  • Social media — Compromised social accounts get used for phishing, scams, and identity theft.
  • Shopping sites — Amazon, eBay, and others with saved payment methods.
  • Everything else — Work through the rest when you have time. Even low-priority sites matter because of credential stuffing.

For each account, generate a new random password with your password manager. I’d go for at least 20 characters — uppercase, lowercase, numbers, symbols. Since the manager remembers them, there’s no reason to keep them short. While you’re at it, turn on two-factor authentication on every account that supports it. The whole process might take a weekend. Maybe two. But when you’re done, your accounts will be in far better shape than most people’s.
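The import, clean-up and audit described above, as an added Node.js example that is not code from 1Password, Bitwarden or any browser: it parses a constructed browser export, drops exact duplicates, flags reused, weak and known-breached passwords the way a Watchtower-style report would, and orders the remaining work by the priority list above. The CSV header follows the `name,url,username,password` layout Chrome uses, the hostname keywords, the 16-character weak threshold and the breach set are all assumptions for the demo, and the sample rows contain no quoted commas.

```javascript
// Constructed sample of a browser password export (assumed Chrome-style header).
const SAMPLE_EXPORT = `name,url,username,password
Gmail,https://accounts.google.com/,alice@example.com,FluffyBunny42
Chase,https://secure.chase.com/login,alice,FluffyBunny42
Dropbox,https://www.dropbox.com/login,alice@example.com,dropbox2019
Twitter,https://twitter.com/login,alice_b,FluffyBunny42
Amazon,https://www.amazon.com/ap/signin,alice@example.com,Kq8#vLm2!pRz9@Wd4xTb
Amazon,https://www.amazon.com/ap/signin,alice@example.com,Kq8#vLm2!pRz9@Wd4xTb
Old Forum,https://forum.example.net/,alice_b,password1`;

// Stand-in for a breach corpus; a real checker queries a breach database.
const KNOWN_BREACHED = new Set(['password1', '123456', 'qwerty']);

// Priority order from the text: email, money, cloud, social, shopping, the rest.
// Hostname keywords are assumed for the demo.
const PRIORITY = [
  ['email', ['google', 'gmail', 'outlook', 'proton', 'yahoo']],
  ['financial', ['bank', 'chase', 'paypal', 'venmo', 'coinbase']],
  ['cloud', ['dropbox', 'icloud', 'drive', 'onedrive']],
  ['social', ['twitter', 'facebook', 'instagram', 'linkedin']],
  ['shopping', ['amazon', 'ebay', 'etsy']],
];

// Minimal CSV reader for the constructed sample (no quoting support needed here).
function parseExport(csv) {
  const [header, ...rows] = csv.trim().split('\n');
  const cols = header.split(',');
  return rows.map((row) => Object.fromEntries(row.split(',').map((v, i) => [cols[i], v])));
}

function categorize(host) {
  for (let rank = 0; rank < PRIORITY.length; rank++) {
    const [name, keywords] = PRIORITY[rank];
    if (keywords.some((k) => host.includes(k))) return { category: name, rank };
  }
  return { category: 'other', rank: PRIORITY.length };
}

// Weak by this demo's rule: under 16 chars or fewer than three character classes.
function isWeak(password) {
  const classes = [/[a-z]/, /[A-Z]/, /[0-9]/, /[^A-Za-z0-9]/].filter((re) => re.test(password)).length;
  return password.length < 16 || classes < 3;
}

function auditExport(csv) {
  // Drop exact duplicates (same site, username, password) left by repeated saves.
  const seen = new Set();
  const entries = parseExport(csv).filter((e) => {
    const key = `${e.url}|${e.username}|${e.password}`;
    if (seen.has(key)) return false;
    seen.add(key);
    return true;
  });
  // A password counts as reused if it appears on more than one host.
  const hostsByPassword = new Map();
  for (const e of entries) {
    const host = new URL(e.url).hostname;
    if (!hostsByPassword.has(e.password)) hostsByPassword.set(e.password, new Set());
    hostsByPassword.get(e.password).add(host);
  }
  const items = entries.map((e) => {
    const host = new URL(e.url).hostname;
    const issues = [];
    if (hostsByPassword.get(e.password).size > 1) issues.push('reused');
    if (isWeak(e.password)) issues.push('weak');
    if (KNOWN_BREACHED.has(e.password)) issues.push('breached');
    return { name: e.name, host, ...categorize(host), issues };
  });
  // Work list: highest-priority category first, then alphabetical.
  items.sort((a, b) => a.rank - b.rank || a.name.localeCompare(b.name));
  const count = (tag) => items.filter((i) => i.issues.includes(tag)).length;
  return {
    items,
    summary: {
      total: items.length,
      reused: count('reused'),
      weak: count('weak'),
      breached: count('breached'),
      clean: items.filter((i) => i.issues.length === 0).length,
    },
  };
}
```

Run `auditExport(SAMPLE_EXPORT)` and the work list starts with the email account, which is the point of the ordering: fixing the one reused password there first closes the reset path to everything below it.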

How do I share passwords with family or a team?

Families share passwords. Teams share passwords. The question is how. Most households do it by texting passwords in plaintext, emailing them, or shouting them across the house. “What’s the Netflix password?” “FluffyBunny42, capital F, capital B!” Everyone within earshot now knows your Netflix login. Not ideal.

1Password’s family plan lets you create shared vaults. You can have a “Family” vault with streaming passwords, the Wi-Fi password, the alarm code, and other shared stuff, while keeping your personal vault completely separate. Bitwarden offers similar sharing through its Organizations feature — free for two users, paid plans for larger groups. Both let you control who sees what, and changes sync to all members instantly.

For one-off sharing with someone outside your plan, 1Password has a feature called Psst! that generates a temporary, expiring link to a specific item. Bitwarden Send does the same — share a password or secure note via a link that expires after a set time or number of views. Both are better than texting a password. By a lot.

What if the password manager itself gets hacked?

We covered the LastPass situation. A well-built password manager with strong encryption and a strong master password is still much more secure than reusing “Fluffy42!” on 80 websites. The question isn’t whether a password manager is perfectly secure. Nothing is. The question is whether it’s more secure than what you’re doing now. And it almost certainly is.

The “all eggs in one basket” worry comes up a lot. But think about it — if you’re reusing the same password everywhere, you’ve already got all your eggs in one basket. It’s just a basket with no lock. A password manager is a locked, encrypted basket. Yes, there’s a single point of failure. That’s why your master password and two-factor authentication matter so much. But concentrating your risk in one well-protected place beats spreading it thin across a hundred unprotected places.

What about just writing passwords in a notebook?

Honestly? Not the worst idea in the world. A physical notebook can’t be hacked remotely. Can’t be credential-stuffed. Can’t be phished. The problems are that it doesn’t generate strong passwords for you, doesn’t autofill, doesn’t sync across devices, and can be lost, stolen, or destroyed in a fire. But for someone who’s truly uncomfortable with technology and currently reusing the same weak password everywhere, a notebook with unique passwords is a real improvement. I’d still push them toward a password manager, but progress is progress.

What are passkeys, and do they replace password managers?

Passkeys are probably the biggest change coming to online authentication. They’re based on the FIDO2/WebAuthn standard, and they replace passwords with cryptographic key pairs. When you create a passkey for a site, your device generates a public key (sent to the website) and a private key (stored on your device, protected by biometrics or your device PIN). Logging in means using your fingerprint, face scan, or PIN. No password to remember. Nothing to type. Nothing to phish.

Google, Apple, Microsoft, Amazon, and a growing list of other companies already support passkeys. Both 1Password and Bitwarden can store and sync them. This matters because an early limitation of passkeys was device lock-in — an Apple passkey on your iPhone didn’t help on your Windows laptop. Password managers fix that by acting as a cross-platform passkey store.

But passkeys aren’t replacing passwords overnight. Thousands of sites still only support password-based login, and it’ll take years — maybe longer, hard to say — for the long tail to catch up. Right now, you need both. A password manager handles both. Think of it as a bridge between where things are and where they’re headed.

So what’s the short version?

If you can spend $3 a month (or $5 for a family): get 1Password. Best user experience available. Watchtower monitors your security automatically. The Secret Key architecture adds a real layer of protection beyond your master password. Apps are solid on every platform. Set it up and stop thinking about it.

If you want free, or you value open source, or you want to self-host: get Bitwarden. The free tier is better than many paid competitors. Premium at $10 a year is a bargain. Open-source codebase means real transparency. It’s what I use personally, though I’m the kind of person who runs their own mail server, so maybe don’t model your decisions on mine.

Don’t keep going without a password manager. Don’t keep reusing passwords. Don’t rely only on your browser’s built-in tool. The next big breach is always coming, and when it hits a service you use — when, not if — you’ll either be scrambling to change 80 passwords in a panic, or you’ll change one and move on with your day.

Passkeys will probably reshape all of this over the next few years. Password managers are already adapting to support them. Where exactly it all lands is anyone’s guess. Maybe passwords disappear entirely in a decade. Maybe they stick around way longer than anyone expects. We’ll see. For now, a password manager is the single best thing you can do for your online security. Pick one, set it up this weekend, and start the audit. And if you’ve got a sticky note with a password on your monitor right now — take it down.

TechoClip Editorial Team
TechoClip's editorial team covers AI, cybersecurity, smartphones, software, science, gaming, and startups — with a focus on clear, accurate, practical technology coverage.