Password Manager Basics
Choose and configure a password manager for better security hygiene
Who This Guide Is For
This guide is for anyone who reuses passwords, forgets passwords, or stores them in insecure places (sticky notes, text files, browser autofill). A password manager solves these problems by generating strong unique passwords for every account and storing them encrypted. You remember one master password; the manager handles the rest.
Why Use a Password Manager?
Problem 1: Password Reuse
Most people use the same password across multiple sites. When one site is breached, attackers try those credentials on other services ("credential stuffing"). One breach compromises all your accounts. Password managers eliminate reuse by generating unique passwords for every site.
Problem 2: Weak Passwords
Memorable passwords ("Summer2024!") are weak. Strong passwords ("X7$mQ2#pL9@nR4wT") are impossible to remember for dozens of accounts. Password managers generate and store strong random passwords, so you don't need to remember them.
Problem 3: Insecure Storage
Storing passwords in browsers, text files, or sticky notes is insecure. Malware can steal browser-stored passwords easily. Password managers encrypt your credentials with a master password, protecting them even if your device is compromised.
The Tradeoff
Choosing a Password Manager
Cloud-Based Managers (1Password, Bitwarden, Dashlane)
These services sync your passwords across devices via encrypted cloud storage. They offer convenience (access anywhere) but require trusting the provider's security and infrastructure.
Best for: Most users who want seamless cross-device sync and don't mind cloud storage.
Recommendations: Bitwarden (open source, affordable), 1Password (user-friendly, strong reputation).
Local-Only Managers (KeePass, KeePassXC)
These tools store your password database locally as an encrypted file. You control where the file lives (local disk, USB drive, self-hosted sync). No cloud dependency, but you manage backups and sync yourself.
Best for: Privacy-conscious users who want full control and don't need automatic sync.
Recommendations: KeePassXC (modern, cross-platform), KeePass (Windows, widely audited).
Browser Built-In Managers (Chrome, Firefox, Edge)
Convenient but less secure than dedicated password managers. Browser-stored passwords are easier to extract via malware, and sync ties you to one browser ecosystem.
Best for: Casual users who won't adopt a dedicated tool. Better than reusing passwords, but not ideal for high-security needs.
Setting Up Your Password Manager
Step 1: Choose and Install
Pick a password manager based on your needs (cloud sync vs local control). Download from the official website and verify checksums. See our guide: How to Verify Checksums.
Step 2: Create a Strong Master Password
Your master password unlocks all other passwords. It must be strong and memorable. Recommendations:
- Use 16+ characters
- Combine 4-6 random words (Diceware method): "correct horse battery staple lamppost volcano"
- Avoid personal information (names, birthdays)
- Never reuse an existing password
Write it down initially and store it securely (physical safe) until memorized. Gradually practice typing it until it becomes muscle memory.
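The Diceware method above, as an added example that is not part of the original guide: five dice rolls index a word in a 7776-word list, the words are picked with the OS CSPRNG, and the entropy of the result is computed from the list size. The short wordlist is constructed for illustration; the real list is far larger.

```python
import math
import secrets

# Constructed sample wordlist. The standard Diceware list has 6**5 = 7776
# words, one per five-dice roll; any list of distinct words works here.
SAMPLE_WORDLIST = [
    "correct", "horse", "battery", "staple", "lamppost", "volcano",
    "anchor", "meadow", "pixel", "quartz", "tundra", "walnut",
]
DICEWARE_LIST_SIZE = 6 ** 5


def dice_key_to_index(key: str) -> int:
    """Map a five-dice roll such as '31415' to a 0-based list position (0..7775)."""
    if len(key) != 5 or any(d not in "123456" for d in key):
        raise ValueError("key must be five digits in 1..6")
    index = 0
    for digit in key:
        index = index * 6 + (int(digit) - 1)
    return index


def roll_dice_key() -> str:
    """Simulate five physical dice with the OS CSPRNG (secrets, never random)."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(5))


def diceware_passphrase(n_words: int, wordlist=SAMPLE_WORDLIST, separator: str = " ") -> str:
    """Pick n_words uniformly; with a full 7776-word list that is one five-dice roll per word."""
    if n_words < 1:
        raise ValueError("need at least one word")
    if len(wordlist) == DICEWARE_LIST_SIZE:
        words = [wordlist[dice_key_to_index(roll_dice_key())] for _ in range(n_words)]
    else:
        words = [secrets.choice(wordlist) for _ in range(n_words)]
    return separator.join(words)


def passphrase_entropy_bits(n_words: int, list_size: int) -> float:
    """Entropy of n_words independent uniform picks from list_size candidates."""
    return n_words * math.log2(list_size)


def meets_length_rule(passphrase: str, min_length: int = 16) -> bool:
    """The guide's rule: a master password should be 16+ characters."""
    return len(passphrase) >= min_length


if __name__ == "__main__":
    phrase = diceware_passphrase(6)
    print(phrase, meets_length_rule(phrase))
    print(f"{passphrase_entropy_bits(6, DICEWARE_LIST_SIZE):.1f} bits with the full list")
```

Six words from the full list give about 77.5 bits, which is why the guide recommends 4-6 words rather than a single memorable word with a suffix.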
Step 3: Enable Two-Factor Authentication
Most password managers support 2FA (TOTP apps, hardware keys). Enable this for your password manager account. If someone steals your master password, 2FA prevents account access without your phone or hardware key.
Step 4: Import Existing Passwords
Most managers can import from browsers or other password managers. After importing, audit entries: delete duplicates, remove unused accounts, update weak passwords.
Step 5: Generate New Passwords for Important Accounts
Start with critical accounts (email, banking, work). Use the manager's password generator to create strong unique passwords. Update each account and save the new password in the manager.
Daily Usage Best Practices
Practice 1: Use the Password Generator
Never create passwords manually. Let the manager generate random 16-20 character passwords with mixed case, numbers, and symbols. You'll never type them; the manager autofills.
Practice 2: Lock When Not in Use
Configure your password manager to lock after 5-10 minutes of inactivity or when the screen locks. An unlocked password manager on an unattended computer is a security risk.
Practice 3: Avoid Storing in Plain Text
Don't keep a backup text file of passwords "just in case." If you need emergency access, use the manager's export feature to create encrypted backups or store recovery codes in an offline vault.
Practice 4: Review Weak and Reused Passwords
Most managers audit your passwords and flag weak, reused, or compromised ones. Quarterly, review this report and update flagged passwords.
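The kind of audit described above, as an added example that is not part of the original guide: it runs over a constructed vault export and flags reused passwords and weak ones (short, on a common-password list, or too few character classes). The vault entries and the denylist are constructed for illustration; a manager's own audit would also check a breach corpus.

```python
import string
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class VaultEntry:
    site: str
    username: str
    password: str


# Constructed sample vault export (not real credentials), reusing the
# example passwords quoted earlier in this guide.
SAMPLE_VAULT = [
    VaultEntry("mail.example", "alice", "Summer2024!"),
    VaultEntry("bank.example", "alice", "X7$mQ2#pL9@nR4wT"),
    VaultEntry("shop.example", "alice", "Summer2024!"),
    VaultEntry("forum.example", "alice", "password"),
    VaultEntry("work.example", "alice.w", "correct horse battery staple lamppost volcano"),
]
# Constructed, deliberately short denylist; a real audit uses a breach corpus.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein"}
CHARACTER_CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)


def weakness_reasons(password: str) -> list:
    """Return why a password is weak; an empty list means it passes these checks."""
    reasons = []
    if password.lower() in COMMON_PASSWORDS:
        reasons.append("on common-password list")
    if len(password) < 12:
        reasons.append("shorter than 12 characters")
    classes = sum(1 for cls in CHARACTER_CLASSES if any(c in cls for c in password))
    if len(password) < 20 and classes < 3:  # long passphrases may use one class
        reasons.append("fewer than 3 character classes")
    return reasons


def reused_passwords(entries: list) -> dict:
    """Map each password used on more than one site to the sorted list of those sites."""
    sites_by_password = defaultdict(set)
    for entry in entries:
        sites_by_password[entry.password].add(entry.site)
    return {pw: sorted(sites) for pw, sites in sites_by_password.items() if len(sites) > 1}


def audit_vault(entries: list) -> list:
    """Return (site, finding) pairs, sorted by site, for every entry that needs action."""
    findings, reused = [], reused_passwords(entries)
    for entry in entries:
        if entry.password in reused:
            others = [s for s in reused[entry.password] if s != entry.site]
            findings.append((entry.site, "reused on " + ", ".join(others)))
        findings.extend((entry.site, reason) for reason in weakness_reasons(entry.password))
    return sorted(findings)
```

Running `audit_vault(SAMPLE_VAULT)` flags the two sites sharing "Summer2024!" and the forum account, while the generated password and the long passphrase pass clean.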
Common Mistakes in the Real World
Mistake 1: Weak Master Password
Your master password is the single point of failure. "Password123!" defeats the entire system. Invest time in creating a strong, memorable passphrase. This is the one password worth memorizing.
Mistake 2: No Recovery Plan
If you forget your master password, you lose access to all accounts. Most managers can't recover it (the vault is genuinely encrypted, so there is no back door for recovery). Store a recovery key or emergency access token in a safe place (physical safe, trusted family member).
Mistake 3: Not Using Unique Passwords
Some people adopt a password manager but continue reusing passwords "for convenience." This defeats the purpose. Commit to unique passwords for every account.
Mistake 4: Ignoring Browser Extension Security
Password manager browser extensions are convenient but can be targeted by malicious websites. Keep your browser updated, enable extension security features, and avoid using managers on public/untrusted computers.
Password Manager Checklist
- □ Choose a password manager (cloud-based or local-only)
- □ Download from official source and verify checksum
- □ Create a strong master password (16+ characters, Diceware recommended)
- □ Enable two-factor authentication on your password manager account
- □ Import existing passwords from browsers and other managers
- □ Update critical accounts with strong unique generated passwords
- □ Configure auto-lock after inactivity
- □ Store recovery key or emergency access token securely
- □ Quarterly audit: review weak, reused, and compromised passwords
Frequently Asked Questions
Is it safe to store all passwords in one place?
Yes, if you use a strong master password and enable 2FA. The risk of reusing weak passwords across sites is far greater than the risk of a properly secured password manager being compromised.
What if the password manager company is breached?
Reputable managers use zero-knowledge encryption: they store encrypted data but never see your master password. Even if breached, attackers get encrypted vaults they can't decrypt without your master password.
Can I share passwords with family or team members?
Most managers offer secure sharing features. Use these instead of sending passwords via email or text. Each user should have their own master password; shared passwords are stored in a shared vault.
Should I change my passwords regularly?
Not necessarily. Frequent password changes (without reason) lead to weaker passwords. Change passwords when breached, when an account is compromised, or when leaving a job. Otherwise, strong unique passwords don't need regular rotation.
What about browser-suggested passwords?
They're better than reused weak passwords, but dedicated password managers offer better security, cross-browser sync, auditing features, and more control.
How do I recover if I forget my master password?
Most managers cannot recover your master password (by design). Use recovery options if available (emergency contact, backup codes). This is why storing a recovery key in an offline vault is wise.
Next Steps
Improve your password security further:
- Offline Vault Workflow — Store master password in air-gapped vault
- Windows Encryption Basics — Protect password database on disk
- Avoiding Trojanised Installers — Safely download password managers