Password Manager Guide — Why You Need One and How to Choose

Password managers store and generate strong unique passwords for every site. Here's how password managers work, what makes them secure, and how to choose between popular options.

Mian Ali Khalid · 5 min read

A password manager stores all your passwords in an encrypted vault and auto-fills them on login pages. Instead of remembering dozens of passwords, you remember one strong master password. The manager generates and remembers unique, strong passwords for every site.

Use the Password Generator to create strong passwords for your accounts.

Why password managers are necessary

Password reuse is the #1 account security risk. When a site gets breached (and thousands are breached each year), attackers take the stolen credentials and try them on other sites. If you use P@ssw0rd on both your email and a gaming forum, and the forum gets breached, your email is compromised.

Human memory limits lead to weak passwords. People tend to use simple, memorable passwords — or slight variations of the same password (password1, password2). Password managers make it practical to use a different random password such as 7kXq#mP9!vRt2LnW for every site.

Statistics on password breaches:

  • 65% of people reuse passwords across sites
  • 24 billion credentials were exposed in 2022 alone (Spycloud report)
  • Credential stuffing (reusing stolen credentials) is the most common account takeover attack

How password managers work

Master password + key derivation

When you set up a password manager, your master password is never stored — not even in encrypted form. Instead:

  1. Your master password is put through a key derivation function (PBKDF2, bcrypt, or Argon2) with a high iteration count
  2. This produces an encryption key
  3. The key encrypts your vault
  4. The key is never transmitted to servers — only the encrypted vault

This means even if the password manager company is breached, attackers only get encrypted vault data they can’t read without your master password.
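To make the four steps concrete, here is an added, self-contained sketch of the client side (this is illustration written for this article, not any vendor's code). It assumes PBKDF2-HMAC-SHA256 with a 600,000-iteration work factor and uses an HMAC-SHA256 counter-mode keystream plus a separate HMAC tag as a stand-in for the AES-GCM a real manager would use; what the server receives is only the salt, the iteration count and the ciphertext.

```python
import hashlib
import hmac
import json
import os

ITERATIONS = 600_000  # assumption: a modern PBKDF2-HMAC-SHA256 work factor; a real manager picks its own

def derive_key(master_password, salt, iterations=ITERATIONS):
    """Steps 1-2: stretch the master password into a 256-bit vault key (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=32)

def _subkey(key, label):
    # Separate keys for the keystream and the integrity tag, both derived from the vault key.
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key, nonce, length):
    # Stand-in for an AEAD cipher such as AES-GCM: HMAC-SHA256 run in counter mode. Demo only.
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]

def encrypt_vault(key, plaintext):
    """Step 3: encrypt the vault so the blob is unreadable without the derived key."""
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(_subkey(key, b"enc"), nonce, len(plaintext))))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}

def decrypt_vault(key, blob):
    nonce, ct = bytes.fromhex(blob["nonce"]), bytes.fromhex(blob["ct"])
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(blob["tag"])):
        return None  # wrong master password (wrong key) or tampered blob
    return bytes(a ^ b for a, b in zip(ct, _keystream(_subkey(key, b"enc"), nonce, len(ct))))

def client_upload(master_password, entries, iterations=ITERATIONS):
    """What the device sends to the sync server (step 4): salt, work factor, ciphertext. No key."""
    salt = os.urandom(16)
    key = derive_key(master_password, salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, **encrypt_vault(key, json.dumps(entries).encode())}

def client_open(master_password, stored):
    """What a second device does after downloading the blob: re-derive the key locally and decrypt."""
    key = derive_key(master_password, bytes.fromhex(stored["salt"]), stored["iterations"])
    plaintext = decrypt_vault(key, stored)
    return None if plaintext is None else json.loads(plaintext)
```

A breached sync server holds only what `client_upload` returns; without the master password the attacker must grind through the PBKDF2 work factor per guess, which is exactly why the iteration count matters.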

Zero-knowledge architecture

Most reputable password managers use zero-knowledge architecture: the company cannot decrypt your vault because they never receive your encryption key. Only your device, with your master password, can decrypt it.

Sync and devices

Your encrypted vault syncs to the cloud. On each device, the vault is downloaded and decrypted locally with your master password. The cloud server never sees decrypted data.

Key password manager features

Password generation: Creates random, high-entropy passwords meeting any site’s requirements (length, character sets, no ambiguous characters).

Auto-fill: Detects login pages and fills credentials automatically. Better managers also fill multi-page login forms.

Breach monitoring: Monitors services like Have I Been Pwned and alerts you when your stored credentials appear in known data breaches.

Secure notes: Store other sensitive data (SSH keys, software licenses, bank account numbers) in the same encrypted vault.

Password health report: Identifies weak, reused, or old passwords you should update.

TOTP (2FA) storage: Some managers store TOTP secrets and generate one-time codes in-app (though this creates a single-point dependency).

Password manager comparison

Feature              1Password       Bitwarden            Dashlane                  LastPass
Price (personal)     $36/year        Free (open source)   $40/year                  $36/year
Open source          No              Yes                  No                        No
Self-hosting         No              Yes                  No                        No
Zero-knowledge       Yes             Yes                  Yes                       Yes
Browser extensions   All             All                  Chrome, Firefox, Safari   All
Mobile apps          iOS, Android    iOS, Android         iOS, Android              iOS, Android
Breach monitoring    Yes             Yes (free tier)      Yes                       Yes
Emergency access     Yes             Yes                  Yes                       Yes

Bitwarden is the recommendation for most users: it is free, open source (independently audited), and has all the features of its paid competitors.

Setting up a password manager

1. Choose a strong master password

Your master password must be:

  • Long: 16+ characters
  • Memorable: use a passphrase (4–5 random words)
  • Never used elsewhere
  • Never written down digitally

Good passphrase: correct-horse-battery-staple
Better with numbers: correct-horse-7-battery-staple

2. Import existing passwords

Most managers import from:

  • Browser saved passwords (Chrome, Firefox, Safari)
  • CSV export from other password managers
  • Manual entry

3. Install browser extensions and mobile apps

Auto-fill only works reliably with browser extensions. Install on all browsers you use.

4. Enable two-factor authentication

Add 2FA to your password manager account itself — this adds a second layer if your master password is somehow compromised.

5. Replace weak and reused passwords

Use the password health report to identify passwords to update. Start with the most important accounts: email, bank, primary social media.

Generating passwords properly

When creating a new account or updating a password, use the manager to generate a unique password:

Recommended settings:
- Length: 20+ characters
- Include: uppercase, lowercase, numbers, symbols
- Exclude: ambiguous characters (0, O, l, 1, I) for human-readable contexts
- No character repetition: Yes

Generated example: 7kXq#mP9!vRt2LnW

Use the Password Generator for one-off password generation.
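As an added example (written for this article, not the Password Generator's own code), the generator below implements the recommended settings above and the 4-5-word passphrase advice from step 1. Assumptions: the symbol set is a typical generator default, "no character repetition" is read as no character appearing twice, and the passphrase wordlist is supplied by the caller (a real Diceware list has 7,776 entries, giving about 12.9 bits per word).

```python
import math
import secrets
import string

AMBIGUOUS = set("0Ol1I")  # glyphs the article says to exclude for human-readable contexts

CLASSES = {  # assumption: the symbol set is a typical generator default, not the site's own
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digits": string.digits,
    "symbols": "!@#$%^&*()-_=+[]{};:,.<>?",
}

def build_alphabet(classes, exclude_ambiguous):
    """One pool per selected class, with ambiguous glyphs removed when requested."""
    return [[c for c in CLASSES[name] if not (exclude_ambiguous and c in AMBIGUOUS)] for name in classes]

def generate_password(length=20, classes=("upper", "lower", "digits", "symbols"),
                      exclude_ambiguous=True, no_repeats=True):
    """Random password meeting the recommended settings: 20+ chars, every selected
    class present, no ambiguous glyphs, and (optionally) no character used twice."""
    pools = build_alphabet(classes, exclude_ambiguous)
    alphabet = sorted({c for pool in pools for c in pool})
    if no_repeats and length > len(alphabet):
        raise ValueError("length exceeds the number of distinct characters available")
    while True:  # rejection sampling: retry until every class is represented
        available, chosen = list(alphabet), []
        for _ in range(length):
            c = secrets.choice(available)  # CSPRNG, never random.choice
            chosen.append(c)
            if no_repeats:
                available.remove(c)
        pw = "".join(chosen)
        if all(any(c in pool for c in pw) for pool in pools):
            return pw

def meets_policy(pw, length=20, classes=("upper", "lower", "digits", "symbols"),
                 exclude_ambiguous=True, no_repeats=True):
    """Health-report style check: does a stored password satisfy the same settings?"""
    pools = build_alphabet(classes, exclude_ambiguous)
    return (len(pw) >= length and all(any(c in pool for c in pw) for pool in pools)
            and not (exclude_ambiguous and set(pw) & AMBIGUOUS)
            and not (no_repeats and len(set(pw)) != len(pw)))

def password_entropy_bits(length, alphabet_size):
    """Upper bound an entropy meter reports: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)

def generate_passphrase(wordlist, words=5, sep="-"):
    return sep.join(secrets.choice(wordlist) for _ in range(words))
```

Note that the entropy figure is an upper bound: disallowing repeats and forcing every class to appear both shave a little off, which is why a 20-character minimum leaves comfortable margin.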

Emergency access

Set up emergency access for trusted contacts in case you’re incapacitated:

  1. Designate a trusted contact in your password manager
  2. They can request access and must wait a set period (e.g., 7 days)
  3. You can deny the request during this period
  4. If you don’t respond, they gain access

This ensures family members can access critical accounts in emergencies while giving you time to deny unauthorized requests.

Written by Mian Ali Khalid. Part of the Dev Productivity pillar.