How to Use a Password Manager Safely
The Problem
Nobody can remember a different strong password for 50 accounts—so people reuse one, or keep a list in a notebook or phone notes. Both are risky. A password manager solves this properly: it stores all your logins in one encrypted vault, fills them in for you, and creates strong new ones on demand. You remember a single master password; it handles the rest.
What a Password Manager Actually Does
Think of it as a locked safe for your logins:
- Stores a unique password for every site, encrypted so only you can read it.
- Generates long, random passwords you never have to type or memorize.
- Fills them automatically when you visit a site or open an app.
- Syncs across your phone, tablet, and computer so your logins follow you.
Because it remembers everything, you're free to make each password as long and random as possible, which is the strongest kind (see how to create strong passwords).
Choosing One
You have good options, and several are free:
- Built-in managers—Google Password Manager (Chrome/Android), iCloud Keychain (Apple), or Microsoft Edge's. These are convenient and fine for most people.
- Dedicated apps—Bitwarden (free and well-regarded), 1Password, or Dashlane. These work across every browser and device, not just one ecosystem.
If you only use Apple or only use Google devices, the built-in option is the easiest start. If you mix devices, a dedicated app travels better.
Step 1: Pick a Strong Master Password
This one password protects everything else, so it has to be both strong and unforgettable.
- Use a long passphrase—four or more random words.
- Never reuse it anywhere else.
- Don't write it in your phone notes or email it to yourself.
If you forget the master password, most managers cannot recover it—that's the point of true encryption. Store a written copy somewhere safe at home, like a locked drawer.
Step 2: Import and Clean Up
When you first set it up, let the manager import the passwords already saved in your browser. Then do a quick audit:
- Open the manager's security check (most have one).
- It flags reused, weak, or breached passwords.
- Work through the list, replacing the worst offenders with generated passwords. Start with your email and banking, as described in the strong passwords guide.
You don't have to fix everything in one sitting. Change a few each time you log in to a site.
Step 3: Turn On Two-Factor Authentication
Your vault holds the keys to your whole digital life, so protect it with more than a password. Enable two-factor authentication on the password manager itself. Now even someone who learns your master password still can't open the vault without your phone.
Using It Safely Day to Day
A few habits keep your vault secure:
- Let it auto-fill—don't copy/paste sensitive passwords into random fields; auto-fill also helps you avoid phishing pages, because the manager won't fill a login on a fake look-alike domain.
- Lock the vault when you step away, especially on shared computers.
- Keep the app updated so you get the latest security fixes (see the guide on how to keep your devices updated safely).
- Be wary of unexpected master-password prompts. If your phone suddenly asks you to "re-enter" it out of nowhere, stop and check it's the real app.
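Why auto-fill resists look-alike domains, as an added example that is not taken from any particular password manager: the login is tied to the address where it was saved, and the fill is refused unless the current page's scheme, host, and port match. The function names, the subdomain option, and the sample URLs are assumptions made up for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}

def origin(url):
    """Return (scheme, host, port) for url, or None if it cannot be parsed."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if not parts.hostname:
        return None
    scheme = parts.scheme.lower()
    # .hostname is lowercased and excludes any "user@" prefix
    host = parts.hostname.rstrip(".")
    return scheme, host, port or DEFAULT_PORTS.get(scheme)

def should_autofill(saved_url, page_url, allow_subdomains=False):
    """Decide whether a login saved at saved_url may be filled on page_url."""
    saved, page = origin(saved_url), origin(page_url)
    if saved is None or page is None:
        return False
    if page[0] != "https" or (saved[0], saved[2]) != (page[0], page[2]):
        return False  # no plaintext pages, no scheme or port mismatch
    if page[1] == saved[1]:
        return True
    # Simplified subdomain rule (assumption): real managers consult the
    # Public Suffix List to find the registrable domain.
    return allow_subdomains and page[1].endswith("." + saved[1])

# Constructed sample data: one saved login and pages a user might land on.
SAVED = "https://accounts.example.com/login"
PAGES = [
    "https://accounts.example.com/signin",           # the real site
    "https://accounts.example.com.evil.test/login",  # real name as a prefix
    "https://accounts.examp1e.com/login",            # digit 1 for letter l
    "https://accounts.example.com@evil.test/login",  # real name as userinfo
    "http://accounts.example.com/login",             # plaintext downgrade
]

def fillable(saved_url, pages):
    """Return the subset of pages where the saved login would be offered."""
    return [p for p in pages if should_autofill(saved_url, p)]

if __name__ == "__main__":
    for page in PAGES:
        print(should_autofill(SAVED, page), page)
```

Only the first page in the list gets the login offered; a person reading the address bar quickly could miss the other four, which is why a missing auto-fill prompt on a familiar-looking site is worth treating as a warning sign.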
Is It Really Safe to Put All Passwords in One Place?
It feels counterintuitive, but yes—a reputable password manager is far safer than reusing passwords or keeping a plaintext list. The vault is encrypted on your device before it's ever stored, so even the company can't read it. The realistic risk for most people isn't the manager being hacked; it's reused passwords and phishing, both of which a manager directly defends against.
Getting Started Today
- Choose a manager (built-in, or Bitwarden if you mix devices).
- Set one long master passphrase and store a backup copy safely.
- Import existing passwords and run the security check.
- Turn on two-factor authentication for the vault.
Set it up once and your logins get stronger automatically from then on—no memorizing required.