How to Use a Password Manager
A password manager remembers strong, unique passwords for every account so you do not have to. Here is how to set one up and actually use it day to day.
The average person has dozens of online accounts, and the only safe way to handle them is a unique, strong password for each — which is impossible to remember unaided. That is exactly the problem a password manager solves. It stores all your logins in an encrypted vault locked behind one master password, generates strong random passwords for new accounts, and fills them in automatically. CISA and other security agencies recommend password managers precisely because they make the secure choice the easy choice: you remember one good password, and the software handles the rest. This guide walks you from picking a manager through daily use, so you end up with a setup you will actually stick with.
Key takeaways
- One master password unlocks an encrypted vault of all your other passwords.
- Unique, generated passwords everywhere mean one breach can never cascade to your other accounts.
- Autofill saves time and blocks phishing — the manager only fills on the real site's address.
- Protect the master password with 2FA and never reuse it anywhere else.
Why you need a password manager
Password reuse is the root cause of most account takeovers. When one site is breached, attackers take the leaked email-and-password pairs and try them on banks, email, and shops — a technique called credential stuffing. If you reuse a password, that single breach unlocks multiple accounts. A password manager breaks the chain by giving every account a long, random, one-of-a-kind password you never have to memorize or type. It also acts as a quiet phishing shield: because it matches saved logins to the exact web address, it simply will not autofill on a look-alike scam site, which is a strong signal something is wrong.
Choosing a password manager
The best manager is one you will use across all your devices. Look for strong, audited encryption, support for your phones and computers, browser extensions, and a clear privacy track record. Built-in options from Apple, Google, and Microsoft are convenient and free if you live entirely in one ecosystem; dedicated cross-platform managers shine if you mix iPhone, Android, Windows, and Mac. Whatever you pick, the security model is the same: the vault is encrypted on your device with a key derived from your master password, so even the provider cannot read your data. For a deeper comparison of features and types, see our full password manager guide.
| Type | Best for | Trade-off |
|---|---|---|
| Built-in (Apple / Google / Microsoft) | Single-ecosystem users | Weaker cross-platform support |
| Dedicated cross-platform app | Mixed devices, families | May cost a subscription |
| Open-source self-hosted | Advanced, privacy-focused users | Requires more setup |
Creating your master password
Your master password is the one key to everything, so it deserves real thought. Make it long — a passphrase of several unrelated words is both strong and memorable, which aligns with NIST guidance favoring length over forced complexity. Never reuse it on any other site, never share it, and do not store it inside the very vault it protects. Write it down once and keep that note somewhere physically secure until it is memorized. Because everything depends on this password, enable two-factor authentication on the manager itself; our guide to setting up two-factor authentication walks through it.
There is usually no master-password reset. Because your vault is encrypted with a key derived from your master password, most managers genuinely cannot recover it for you if you forget it. That zero-knowledge design is great for security but means you must record your master password safely until it is firmly memorized.
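To make the "no reset" point concrete, here is an added sketch (not code from this guide or from any particular manager) of deriving a vault key from a master password. The PBKDF2 work factor, the record layout, and the check-tag constant are assumptions; real products use their own parameters and rely on authenticated encryption of the vault rather than a separate check tag.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000               # assumed work factor for PBKDF2-HMAC-SHA256
CHECK_LABEL = b"vault-key-check"   # hypothetical constant used for the unlock check


def derive_key(master_password, salt, iterations=ITERATIONS):
    """Stretch the master password into a 32-byte vault key."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations
    )


def create_header(master_password):
    """Build the record stored beside the encrypted vault: no password, no key."""
    salt = os.urandom(16)          # random per vault, so equal passwords give different keys
    key = derive_key(master_password, salt)
    return {
        "salt": salt,
        "iterations": ITERATIONS,
        "check": hmac.new(key, CHECK_LABEL, hashlib.sha256).digest(),
    }


def unlock(header, attempt):
    """Re-derive the key from the typed password; return it only if the check matches."""
    key = derive_key(attempt, header["salt"], header["iterations"])
    tag = hmac.new(key, CHECK_LABEL, hashlib.sha256).digest()
    return key if hmac.compare_digest(tag, header["check"]) else None


if __name__ == "__main__":
    header = create_header("maple-orbit-candle-thirst")        # constructed passphrase
    print("right password:", unlock(header, "maple-orbit-candle-thirst") is not None)
    print("wrong password:", unlock(header, "maple-orbit-candle") is not None)
```

Nothing in the stored header can be turned back into the key without guessing the master password, which is why a forgotten master password cannot be reset by the provider.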
Importing and adding your logins
You do not have to start from scratch. Most managers can import passwords your browser already saved, and accept a CSV export from another manager. Run the import, then turn off your browser's own password saving so you have a single source of truth. From here on, whenever you sign up for something new, let the manager generate a strong password — or use a standalone password generator — and save it to the vault. Over a few weeks, replace old reused passwords with generated ones, starting with your most important accounts. Many managers include a health report that flags weak, reused, or breached passwords so you know what to fix first.
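The kind of check a health report runs can be reproduced on an export before you import it. The following is an added example, not any manager's own code: the CSV column names, the 12-character threshold, and the breached-hash set are assumptions, and all sample data is constructed.

```python
import csv
import hashlib
import io
from collections import defaultdict

# Constructed sample export; real exports use different column names per product.
SAMPLE_CSV = """name,url,username,password
Bank,https://bank.example,alice,Tr0ub4dor&3
Shop,https://shop.example,alice,Tr0ub4dor&3
Forum,https://forum.example,alice,summer24
Mail,https://mail.example,alice,kX9#vR2m!qLz8@Wd5pTn
"""

# Constructed stand-in for a locally held set of SHA-1 hashes of breached passwords.
BREACHED_SHA1 = {hashlib.sha1(b"summer24").hexdigest()}

MIN_LENGTH = 12  # assumed threshold for "weak"; set this to your own policy


def audit(csv_text, breached_sha1=BREACHED_SHA1, min_length=MIN_LENGTH):
    """Return {entry name: sorted findings} for entries that need a new password."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    # Group entries by password digest so plaintext is never used as a lookup key.
    by_digest = defaultdict(list)
    for row in rows:
        digest = hashlib.sha256(row["password"].encode()).hexdigest()
        by_digest[digest].append(row["name"])

    findings = defaultdict(set)
    for row in rows:
        pw = row["password"]
        if len(pw) < min_length:
            findings[row["name"]].add("weak")
        if hashlib.sha1(pw.encode()).hexdigest() in breached_sha1:
            findings[row["name"]].add("breached")
        if len(by_digest[hashlib.sha256(pw.encode()).hexdigest()]) > 1:
            findings[row["name"]].add("reused")
    return {name: sorted(tags) for name, tags in findings.items()}


if __name__ == "__main__":
    for name, tags in audit(SAMPLE_CSV).items():
        print(f"{name}: {', '.join(tags)}")
```

An exported CSV holds every password in plaintext, so delete the file once the import and any audit are finished.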
Autofill and everyday use
Once the browser extension and mobile autofill are enabled, daily use is almost invisible: visit a site, and the manager offers to fill the matching login with a tap or click. On phones, turn on the system autofill setting (in iOS Passwords settings or Android's autofill service) so it works inside apps too. The first habit to build is to let the manager type for you rather than retyping passwords — this is both faster and safer, since the manager will not fill credentials on a mismatched address, helping you spot phishing automatically.
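The address check behind that behaviour can be sketched as follows. This is an added example, not code from any particular manager, and it assumes strict exact-origin matching (scheme, host, and port); some products match on the registered domain instead. The saved entry and all URLs are constructed.

```python
from urllib.parse import urlsplit

# Constructed vault entry: the origin recorded when the login was saved.
SAVED = {"https://accounts.example.com": ("alice", "generated-password-placeholder")}


def origin_of(url):
    """Return scheme://host[:port] with default ports dropped, or None if unusable."""
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname      # lowercased, with any userinfo and port removed
        port = parts.port          # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not host:
        return None
    try:
        # Normalise to ASCII so a look-alike Unicode letter becomes a visible xn-- label.
        host = host.rstrip(".").encode("idna").decode("ascii")
    except UnicodeError:
        return None
    default = {"http": 80, "https": 443}[parts.scheme]
    suffix = "" if port in (None, default) else f":{port}"
    return f"{parts.scheme}://{host}{suffix}"


def credentials_for(page_url, saved=SAVED):
    """Offer credentials only when the page's origin equals a saved origin exactly."""
    return saved.get(origin_of(page_url))


if __name__ == "__main__":
    for url in (
        "https://accounts.example.com/login",         # genuine page
        "https://accounts.example.com.login.test/",   # saved name used as a subdomain
        "https://accounts.example.com@phish.test/",   # saved name placed in userinfo
        "http://accounts.example.com/login",          # same host without TLS
    ):
        print(url, "->", "fill" if credentials_for(url) else "no fill")
```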
Use the secure notes too. Beyond passwords, vaults can safely hold 2FA recovery codes, software licenses, and Wi-Fi passwords. Keeping those encrypted in one place beats scattering them across notes apps and emails.
Sharing and staying safe
When you need to share a login — a streaming account with family, say — use the manager's secure sharing feature rather than texting the password in plain text. Shared items stay encrypted and can be revoked later. To stay safe long term: keep the master password unique and protected with 2FA, lock the vault when your device is idle, review the health report periodically, and be cautious of any prompt to enter your master password somewhere unexpected, which could be a phishing attempt. Pair this with broader account hygiene from our guides on protecting your privacy online and securing your home Wi-Fi.
Frequently asked questions
Is it safe to keep all my passwords in one place?
Yes, when done with a reputable manager. Your vault is encrypted on your device with a key derived from your master password, so even the provider cannot read it, and a single strong master password plus 2FA is far safer than reusing weak passwords across dozens of sites. The concentrated risk is real but small compared with the much larger risk password reuse creates.
What happens if I forget my master password?
Most password managers use a zero-knowledge design, meaning they cannot recover or reset your master password for you, because they never have the key to your vault. Some offer emergency-access or account-recovery options you must set up in advance. This is why you should record your master password somewhere physically safe until you have memorized it.
Are browser-built-in password managers good enough?
The built-in managers from Apple, Google, and Microsoft are genuinely secure and free, and far better than reusing passwords. They work best if all your devices are in one ecosystem. If you mix iPhone, Android, Windows, and Mac, or want features like secure sharing and detailed health reports, a dedicated cross-platform manager is usually more convenient.
Can a password manager protect me from phishing?
Partly, yes. Because a manager matches each saved login to the exact website address, it will not autofill your credentials on a look-alike phishing site. That failure to autofill is a useful warning sign. It does not replace caution, but combined with unique passwords and 2FA it significantly reduces the damage phishing can do.
Sources & further reading
- CISA — Use strong passwords and a password manager
- NIST SP 800-63B — Digital Identity Guidelines
- Apple Support — Password and security recommendations
This guide is independently produced. We reference primary documentation from device makers and security authorities (NIST, CISA).