Password Manager Guide: Why and How to Use One

Nobody can remember a hundred unique passwords — so don’t. A password manager creates and stores them all behind a single master key. Here is how they work and how to start.

Security experts agree on remarkably little, but on this they are nearly unanimous: the best thing most people can do for their online security is to start using a password manager. It resolves the central contradiction of passwords — that you are told to use a long, unique, random password for every one of your hundred-odd accounts, which no human could possibly remember. A password manager remembers them for you, so you can finally follow the advice that actually keeps you safe.

Key takeaways

  • A password manager generates and stores a different strong password for every site, so you never reuse one or have to remember it.
  • You memorise just one master passphrase; it unlocks an encrypted vault protected by zero-knowledge encryption — even the provider can’t read your passwords.
  • Built-in managers (iCloud Keychain, Google Password Manager) are free and convenient; dedicated apps add cross-platform sync and breach alerts — Bitwarden, for example, has a free tier.
  • “All your eggs in one basket” is far safer than reuse: one well-guarded, encrypted basket beats the same weak password sprayed everywhere.
  • Protect the vault with a strong, unique master passphrase and two-factor authentication.

  1. One master key: you remember a single strong passphrase.
  2. Unlock the vault: it decrypts your encrypted vault locally.
  3. Autofill logins: unique strong passwords fill in themselves.
  4. Sync encrypted: the vault syncs across devices, still encrypted.

How a password vault works: one master passphrase unlocks a locally-decrypted, end-to-end-encrypted store that autofills a unique password for every site.

The problem a password manager solves

The maths of modern life is impossible by hand. A typical person has well over a hundred online accounts, and good security demands a long, unique, random password for each. Nobody can memorise that, so people cope in insecure ways: they reuse one password everywhere, use slight variations a computer can guess, or keep a list in a notes file or on paper. Each of those shortcuts is exactly what attackers exploit.

A password manager removes the trade-off entirely. Instead of choosing between strong and memorable, you get both: the tool creates impossibly strong passwords and does the remembering. The FTC and CISA both point to password managers as a practical way for ordinary people to use strong, unique credentials across all their accounts. If you have not read it yet, our companion guide on creating strong passwords explains why length and uniqueness matter so much.

How a password manager works

Conceptually it is simple. Your passwords live in an encrypted file called a vault. That vault is locked with one master password (ideally a long passphrase) that only you know. When you need to log in somewhere, you unlock the vault and the manager fills in the right credentials automatically — on websites and in apps.

The security rests on two ideas. First, strong encryption: the vault is encrypted with an industry-standard cipher (such as AES-256) using a key derived from your master password, so the stored file is meaningless without it. Second, and crucially, zero-knowledge architecture: reputable managers encrypt and decrypt your data on your own device, so the company’s servers only ever hold an encrypted blob. They never have your master password and literally cannot read your passwords — which also means that if their servers are breached, attackers get scrambled data they cannot unlock.

Zero-knowledge, in plain terms: the provider stores your vault but holds no key to it. The encryption and decryption happen on your phone or laptop using your master password, which never leaves your device. The trade-off: if you forget your master password, no one — not even the provider — can recover it for you. That is the point.
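
The flow described above, as an added sketch in Node.js (not code from this guide or from any password manager): the key is derived from the master passphrase on the device, the vault is encrypted with AES-256-GCM, and the provider only ever receives the resulting record. The function names, the scrypt settings and the sample entry are assumptions made for the example.

```javascript
const crypto = require("crypto");

// scrypt cost settings: values assumed for this example, not any product's.
const KDF = { N: 2 ** 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };
const b64 = (buf) => buf.toString("base64");
const raw = (str) => Buffer.from(str, "base64");

// Device side: stretch the master passphrase into a 256-bit AES key.
function deriveKey(passphrase, salt) {
  return crypto.scryptSync(passphrase.normalize("NFKC"), salt, 32, KDF);
}

// Device side: encrypt the vault. The returned record is all the server stores.
function sealVault(passphrase, entries) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv("aes-256-gcm", deriveKey(passphrase, salt), iv);
  const ct = Buffer.concat([cipher.update(JSON.stringify(entries), "utf8"), cipher.final()]);
  return { salt: b64(salt), iv: b64(iv), tag: b64(cipher.getAuthTag()), ct: b64(ct) };
}

// Device side: returns the entries, or null if the passphrase is wrong
// or the stored record was modified (the GCM tag check fails).
function openVault(passphrase, blob) {
  const key = deriveKey(passphrase, raw(blob.salt));
  const decipher = crypto.createDecipheriv("aes-256-gcm", key, raw(blob.iv));
  decipher.setAuthTag(raw(blob.tag));
  try {
    const pt = Buffer.concat([decipher.update(raw(blob.ct)), decipher.final()]);
    return JSON.parse(pt.toString("utf8"));
  } catch {
    return null;
  }
}

// Constructed sample data, not real credentials.
const SAMPLE = [{ site: "mail.example", user: "alice", password: "constructed-Pw-1" }];
const stored = sealVault("constructed example passphrase", SAMPLE);
console.log(stored);                               // what the provider holds
console.log(openVault("a wrong guess", stored));   // null
console.log(openVault("constructed example passphrase", stored)); // the entries
```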

Built-in vs dedicated managers

You have two broad choices, and either is vastly better than reusing passwords.

Built-in managers come free with your devices and browser. iCloud Keychain (Apple) and Google Password Manager (Chrome and Android) store and autofill passwords and increasingly passkeys, and they are excellent if you live mostly inside one ecosystem. Their limitation is portability — they work best within their own platform and browser.

Dedicated managers are standalone apps that work everywhere — across Windows, macOS, iOS, Android and every major browser. Examples in this category include Bitwarden (which offers a genuinely usable free tier) and 1Password, among others. They typically add features like robust cross-platform sync, secure sharing, breach monitoring and detailed organisation. These are mentioned only as well-known examples of the category, not endorsements; the right pick depends on your devices, budget and needs.

Built-in manager:

  • Free, already on your device
  • Seamless within one ecosystem
  • Autofill in browser and OS
  • Less portable across platforms
  • Fewer extra features

Dedicated app:

  • Works on every OS and browser
  • Cross-platform sync
  • Breach alerts and secure sharing
  • Free or paid tiers available
  • One more app to set up

Built-in vs dedicated password managers. Both beat password reuse — choose by how many platforms you use.

The features that matter

Beyond storing passwords, look for:

  • Autofill across browsers and mobile apps — the feature that makes good security effortless day to day.
  • A strong password generator built in, so every new account gets a unique random password. (Ours is free at the password generator.)
  • Breach and weak-password alerts that flag reused, weak or leaked passwords so you can fix them.
  • Secure notes for things like Wi-Fi passwords, software licences and your 2FA backup codes.
  • Passkey support, so the manager can store and sync passkeys as logins move beyond passwords.
  • Cross-device sync, so your vault is current on your phone, tablet and computer.

Is it safe to put all your eggs in one basket?

It is the most common worry, and the reassuring answer is yes — and it is far safer than the alternative. The alternative to one well-protected basket is not “many safe baskets”; it is the same weak password scattered across dozens of sites, any one of which can leak it. That is a single point of failure too, just a far more exposed one.

A reputable password manager is a deliberately hardened basket: your vault is end-to-end encrypted, the provider cannot read it, and you can lock it behind both a strong master passphrase and 2FA. Even if the provider is hacked — and it has happened — attackers obtain encrypted vaults that are useless without each user’s master password. With a long, unique master passphrase, your data stays safe. The concentrated risk is real but small and manageable; the diffuse risk of reuse is large and constant.

The one password you must get right. Because everything depends on it, your master passphrase has to be both very strong and one you will never forget — you cannot reset it. Make it a long passphrase of several random words, never use it anywhere else, and store your account’s recovery option (if offered) somewhere safe.

How to migrate to a password manager

Switching over is a one-evening job, and you do not have to fix everything at once.

Choose a manager and set a strong master passphrase

Pick a built-in or dedicated manager, create your account, and choose a long, unique master passphrase using the method in our strong-passwords guide. This is the one password you will memorise.

Import or capture your existing logins

Most managers can import passwords saved in your browser, or simply offer to save each login as you sign in over the following days. Let it capture them as you go — there is no need to enter a hundred at once.

Fix the weak and reused ones first

Use the manager’s security or health check to find reused, weak and breached passwords, then change those for fresh random ones — starting with email, banking and shopping. Generate the replacements with the built-in generator.

Turn on 2FA for the vault

Protect the vault itself with two-factor authentication, and save your backup codes in its secure notes. Now a single tool holds your whole login life, locked behind two strong layers.
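
The "fix the weak and reused ones first" step, as an added sketch in Node.js of what a health check does (not any manager's actual implementation): it flags exact reuse, slight variations of one password, and short passwords, then orders the results so email, banking and shopping come first. The login list is constructed sample data, and the 14-character threshold and the category labels are assumptions made for the example.

```javascript
// Constructed sample export: not real accounts or passwords.
const LOGINS = [
  { site: "news.example",  category: "other",    password: "hunter2" },
  { site: "forum.example", category: "other",    password: "Summer2019!" },
  { site: "shop.example",  category: "shopping", password: "x9$Lq!2vRt7#pWzK4m" },
  { site: "bank.example",  category: "banking",  password: "Summer2019" },
  { site: "mail.example",  category: "email",    password: "Summer2019" },
];

const PRIORITY = ["email", "banking", "shopping"]; // fix-first order from the guide
const MIN_LENGTH = 14; // assumed threshold for this example

// Strip case and trailing digits/symbols so "Summer2019" and "Summer2019!" match.
const stem = (pw) => pw.toLowerCase().replace(/[^a-z]+$/, "");

function count(items, keyOf) {
  const counts = new Map();
  for (const item of items) counts.set(keyOf(item), (counts.get(keyOf(item)) || 0) + 1);
  return counts;
}

// Returns findings without the passwords themselves, most urgent first.
function auditLogins(logins) {
  const exact = count(logins, (l) => l.password);
  const stems = count(logins, (l) => stem(l.password));
  const findings = [];
  for (const { site, category, password } of logins) {
    const reasons = [];
    const s = stem(password);
    if (exact.get(password) > 1) reasons.push("reused");
    // Same stem used by more logins than the exact password: a slight variation.
    if (s && stems.get(s) > exact.get(password)) reasons.push("variant");
    if (password.length < MIN_LENGTH) reasons.push("weak");
    if (reasons.length) findings.push({ site, category, reasons });
  }
  const rank = (c) => (PRIORITY.includes(c) ? PRIORITY.indexOf(c) : PRIORITY.length);
  return findings.sort(
    (a, b) => rank(a.category) - rank(b.category) || b.reasons.length - a.reasons.length
  );
}

console.log(auditLogins(LOGINS));
```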

Master-password best practice

Everything hinges on the master password, so treat it accordingly. Make it a long passphrase of four or more random words — long enough to resist cracking, memorable enough that you will never need to write it where others could find it. Never reuse it on any other site; it must be unique to the vault. Add two-factor authentication on the manager account so the vault needs a second factor as well as the passphrase.

With that in place, you have arguably the best security setup available to a non-expert: a unique, strong, random password on every account, the whole lot sealed in an encrypted vault, and that vault itself double-locked. Combine it with the wider habits in our guide to protecting your privacy online and you are ahead of the overwhelming majority of internet users.

Frequently asked questions

Are password managers safe to use?

Yes — reputable ones are among the safest tools in personal security. They store your passwords in a vault protected by strong encryption (such as AES-256) and use zero-knowledge architecture, meaning encryption happens on your device and the provider never sees your master password or your passwords. Even if the provider’s servers are breached, attackers get encrypted data they cannot unlock without your master passphrase. Using one is far safer than reusing passwords.

Is it risky to keep all my passwords in one place?

It is much less risky than the alternative. The realistic alternative to one encrypted vault is the same weak password reused across many sites — a far more exposed single point of failure. A password manager is a hardened basket: end-to-end encrypted, unreadable to the provider, and protected by your master passphrase plus two-factor authentication. The concentrated risk is small and manageable; reuse is a large, constant risk.

What happens if I forget my master password?

Because reputable managers use zero-knowledge encryption, the provider cannot read or reset your master password — that is precisely what keeps your vault private. If you forget it, you generally cannot recover the vault, though some services offer an account-recovery option you set up in advance. Choose a master passphrase that is both strong and memorable (several random words), never reuse it, and save any recovery option somewhere safe.

Should I use my browser's built-in password manager or a separate app?

Either is far better than reusing passwords. Built-in managers like iCloud Keychain and Google Password Manager are free and seamless within one ecosystem. Dedicated apps such as Bitwarden (which has a free tier) or 1Password work across every operating system and browser and add features like cross-platform sync, breach alerts and secure sharing. Pick based on how many different platforms you use and which extra features you want.

Is Bitwarden's free version actually usable?

Yes — Bitwarden is a well-known example of a dedicated manager whose free tier covers the essentials: unlimited password storage, a strong generator, and sync across your devices. It is mentioned here as an example of the category rather than an endorsement; several reputable managers offer free or paid tiers, and the best choice depends on your devices, budget and needs.

Do password managers work with passkeys?

Increasingly, yes. As logins move beyond passwords to passkeys — phishing-resistant credentials based on the FIDO2 standard — many password managers can now store and sync passkeys alongside your passwords, so you have one place for both. Built-in managers from Apple, Google and Microsoft also support passkeys natively across their devices.

Sources & further reading

This guide is independently produced. We reference primary documentation from device makers and security authorities. Tudug is reader-supported and may earn from ads.
