Eqii
Security 8 min read Feb 16, 2025

Choosing and Using a Password Manager: A Practical Guide

With 100+ online accounts per person, reuse is the real threat. A password manager reduces the problem to one strong passphrase. Here is how to choose and deploy one.

Why you need one, even if your passwords are "fine"

The average person has somewhere between 70 and 130 online accounts, according to studies by security researchers at Virginia Tech and elsewhere that analyzed leaked credential datasets. Of those, the average person actively uses about 25. The rest are dormant but still hold personal data — your name, email, home address, purchase history, and sometimes payment methods. If even one of those dormant accounts is breached and the password is reused on a more important account, the cascade can reach your email, your bank, and your identity.

The math of unique passwords is brutal. A strong password that you can remember is one password. A unique strong password for each of 100 accounts is 100 passwords you cannot remember. The only ways to bridge this gap are writing them down (acceptable at home, awkward on a phone), reusing passwords (catastrophic), or using a password manager (the right answer). A password manager reduces the problem to remembering one strong master password and lets the software handle the rest.

A common objection is that you do not trust a single company with all your passwords. This concern is reasonable but usually miscalibrated. The encrypted vault stored by a reputable password manager is dramatically harder to crack than the average person's reuse of three or four passwords across a hundred sites. The breach of a password manager vendor (LastPass had a serious incident in 2022) is bad, but the vault data is encrypted with a key derived from your master password, which the vendor does not have. Attackers who stole LastPass vaults still had to brute-force each master password individually, and users with strong master passwords were unaffected.

How password managers actually work

At their core, password managers do three things: generate strong random passwords, store them in an encrypted vault, and fill them into login forms on demand. The generation step is straightforward: the manager uses a cryptographically secure random number generator to produce a string of specified length from a chosen character set. The default is usually 16 to 20 characters of mixed case, digits, and symbols, which gives 100+ bits of entropy — far beyond what any human-chosen password achieves.

The storage step uses symmetric encryption, almost always AES-256 in an authenticated mode like GCM. The encryption key is derived from your master password using a key derivation function like PBKDF2 (with hundreds of thousands of iterations), scrypt, or Argon2. These functions are deliberately slow and memory-hard, so that brute-forcing the master password costs the attacker on the order of seconds per guess rather than the billions of guesses per second achievable against a fast hash. A strong master password (five or six random words) protects the vault even if an attacker obtains the encrypted file.

The autofill step is where the user experience lives. Most managers integrate with the browser and the operating system to detect when you are on a login page, look up the matching credentials, and offer to fill them. The matching is done by URL, which is also a security feature: a phishing site at paypa1.com will not match the credentials stored for paypal.com, so the manager will not autofill and the user is alerted that something is wrong. Some managers go further and warn when a stored URL has changed or when a site is known to be compromised.
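The origin-based matching that makes autofill a phishing defence, as an added example written for this article (not any manager's actual matching code). The saved entries and hostnames are constructed; `.example` is a reserved TLD. The rule shown is a simplified one: same scheme, and the page host is the saved host or a subdomain of it.

```javascript
// Constructed saved entries, keyed by the origin they were created on.
const savedEntries = [
  { origin: "https://paypal.com", user: "alice" },
  { origin: "https://bank.example", user: "alice" },
];

// Reduce a URL to the parts that matter for matching. Returns null for
// unparsable input so the caller never fills on a page it cannot identify.
function originParts(url) {
  try {
    const u = new URL(url);
    return { scheme: u.protocol, host: u.hostname.toLowerCase() };
  } catch {
    return null;
  }
}

// True when pageHost is savedHost itself or a subdomain of it. Matching on
// the suffix ".savedHost" (dot included) is what keeps "notpaypal.com" and
// "paypal.com.evil.example" from qualifying.
function hostMatches(pageHost, savedHost) {
  return pageHost === savedHost || pageHost.endsWith("." + savedHost);
}

// Entries eligible for autofill on pageUrl. Nothing is offered for a
// lookalike host (paypa1.com) or for an http: downgrade of an https: site.
function entriesFor(pageUrl, entries = savedEntries) {
  const page = originParts(pageUrl);
  if (!page) return [];
  return entries.filter((e) => {
    const saved = originParts(e.origin);
    return saved !== null && saved.scheme === page.scheme && hostMatches(page.host, saved.host);
  });
}
```

Real managers refine this with the public-suffix list (so `alice.github.io` does not match `github.io`) and per-entry match settings, but the silence on a non-matching host is the user-visible warning the text describes.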

Choosing between cloud, local, and self-hosted

The three categories of password manager differ in where the encrypted vault is stored and how it syncs across devices. Cloud-based managers (1Password, Bitwarden, Dashlane, LastPass) store the encrypted vault on the vendor's servers and sync automatically. The vendor never sees your master password or your decrypted data; they only see the encrypted blob. The advantage is convenience: vaults sync instantly, recovery of a lost device is straightforward, and the user does not have to manage infrastructure. The disadvantage is trust: you are trusting the vendor's security practices and availability.

Local managers (KeePass and its derivatives like KeePassXC) store the vault as a file on your device. You are responsible for syncing that file between devices, which you can do via a cloud storage service (Dropbox, Google Drive, your own Nextcloud) or not at all. The advantage is full control: no vendor has your vault, and the file format is open and well-documented so you are not locked in. The disadvantage is friction: syncing requires setup, conflicts can occur if two devices edit the vault simultaneously, and mobile access requires a separate app that can read the file from your cloud storage.

Self-hosted managers (Vaultwarden, a reimplementation of Bitwarden's server) run on infrastructure you control. You get the cloud-style sync experience without trusting a vendor, but you take on the operational burden of keeping the server updated, backed up, and secure. For most users, this is overkill; the security gain over a reputable cloud provider is small, and the operational risk of a misconfigured server is real. Self-hosting makes sense for organizations with existing infrastructure and a security team, not for individuals.

Setting up your vault the right way

The first decision is your master password. This is the one password you must remember, and it must be strong enough to resist offline brute force if your vault is ever stolen. Use the Diceware approach: five or six random words from a wordlist, no punctuation needed, easy to type and to remember. A six-word passphrase from the EFF 7,776-word list gives about 77 bits of entropy, which is more than enough to defeat any realistic offline attack against a modern key derivation function. Do not use a short complex password; the length matters more than the symbols.

Install the manager on every device you use: your phone, your laptop, your desktop, your work computer. Enable autofill in the browser extension or operating system integration. Then start the migration: open each account you care about, change the password to a generated one, and save it in the manager. Prioritize by sensitivity: email, bank, password manager recovery email, social media accounts that can be used to impersonate you, then everything else. Do not try to migrate all 100 accounts in one session; aim for the top 20 in the first weekend and chip away at the rest over a few weeks.

Set up multi-factor authentication on the manager itself and on every account that supports it. The manager usually supports MFA via a TOTP app (Google Authenticator, Authy, Aegis) or a hardware key (YubiKey, Titan). Hardware keys are stronger because they are immune to phishing, but a TOTP app is dramatically better than nothing and is the right starting point for most people. Store the recovery codes for your MFA in a secure location separate from your password vault — printed in a fireproof safe, or in a separate encrypted file with a different password.

Migrating without losing access

The risk during migration is locking yourself out of an account by changing its password and then losing access to the manager before the new password is saved. The mitigation is to keep the old password working until the new one is confirmed. Most services let you change the password while logged in, so the change takes effect immediately and you can verify the new password works before logging out. Save the new password in the manager first, then change it on the site, then verify the autofill works.

If you are migrating from one password manager to another, export from the old one and import into the new one. Most managers support CSV import and export, which loses some metadata (folders, tags, custom fields) but preserves the credentials. Some support encrypted direct migration tools; 1Password and Bitwarden both have importers for LastPass and several others. Do the migration on a trusted device on a trusted network, and delete the export file securely (not just trash it) when you are done.

Test your recovery path before you need it. Log out of the manager on one device, then go through the recovery process to confirm you can get back in. If recovery requires access to your email, make sure your email is independently accessible (e.g., on a device that is already logged in, or via a recovery code). If recovery requires a master password and you have forgotten it, you are out of luck — there is no backdoor. Write the master password down on paper, store it somewhere physically secure, and check on it every few months to make sure you still remember it.

Recovery and disaster planning

The single biggest risk with a password manager is losing the master password. Because the vault is encrypted with a key derived from that password, the vendor cannot recover it for you. If you forget it, the vault is gone. The mitigation is redundancy: write the master password down on paper, store it in at least two physically separate locations (home safe and a trusted relative's house, or a safe deposit box), and update the copies if you change it.

The second risk is losing access to your MFA device. If your phone is lost or stolen and your TOTP app was on it, you need the recovery codes you saved when you set up MFA. If you did not save them, you have to go through the vendor's account recovery process, which usually involves identity verification and a waiting period of days to weeks. Save the recovery codes. Test that they work.

The third risk is the vendor going out of business or shutting down the product. This has happened: Mitro shut down in 2015, PasswordBox was acquired and discontinued, and several smaller managers have disappeared. The mitigation is to choose a manager with a healthy business model and an export feature you have tested. If the manager is open source (Bitwarden, KeePass), the file format is documented and will be readable by other tools even if the original project ends. If the manager is closed source and the vendor disappears, you may have a window of days to export before the service goes offline. Periodically export a backup of your vault to a local encrypted file, just in case.