Data Privacy · Beginner · 8 min read

Password Management Done Right

Why password managers are essential, how to choose one, and best practices for securing your digital life with strong, unique credentials.

The average person has over 100 online accounts. Without a password manager, you are almost certainly reusing passwords, using weak passwords, or both. Credential stuffing attacks — where attackers take email/password pairs leaked from one breach and try them on other services — are one of the most common and successful attack vectors on the internet. A password manager eliminates this risk by generating and storing a unique, random, strong password for every account.

How Password Managers Work

A password manager stores all of your credentials in an encrypted vault protected by a single master password. When you need to log in to a site, the password manager auto-fills your credentials. The vault is encrypted using a key derived from your master password — the password manager company never has access to your plaintext passwords. Modern password managers also generate random passwords, detect reused credentials, alert you to breaches, and support two-factor authentication codes.
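The paragraph above describes the zero-knowledge split: one key, derived from the master password, decrypts the vault on the client, while the provider only ever sees a separate value it can use to check a login. The block below is an added illustration of that pattern and is not code from the article or from any product named in it; the function names, the use of PBKDF2-HMAC-SHA256 for both derivations, and the iteration counts are assumptions chosen for the example.

```python
import hashlib
import os

# Work factor for PBKDF2-HMAC-SHA256. The number is an assumption for this example;
# a real product tunes it so one derivation takes a noticeable fraction of a second.
KDF_ITERATIONS = 600_000


def derive_vault_key(master_password: str, salt: bytes,
                     iterations: int = KDF_ITERATIONS) -> bytes:
    """Derive the 32-byte symmetric key that encrypts the vault.

    Only the master password and a per-user salt go in, so the key can be
    recomputed on any device. It unlocks the vault locally and is never
    sent to the provider.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def derive_login_secret(vault_key: bytes, master_password: str) -> bytes:
    """Derive the value the client sends to prove it knows the master password.

    It is a one-way function of the vault key, so the provider can check a
    login without ever holding the key that decrypts the vault.
    """
    return hashlib.pbkdf2_hmac("sha256", vault_key,
                               master_password.encode("utf-8"), 1, dklen=32)


def provider_stored_verifier(login_secret: bytes, server_salt: bytes,
                             iterations: int = 100_000) -> bytes:
    """What the provider keeps on disk: a further stretched hash of the login secret.

    If the provider's database leaks, the attacker gets this verifier, not the
    vault key, and still faces an offline brute force of the master password.
    """
    return hashlib.pbkdf2_hmac("sha256", login_secret, server_salt,
                               iterations, dklen=32)


def enroll(master_password: str, iterations: int = KDF_ITERATIONS) -> dict:
    """Client-side enrollment: what stays on the device versus what the provider receives."""
    kdf_salt = os.urandom(16)
    vault_key = derive_vault_key(master_password, kdf_salt, iterations)
    login_secret = derive_login_secret(vault_key, master_password)
    server_salt = os.urandom(16)
    return {
        "client_only": {"vault_key": vault_key},
        "sent_to_provider": {
            "kdf_salt": kdf_salt,  # needed to recompute the key on a new device
            "server_salt": server_salt,
            "verifier": provider_stored_verifier(login_secret, server_salt),
        },
    }


if __name__ == "__main__":
    record = enroll("correct-horse-battery-staple-monsoon-algebra")
    print("vault key stays on device:", record["client_only"]["vault_key"].hex())
    print("provider stores verifier: ", record["sent_to_provider"]["verifier"].hex())
```

The check to take away: nothing in `sent_to_provider` can be turned back into `vault_key` without guessing the master password, which is exactly why the strength of that one password matters so much.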

Choosing a Password Manager

Not all password managers are created equal. Here are the key criteria to evaluate:

  • Zero-knowledge architecture — the provider should never have access to your unencrypted vault. Verify this is stated explicitly in their security model.
  • Open source — auditability matters. Bitwarden, KeePassXC, and Proton Pass are fully open source.
  • Independent security audits — look for providers who publish results of third-party security audits.
  • Cross-platform support — your password manager should work on every device and browser you use.
  • Offline access — you should be able to access your vault even without an internet connection.
  • Breach monitoring — alerts when credentials appear in known data breaches.

Recommended Options

  • Bitwarden — open source, audited, excellent free tier, self-hostable (Vaultwarden). The best balance of security, usability, and cost for most people.
  • KeePassXC — fully offline, open source, stores your vault as a local file. Maximum control, no cloud dependency. Requires manual syncing if you use multiple devices.
  • Proton Pass — open source, integrated with the Proton ecosystem, includes email aliasing. Good if you already use Proton services.
  • 1Password — excellent usability and family/team sharing, independently audited, but not open source.

Creating a Strong Master Password

Your master password is the single key protecting everything. It must be strong, memorable, and unique — used nowhere else. The most effective approach is a passphrase: a sequence of random words that is easy to remember but computationally infeasible to brute force.

```text
# Generate a random passphrase using your password manager or dice:
# Example (6 words from a diceware list):

correct-horse-battery-staple-monsoon-algebra

# This is ~77 bits of entropy — enough to resist any known attack.
# Compare to a typical "strong" password:
# P@ssw0rd!23 — only ~30 bits of entropy, trivially crackable.

# You can also use: shuf -n6 /usr/share/dict/words | tr '\n' '-'
# (Remove trailing dash from output)
```
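Where the ~77 bits above comes from, and how to generate a passphrase or a random per-account password with a cryptographically secure source, as an added example that is not part of the article: the entropy of a uniformly chosen passphrase is the word count times log2 of the list size, and for a character password it is the length times log2 of the alphabet size. The `SAMPLE_WORDS` list is a constructed twenty-word stand-in for a real diceware list; its small size is deliberate, so the numbers show why the list size matters as much as the word count.

```python
import math
import secrets
import string
from typing import Sequence

# Constructed stand-in for a diceware list. A real list has 7776 words (6^5,
# one per roll of five dice); twenty words is far too few for a real passphrase.
SAMPLE_WORDS = [
    "correct", "horse", "battery", "staple", "monsoon", "algebra",
    "copper", "lantern", "velvet", "orbit", "cactus", "harbor",
    "meadow", "pixel", "quartz", "saddle", "timber", "walnut", "yonder", "zephyr",
]
DICEWARE_LIST_SIZE = 7776
PRINTABLE_ASCII = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def passphrase_entropy_bits(list_size: int, word_count: int) -> float:
    """Entropy of a passphrase whose words are drawn uniformly and independently."""
    return word_count * math.log2(list_size)


def password_entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a password whose characters are drawn uniformly from an alphabet."""
    return length * math.log2(alphabet_size)


def generate_passphrase(words: Sequence[str], word_count: int = 6,
                        separator: str = "-") -> str:
    """Pick words with the OS CSPRNG (secrets), never random.random(), and join them."""
    return separator.join(secrets.choice(words) for _ in range(word_count))


def generate_password(length: int = 16, alphabet: str = PRINTABLE_ASCII) -> str:
    """Random per-account password; 16 printable ASCII characters is about 105 bits."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    print(f"6 words from a 7776-word list: {passphrase_entropy_bits(DICEWARE_LIST_SIZE, 6):.1f} bits")
    print(f"6 words from a {len(SAMPLE_WORDS)}-word list: "
          f"{passphrase_entropy_bits(len(SAMPLE_WORDS), 6):.1f} bits (too weak)")
    print(f"16 random printable characters: {password_entropy_bits(len(PRINTABLE_ASCII), 16):.1f} bits")
    print("example passphrase:", generate_passphrase(SAMPLE_WORDS))
    print("example account password:", generate_password(16))
```

The two entropy figures only hold if every word or character is chosen uniformly at random; a passphrase you make up yourself, or a word list you drew from memory, does not get the full credit.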

Warning

Never store your master password digitally. Memorize it. If you must write it down during the memorization period, keep the paper in a physically secure location (a safe or locked drawer) and destroy it once the password is committed to memory.

Two-Factor Authentication (2FA)

A strong password is necessary but not sufficient. Enable two-factor authentication on every account that supports it, prioritizing your email, banking, and cloud storage accounts. Your email is especially critical because it is the recovery mechanism for almost every other account.

  • Hardware security keys (YubiKey, SoloKey) are the strongest 2FA method. They are phishing-resistant because the browser binds each response to the origin that requested it, so a look-alike domain cannot obtain a response that is valid for the real site.
  • TOTP authenticator apps (Aegis on Android, Raivo on iOS, or your password manager's built-in TOTP) are the next best option. Avoid SMS-based 2FA if possible — SIM swap attacks make it the weakest common 2FA method.
  • Store your 2FA recovery codes in your password manager (in the notes field of the relevant entry) or printed and stored securely offline.
  • If your password manager supports TOTP, using it as both your password store and authenticator is convenient but creates a single point of failure. For highest security, keep 2FA in a separate app.

Password Hygiene Best Practices

  • Use a unique, randomly generated password for every account — at least 16 characters for important accounts.
  • Never share passwords via email, text, or messaging. Use your password manager's secure sharing feature if available.
  • Run your password manager's breach/reuse audit regularly and rotate any flagged credentials.
  • Use email aliases (SimpleLogin, addy.io) so that each account has a unique email address as well as a unique password.
  • For accounts you no longer use, delete them rather than leaving dormant credentials exposed to future breaches.

Tip

Start today, not tomorrow. Export your browser's saved passwords, import them into a proper password manager, then delete them from the browser. Disable the browser's built-in password saving. This single migration dramatically improves your security posture.