Here’s an uncomfortable truth: if you’re using the same password on more than one site, it’s not a matter of if your accounts will be compromised — it’s when.
Data breaches happen constantly. The credentials stolen from one site get tested against every other site automatically. This is called credential stuffing, and it’s one of the most common ways people get hacked.
The fix is simple in theory and slightly annoying in practice: every account needs its own unique, complex password. The only practical way to manage that is a password manager.
What a password manager actually does
A password manager is an app that:
- Generates strong, random passwords for every site (e.g. X7mK#nQp2@vLr9)
- Stores them in an encrypted vault that only you can unlock
- Fills them in automatically when you visit a site
You only need to remember one password — the master password that opens the vault. Everything else is handled for you.
The most common objection: “What if the password manager gets hacked?”
It’s a fair question. The answer is that reputable password managers encrypt your vault before it leaves your device — they store encrypted data, not your actual passwords. Even if their servers are breached, attackers get scrambled data they can’t read without your master password.
This has been tested in practice. LastPass had a breach in 2022. Attackers got the encrypted vaults — but couldn’t read them without users’ master passwords. (LastPass has other issues we’ll get to, but this illustrates the security model.)
Which password manager should you use?
1Password — best overall
Clean apps, excellent browser integration, family sharing built-in. The vaults are end-to-end encrypted and they’ve never had a significant breach. Slightly more expensive but worth it.
Bitwarden — best free option
Open source, so the code has been reviewed by the security community. The free tier is genuinely usable (unlike most competitors). If you’re not ready to pay for a password manager, start here.
What about the built-in browser/phone password manager?
Apple Keychain and Google Password Manager are both decent and better than nothing. They fall short on cross-device flexibility (Apple’s doesn’t work well on Android or Windows) and haven’t been scrutinized as publicly as the dedicated tools.
Getting started — the painless approach
Don’t try to change all your passwords at once. Instead:
- Install a password manager and set a strong master password
- Start saving your existing passwords as you log in to sites in the normal course of things
- While you’re logged in to a site, let the manager generate a new password for it and save that
- Over a few weeks, your important accounts will all be migrated
Focus on the most critical accounts first: email, banking, social media.
One more thing: turn on two-factor authentication
A password manager drastically reduces your risk, but combining it with two-factor authentication (2FA) means even a leaked password can’t unlock your account. Good password managers can store your 2FA codes too.
Staying secure doesn’t have to be complicated. A password manager and 2FA on your main accounts covers the vast majority of real-world threats.