Password Manager Best Practices

Choose, set up, and live with a password manager without locking yourself out.

Password Manager Best Practices in 2026
By Lena Park · Cybersecurity Editor
Reviewed by Ravi Subramanian · Network Security Researcher

Quick answer

A password manager generates and stores unique, strong passwords for every site, locked behind one master password you memorise. Pick a provider with end-to-end encryption, set a long passphrase, enable 2FA, and store an emergency recovery method offline.

Key takeaways

  • One unique password per site, generated by the manager.
  • The master password should be a long passphrase — never reused anywhere.
  • Enable 2FA on the manager itself.
  • Plan an offline recovery method before you need it.

Why a manager beats memorising

Humans recycle passwords; we can’t help it. A manager removes the temptation by generating unique 20+ character passwords for every site and filling them in for you.

Choosing one

Look for end-to-end encryption (the provider can’t read your vault), a recent third-party audit, and clear export options. Open-source options like Bitwarden are well-regarded; commercial options like 1Password offer polished interfaces and family plans.

Setting your master passphrase

Four to six unrelated words are easier to remember than a short string of symbols and just as strong. Don’t reuse the master passphrase anywhere else, ever.
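
Added example, not from the original article: the arithmetic behind the passphrase advice above. It assumes words are drawn at random from a 7776-word diceware-style list and compares them with random strings over the 94 printable ASCII characters; the embedded 16-word list is a constructed sample and the function names are illustrative.

```python
import math
import secrets

# Constructed 16-word sample so the block runs offline. A list this small
# gives only 4 bits per word; a real diceware-style list has 7776 words.
SAMPLE_WORDS = [
    "anchor", "biscuit", "canyon", "dynamo", "ember", "falcon", "glacier",
    "harbor", "igloo", "jigsaw", "kettle", "lantern", "meadow", "nectar",
    "orbit", "pebble",
]
DICEWARE_SIZE = 7776   # 6**5 entries, the size of the EFF long word list
PRINTABLE_ASCII = 94   # printable ASCII characters, space excluded


def passphrase(words, count, sep=" "):
    """Draw `count` words independently and uniformly with a CSPRNG."""
    if count < 1 or len(set(words)) != len(words):
        raise ValueError("need count >= 1 and a duplicate-free word list")
    return sep.join(secrets.choice(words) for _ in range(count))


def passphrase_bits(list_size, count):
    """Entropy in bits of `count` random picks from `list_size` words."""
    return count * math.log2(list_size)


def random_string_bits(alphabet_size, length):
    """Entropy in bits of `length` random characters from the alphabet."""
    return length * math.log2(alphabet_size)


def words_needed(list_size, target_bits):
    """Fewest random words whose entropy reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(list_size))


if __name__ == "__main__":
    print("sample passphrase:", passphrase(SAMPLE_WORDS, 5))
    for n in (4, 5, 6):
        print(f"{n} words: {passphrase_bits(DICEWARE_SIZE, n):.1f} bits")
    for length in (8, 10, 12):
        bits = random_string_bits(PRINTABLE_ASCII, length)
        print(f"{length} random symbols: {bits:.1f} bits, matched by "
              f"{words_needed(DICEWARE_SIZE, bits)} words")
```

The figures hold only when a generator or dice pick the words; words chosen by hand, or a phrase taken from a song or book, carry far less entropy than the calculation suggests.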

Recovery planning

Keep at least one recovery path: store an encrypted backup of your vault, keep a paper copy of your recovery codes in a safe, or designate an emergency contact within the app. Plan this on day one, not after you’ve been locked out.

Frequently asked questions

Is it safe to put all passwords in one place?

Yes, when the vault is end-to-end encrypted. The risk of password reuse is much greater than the risk of a well-built manager being breached.

Browser-built-in password managers — good enough?

Better than reuse, but dedicated managers offer cross-device sync, secure sharing, and stronger recovery.

What if the company goes out of business?

Export your vault periodically. Most managers offer encrypted exports.
