Password manager basics
A password manager solves three problems at once: you stop reusing passwords, you stop forgetting them, and you stop falling for fake sign-in pages. Used well it makes work easier; used badly it locks you out.
What It Does
The actual job of a password manager
Stores every login behind one master password
You remember one strong master password. The manager remembers everything else and fills it for you.
Generates strong, unique passwords
The manager creates a 20-character random password for every site so a breach at one site does not unlock the rest of your accounts.
Won't auto-fill on the wrong site
Password managers match by URL, so a fake "microsoft-login.evil.com" page will not get your password filled in. This catches more phishing than people realize.
Syncs between your devices
Sign in on your phone, your laptop, and your home computer; the same vault is on all of them.
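The URL matching described under "Won't auto-fill on the wrong site", sketched as an added example (not code from any password manager). The saved entry, the sample pages other than the article's fake host, and both function names are assumptions made for illustration; real managers use more detailed rules.

```javascript
// Added illustration: simplified model of URL-based autofill matching.
// Real managers differ (many compare registrable domains via the Public
// Suffix List); this sketch uses exact-host or dot-boundary subdomain rules.

// What a hurried reader effectively checks: "does the address mention the brand?"
function naiveLooksRight(savedUrl, pageUrl) {
  const brand = new URL(savedUrl).hostname.split(".").slice(-2, -1)[0];
  return pageUrl.includes(brand);
}

// What a manager checks: scheme, port and host must match the saved entry.
function shouldAutofill(savedUrl, pageUrl, { allowSubdomains = false } = {}) {
  let saved, page;
  try {
    saved = new URL(savedUrl);
    page = new URL(pageUrl);
  } catch {
    return false; // unparseable address: never fill
  }
  if (saved.protocol !== "https:" || page.protocol !== "https:") return false;
  if (saved.port !== page.port) return false;
  if (page.hostname === saved.hostname) return true;
  // Leading dot stops "notmicrosoft.com" matching "microsoft.com".
  return allowSubdomains && page.hostname.endsWith("." + saved.hostname);
}

// Constructed sample data: an assumed saved entry and pages a user might land on.
const SAVED = "https://login.microsoft.com/";
const PAGES = [
  "https://login.microsoft.com/signin",       // genuine
  "https://microsoft-login.evil.com/signin",  // the fake host from the article
  "https://login.microsoft.com.evil.com/",    // real name used as a subdomain label
  "https://login.microsoft.com@evil.com/",    // real name placed in the userinfo part
  "http://login.microsoft.com/signin",        // right host, no TLS
];

// Side-by-side verdicts: the brand glance versus the host comparison.
function compare() {
  return PAGES.map((page) => ({
    page,
    naive: naiveLooksRight(SAVED, page),
    manager: shouldAutofill(SAVED, page),
  }));
}

console.table(compare());
```

Every sample page passes the "mentions the brand" glance, but only the first one passes the host comparison, which is why a missing autofill prompt on a sign-in page is worth treating as a warning sign.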
Pick One
What to use
Use what your firm provides if it offers one
Many firms provide 1Password Business, Bitwarden Business, Keeper, or Dashlane. Use the work account for work passwords; that lets IT manage shared logins and recover access if you leave.
Built-in browser password managers count
Edge, Chrome, Safari, and Firefox all have built-in password managers tied to your browser sign-in. They are real and worth using if you do not want a separate app.
Personal recommendations: 1Password and Bitwarden
For personal use outside work, 1Password (paid) and Bitwarden (free or paid) are well-regarded.
Master Password
The one password you actually have to remember
Make it long, not complicated
A passphrase of four random words ("correct horse battery staple") is stronger and easier to remember than "P@ssw0rd!1". Aim for 16 characters or more.
Don't reuse it anywhere else
The master password protects every other password. If it appears on any other site, the entire vault is at risk.
Write it down ONCE and store it safely
A handwritten copy in a locked drawer at home is better than losing access to your vault. A sticky note on the monitor is not.
Set up account recovery
Most password managers have a recovery key or emergency contact option. Set one up the day you create the account.
Daily Use
Habits that make it work
Let the manager fill, don't copy and paste
Auto-fill is what protects you from phishing. If you copy and paste, you can paste into a fake site without realizing.
Save new logins as you create them
The manager will offer to save when you sign up for a new site. Always say yes.
Use it on your phone too
Install the password manager app on your phone and enable autofill in settings. Otherwise you will end up using simpler passwords for mobile.
Run the security audit feature occasionally
Most password managers can scan for reused passwords, weak passwords, and accounts found in known breaches. Fix the worst ones first.
What Not To Do
Common mistakes
Don't store work passwords in a personal browser's built-in manager
If you save your work Microsoft 365 password to your personal Chrome profile signed into your personal Google account, those credentials are now in your personal account — usually a policy violation.
Don't share passwords by email or chat
Most password managers have a secure-sharing feature. Use that instead of emailing a password to a coworker.
Don't disable MFA because the manager remembers passwords
The manager replaces remembering passwords; MFA replaces trusting passwords. You still need both.