How to choose a password manager that protects your accounts

By Boris Dzhingarov

A password manager is the most useful security tool that most people still ignore, and choosing the right one takes more thought than installing whatever sits at the top of a search result. The job it does is simple to describe: it generates long random passwords, stores them behind one master password, and fills them in at sign-in. The value is real. So are the trade-offs, and the gap between a strong product and a weak one is wider than the marketing lets on.

Most account takeovers do not begin with a clever hack. They begin with a password reused across sites, then exposed in a breach somewhere else. Attackers take those leaked email and password pairs and try them against other services, an approach called credential stuffing. When every account has its own unique password, that attack has nothing to work with.

What a password manager does

A password manager holds an encrypted vault of a person’s logins. The vault opens with one master password, ideally backed by a second factor, and the software handles everything after that: creating new passwords, saving them, and autofilling them on the correct site. Because there are no longer dozens of logins to remember, each one can be long and random, which is what current guidance asks for.

That shift in guidance is worth stating plainly. The latest NIST digital identity guidelines dropped the old rules about forced character mixing and scheduled resets, and put the emphasis on length and on screening new passwords against lists of known breached credentials. A password manager is what makes that advice usable, since no one is going to memorise a separate 20-character string for every account they own.

Why reused passwords are the real problem

Password reuse is the weak point attackers count on. One service gets breached, the stolen credentials get sold or dumped, and the same email and password combination is tried across banking, email, and shopping accounts. This is why security agencies now treat unique passwords as a baseline rather than a nicety. CISA lists using a password manager as one of a handful of core actions that individuals and businesses should take, because it makes unique passwords the default instead of a chore.

There is a second reason reuse is dangerous. An email account is usually the master key to everything else, since it can reset the password on almost any other service. When that one password is shared with a site that later leaks it, the damage spreads fast. Locking email behind a unique password and two-factor authentication is the highest-value change most people can make.

What to look for in a password manager

Not every product deserves trust, and the differences are practical rather than cosmetic. A few things separate serious options from the rest:

  • Published security architecture. The provider should explain how the vault is encrypted and confirm a zero-knowledge model, meaning the company cannot read stored passwords even if it wanted to.
  • Independent audits. Regular third-party security audits, published rather than merely promised, are a good sign.
  • Strong master password and clear recovery. The tool should allow a long passphrase and offer a recovery method that is easy to understand, such as a printed recovery key or a trusted device.
  • Multi-factor authentication on the vault itself. The login to the manager should support an authenticator app or a hardware key, not only SMS.
  • Cross-platform support. Apps and browser extensions should cover every device in use, since a manager that will not run on a phone will not get used.
  • A clear business model. Free tiers are fine, but the way the company makes money matters, along with whether the free plan restricts syncing or storage.

Established providers such as 1Password meet most of these on paper, with published audits and a zero-knowledge design, though the same checklist applies to any name under consideration, including open-source tools and the managers built into browsers. The point is to judge the product against the list, not the advertising.

The risks a password manager does not remove

A password manager reduces risk. It does not erase it, and pretending otherwise helps no one.

Putting every password in one vault concentrates the stakes. If the master password is weak or reused, the vault is only as safe as that single secret. The LastPass incident disclosed in 2022, where attackers obtained backup copies of encrypted customer vaults, showed why this matters: for accounts with a short or common master password, offline cracking became a real threat once the encrypted data was in attacker hands. A long master password that lives nowhere else is the defence.

Cloud sync adds convenience and a little exposure, since the encrypted data travels across the internet and sits on a server the user does not control. For most people that trade is worth it. Anyone with a higher risk profile can consider a manager that stores the vault locally instead. Autofill can also be tricked by fake login pages in some designs, so a tool that only fills credentials on the exact matching domain is safer than one that fills anywhere.
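The domain-matching point above is easy to see in code. This is an added example written for this article, not code from any password manager: a loose matcher that fills whenever the saved site name appears inside the current host, next to a strict matcher that requires HTTPS and the same registrable domain. The public-suffix list is a tiny constructed sample, not a full implementation.

```javascript
// Added example: loose vs strict site matching for autofill.
// PUBLIC_SUFFIXES is a constructed, partial stand-in for the real public suffix list.
const PUBLIC_SUFFIXES = new Set(["com", "net", "org", "co.uk"]);

// Return the registrable domain (eTLD+1) of a hostname,
// e.g. "login.bank.co.uk" -> "bank.co.uk", "www.example.com" -> "example.com".
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  // Longest suffix is tried first, so "co.uk" wins over "uk".
  for (let i = 0; i < labels.length - 1; i++) {
    const suffix = labels.slice(i + 1).join(".");
    if (PUBLIC_SUFFIXES.has(suffix)) return labels.slice(i).join(".");
  }
  return labels.slice(-2).join("."); // fallback when no known suffix matches
}

// The weak design: fill if the saved host appears anywhere in the page host.
// "bank.example.com.evil.net" contains "bank.example.com", so this fills on a lookalike.
function looseMatch(savedUrl, pageUrl) {
  const savedHost = new URL(savedUrl).hostname.toLowerCase();
  const pageHost = new URL(pageUrl).hostname.toLowerCase();
  return pageHost.includes(savedHost);
}

// The safer design: HTTPS only, and the registrable domains must be identical.
function strictMatch(savedUrl, pageUrl) {
  const saved = new URL(savedUrl);
  const page = new URL(pageUrl);
  if (page.protocol !== "https:") return false; // never fill over plain HTTP
  return registrableDomain(saved.hostname) === registrableDomain(page.hostname);
}
```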

None of this argues against using a password manager. It argues for choosing one carefully and setting it up with a strong master password and a second factor.

Setting up a password manager safely

The setup decides how much protection the tool delivers. The master password should be one that has never been used anywhere else, built as a long passphrase of several unrelated words rather than a short complex string. Multi-factor authentication for the vault should go on immediately. The recovery key belongs somewhere physical and secure. From there, the sensible order is to work through accounts starting with email and banking, letting the manager replace each old password with a fresh generated one. The process is slow for the first week and effortless after that.

Frequently asked questions

Is a password manager safe to use?

For nearly everyone, yes. A reputable password manager with a zero-knowledge design keeps the vault encrypted so the provider cannot read it, and the risk of using one is far lower than the risk of reusing passwords across sites. The main condition is a strong, unique master password that is not used anywhere else.

Are browser password managers good enough?

The managers built into browsers have improved and are a real step up from reusing passwords. They tend to offer weaker support across different ecosystems and fewer sharing and audit features than dedicated tools. For basic personal use they are acceptable. For anyone managing many accounts or business logins, a dedicated manager is the stronger choice.

What happens if the master password is forgotten?

That depends on the product. Zero-knowledge managers usually cannot reset a master password, since they never hold it, which is why recovery keys and trusted-device recovery exist. Recovery should be set up when the manager is first installed, with the recovery key stored offline. Losing both the master password and the recovery method can mean losing the vault.

Is a paid password manager worth it over a free one?

Sometimes, not always. Good free options exist, including strong open-source tools. Paid plans usually add unlimited device sync, secure sharing, breach monitoring, and family or team management. A free plan that covers the devices and features in question is a legitimate choice. Paying makes sense when the extra sync or sharing is needed, not out of habit.