
Password Managers: What They Are and Why You Probably Need One

A password manager solves the one problem that undermines almost every other security measure: humans are terrible at passwords, and the modern internet makes good passwords impossible to manage without help.

📖 The Basics

What It Is

A password manager is software that generates strong, unique passwords for every account you have and stores them in an encrypted vault. You remember one thing, typically your master password, and the manager handles every credential for every service you use. Most include browser extensions that autofill your credentials automatically when you visit a site, and mobile apps that do the same on your phone.

The vault is encrypted on your device before anything is synced anywhere. With reputable managers using a zero-knowledge architecture, the company's servers hold only encrypted data they cannot read.

How It Works

The core problem password managers solve isn't laziness. It's math.

An 8-character password, even with numbers and symbols, can be cracked by modern hardware in hours. A 16-character random password takes thousands of years with current tech. But no human can memorize a unique 16-character random string for every account they have. The rational response to that constraint has been password reuse: the same password everywhere. It is also one of the most dangerous things you can do online.

That's because of credential stuffing: attackers take credentials leaked in one breach and automatically try them against thousands of other services. If you reused that password on your bank, your email, and your work accounts, one breach cascades into total exposure.

A password manager breaks the cycle. Every account gets a different, randomly generated password. A breach with one service exposes only one credential, which is useless anywhere else. This keeps data breaches well-contained.

How Your Vault is Protected

With most services, your vault is encrypted using your master password, or more precisely a key derived from it. The manager runs your master password through a key derivation function (modern standards use Argon2id) that is deliberately slow and memory-hungry, so each guess against a stolen vault costs real time and hardware, which makes brute-force attacks significantly harder. The vault is encrypted before it ever leaves your device, so a proper zero-knowledge provider can't access your passwords.

This is why the strength of your master password matters. It should be long, random, and used nowhere else.

graph TD
    A["🔑 Your Master Password"] --> B["⚙️ Key Derivation Function<br/>(e.g., Argon2id)"]
    B --> C["🗝️ Encryption Key"]
    C --> D["🔒 Encrypted Vault<br/>AES-256"]
    D --> E["☁️ Synced to provider's servers as encrypted ciphertext only"]

    E --> F["What the provider sees:<br/>[Xk39#mQ!vL2@... gibberish]"]
    E --> G["What you see:<br/>proton.me | henry@... | p@ssw0rd123"]

Diagram: Your master password passes through a key derivation function to produce an encryption key, which locks your vault before it syncs. The provider's servers hold only unreadable ciphertext.


Cloud Sync vs. Local-Only

Most mainstream password managers sync your vault via their servers. Sync is convenient and automatic across your devices, and still secure if the zero-knowledge architecture is implemented correctly: the encrypted vault on their servers is useless without your master password.

But for people who don't want any cloud involvement, local-only managers store your vault as a file that lives entirely on your devices. You control where it lives and how it's backed up. The tradeoff is that syncing across devices becomes a process you manage yourself, but for users who want full control it's a solid option. I'll cover tips for local syncing later in this article.

Browser Extensions and Autofill

A browser extension is what helps make a password manager practical. When you visit a site, the extension detects the login form and fills your credentials, or prompts you to save new credentials when you create an account. The extension also serves as a phishing defense since it matches credentials to the exact domain they were saved for. If you're on a fake site impersonating your bank, the extension won't autofill, because the domain doesn't match.

Other Tools Password Managers Can Offer

Password managers have slowly become full security solutions with more than just basic password management, including features like:

  • Breach monitoring alerts you when an account's credentials appear in known data breaches.
  • Emergency access features let a designated trusted person request vault access after a waiting period you define, useful for estate planning or family emergencies.
  • Secure notes let you store recovery codes, license keys, or other text that needs to be protected but doesn't fit the username-password format.
  • Email aliasing allows you to automatically generate unique emails that forward to your regular email inbox for every account.

Some people want their password manager to be a focused piece of software, but others enjoy the extra usability provided.

What If I Forget My Master Password?

This question comes up a lot, and the answer is the same across every reputable zero-knowledge service: if you forget your master password, the provider cannot recover it for you. That's the whole point of zero-knowledge encryption: the company doesn't have a copy. Some managers offer optional recovery mechanisms (emergency access by a trusted contact, biometric unlock on a logged-in device, account recovery via a printed code), but none of them work by giving the provider a backdoor to your vault.

The practical implication is you need to assume you'll forget it. When you first create the master password, write it down on physical paper and store it somewhere secure like a safe, a sealed envelope with important documents, etc. Most managers also generate a "recovery key" or "emergency kit" during setup. Print it and store it the same way.

Take it seriously the day you set it up; you'll be relieved you did the day you need it.


🎯 Why It Matters

In December 2022, LastPass disclosed that attackers had stolen encrypted copies of its users' password vaults. The breach happened in stages: attackers first compromised a developer's laptop, then moved onward from there until they could access the company's encrypted cloud backups containing every user's vault. By early 2026, blockchain investigators had traced at least $35 million in cryptocurrency thefts to brute-force attacks on those stolen vaults.

This story isn't an argument against password managers. It's an argument for understanding what makes one trustworthy. LastPass's failures were specific: poor internal security hygiene, unencrypted metadata in vaults (website URLs, email addresses, and company names were all exposed in plaintext), and inadequate separation between developer environments and production secrets. Better-designed services handle each of these differently. Open-source code that can be independently inspected, regular third-party audits, and zero-knowledge architectures where even the provider can't read vault contents are meaningful distinctions.

The best password manager is the secure one you'll actually use consistently on all your devices. Pick one, migrate your most important accounts first and everything else over time, then enable 2FA on the vault itself; that covers the majority of meaningful improvement for most people. From there, you can evolve your security: add all remaining services, introduce stronger passwords for each one, add stronger 2FA, passkeys, and more.


💡 Common Misconceptions

"Cloud-synced password managers aren't safe."

While keeping it strictly offline is generally the safest option, a well-implemented cloud manager uses zero-knowledge encryption, so your vault is encrypted on your device before it reaches their servers. For most threat models, the convenience of easy sync across devices is worth more than the marginal additional risk surface. Don't let "should it be local-only?" debates keep you from starting at all.

"Browser extensions are too risky to use."

Extensions do add attack surface. They also provide one of the strongest anti-phishing signals available to a normal user since the extension won't autofill on a domain it didn't save credentials for. For many people, that anti-phishing benefit outweighs the extra surface, but higher-risk threat models can use a manager without the extension and copy/paste manually.

"If I can't use the 'best' option, I should use nothing."

Any password manager that generates unique, strong passwords for every account is dramatically better than reusing the same few passwords across the internet. Apple Passwords, Google's built-in manager, and Firefox's built-in manager are all valid starting points if you're not yet using anything. Get on something. Upgrade later.

"Picking a manager locks me in forever."

Every reputable, open-source password manager has a proper export and import. Migration is a real-but-small project. Pick something, start using it, and switch later if you outgrow it. The decision is reversible.

"What about 2FA and passkeys?"

Password managers are one piece of a broader account security picture. Two-factor authentication and passkeys are closely related topics worth understanding alongside them. See the Two-Factor Authentication and Passkeys articles for more.


πŸ—£οΈ Henry's Take

The most important thing I can share about password managers is also the most boring one: any password manager is almost always better than no password manager. I've seen people spend weeks comparing audit dates, key derivation functions, and architecture diagrams, while still logging into twenty sites with the same password they made up in college. That's the actual emergency. The gap between no manager and any reputable manager generating strong unique passwords is enormous. The gap between two reputable managers is comparatively small.

I use Proton Pass: the sync works consistently across every OS, I love the UI, and the SimpleLogin integration handles my aliasing in the same place. I migrated from KeePass, which I also loved, but managing a database file across machines was always a small amount of friction that eventually wore me down. If you're a KeePass user who wants to stick with it, clients that sync natively via a mainstream cloud provider work well (the vault is encrypted, so the cloud provider doesn't need to be trusted), or you can keep it fully offline and sync with Syncthing.

The advice I'd give a family member at dinner: pick anything that generates strong, unique passwords for every account. Apple Passwords if you're in the Apple ecosystem, Bitwarden if you're cross-platform, a notebook if you're old-school. Strong and unique is what matters for most people.


✅ Henry's Picks

These are managers I've actually used and migrated between.

  • Proton Pass: What I use. Zero-knowledge architecture, open-source apps, consistent cross-platform sync, and integrated email aliasing.
  • Bitwarden: Open source, audited regularly, generous free tier. The safe default if you want the most widely supported recommendation and aren't already in a specific ecosystem.
  • KeePass (with optional Syncthing for sync): Local-only, no servers, no business model. Best fit if you want full infrastructure control and don't mind each client on each OS having its own quirks.
  • Apple Passwords (built into iOS/macOS): A valid starting point for anyone deep in the Apple ecosystem who would otherwise not use a manager at all. Generates strong passwords, syncs through iCloud Keychain, and is everywhere on your devices.

For higher-risk threat models that want a separate authenticator for 2FA, see the Two-Factor Authentication article.

See the broader recommendation set at Techlore's SPA Tools.


🔗 Go Deeper

Techlore content:

  • Go Incognito v2, Lesson 3.2: Passwords

