Your Browser’s Password Manager Is Not a Password Manager. Switch to One That Is.


Your browser has been quietly saving your passwords for years. Every time you log into something and dismiss the “save password?” prompt with a quick click, or worse, accept it without thinking, you’ve been building a credential database inside a piece of software that connects to the internet all day, every day. Google Chrome’s password manager syncs your credentials to Google’s servers. Safari sends them to iCloud. Edge saves them to Microsoft’s cloud. These are all companies that have faced security incidents, government data requests, and major platform breaches in recent years.

The case for a dedicated password manager is not complicated. It is just easy to ignore until something goes wrong.

Why You’re Reusing Passwords (And What That Actually Costs You)

The average person manages somewhere between 70 and 100 online accounts. They typically use between 5 and 15 unique passwords across all of them, which means most accounts share a password with at least one other service. This is what makes credential stuffing work, and it is the reason data breaches keep snowballing. A company you've never heard of gets breached, your email and password combination ends up on a dark web list, and an automated script tries that combination against your bank, your email provider, and your Amazon account. If the password matches anywhere, the script succeeds.

You can check how many times your email address appears in known data breaches at HaveIBeenPwned. Most people who check this for the first time find their email in at least three or four breaches. The site was built by security researcher Troy Hunt, and it indexes over 14 billion compromised accounts from hundreds of documented breaches. It’s free and takes about ten seconds to use.

What a Password Manager Actually Does

A password manager stores your credentials in an encrypted vault. The encryption happens on your device before anything leaves it. If the password manager company gets breached, the attackers get an encrypted blob that is useless without your master password, which the company never has. This is called zero-knowledge architecture, and it is the non-negotiable baseline for any password manager worth using.

The practical benefit is that you can use a different, randomly generated, genuinely complex password for every service you use, and you only have to remember one thing: the master password to your vault. The password manager fills in everything else automatically.

A good generated password looks like this: Xk9#mP2@vQ7!nL4r. You could not remember this. You do not need to. The password manager knows it. If that site gets breached and that specific password ends up on a list, it doesn’t matter, because it doesn’t work anywhere else.
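As an added illustration of the two mechanisms just described (example code, not from this post or from any of the products it names): a CSPRNG-based generator for per-site passwords, and a simplified zero-knowledge split in which the master password yields a vault key that never leaves the device plus a separate login verifier that is all the server ever stores. The PBKDF2 parameters and the split itself are assumptions for illustration, not any product's exact scheme.

```python
import hashlib
import hmac
import math
import secrets
import string
from typing import Tuple

SYMBOLS = "!@#$%^&*"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS  # 70 characters


def generate_password(length: int = 16) -> str:
    """Draw every character from the OS CSPRNG (never random.choice);
    re-draw until all four character classes are present, so sites with
    composition rules accept it without the user editing it by hand."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in SYMBOLS for c in pw)):
            return pw


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Guessing resistance of a uniformly random password of this shape:
    16 characters over 70 symbols is about 98 bits; P@ssw0rd1 is far less."""
    return length * math.log2(alphabet_size)


def derive_keys(master_password: str, email: str, iterations: int = 600_000) -> Tuple[bytes, bytes]:
    """Simplified zero-knowledge split (an assumption for illustration):
    - vault_key: derived on the device, used to encrypt the vault, never transmitted;
    - auth_hash: a second one-way derivation that is sent to the server at login.
    The server can check auth_hash but cannot invert it to recover vault_key,
    so a breach of the server yields ciphertext it cannot open."""
    salt = email.strip().lower().encode()
    vault_key = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations)
    auth_hash = hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1)
    return vault_key, auth_hash


def server_login_ok(stored_auth_hash: bytes, presented_auth_hash: bytes) -> bool:
    """All the server ever does: a constant-time compare of the verifier."""
    return hmac.compare_digest(stored_auth_hash, presented_auth_hash)
```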

The Options

Bitwarden is the recommendation for most people. It is open source, which means its security architecture has been reviewed by independent researchers who have no financial interest in making it look good. It has a free tier that covers every feature most people need. The premium plan costs $10 per year and adds things like hardware security key support and health reports. It works on every platform, including Linux, which matters if you’re the type of person who cares about this stuff enough to read an article about it. There is also a self-hosted option if you want to run your own server and never have your encrypted vault touch Bitwarden’s infrastructure at all.

1Password is the option for people who want something that feels more polished and are willing to pay for it. The interface is excellent. Family and team sharing features are well-implemented. The Travel Mode feature, which hides specific vaults when you’re crossing a border where you might be compelled to unlock your device, is genuinely thoughtful. It costs $3 per month for individuals or $5 for a family of five.

Proton Pass is worth knowing about if you're already in the Proton ecosystem (ProtonMail, ProtonVPN). It's open source, based in Switzerland under Swiss privacy law, and includes built-in email alias generation, which means you can give every website a different email address and shut down the alias if it starts getting spam. It addresses the broader question of how much data you hand over to the services you use in a way that the others don't.

What to avoid: LastPass. The company had a major breach in 2022 that exposed encrypted vault data. Subsequent analysis showed that the encryption parameters for older accounts were weaker than advertised. The architectural response to the breach was not reassuring. The company has a long history of overpromising security guarantees and underdelivering on them. There are too many good alternatives to settle for a service with that track record.

The Setup Takes About 20 Minutes

Installing a password manager has a one-time friction cost that people consistently overestimate. Here’s the actual sequence: install the app, install the browser extension, create an account with a strong master password you write down and store somewhere physical, then go through your saved passwords in your browser and move them over. Bitwarden has an import tool that pulls directly from Chrome, Safari, and Firefox with one click.

After that, every time you log into something, the extension fills it in automatically. When you create a new account somewhere, it generates a strong password and saves it. The ongoing effort is effectively zero. The friction was all upfront, and it’s done.

The one thing people consistently procrastinate on is setting a recovery method. Write down your master password and put it somewhere physically secure: a fireproof box or a safe, alongside your important documents. If you lose access to your master password and have no recovery method, your vault is gone. This is not a hypothetical disaster scenario; it's the logical consequence of zero-knowledge encryption. The company genuinely cannot help you. Write it down.

Two-Factor Authentication Is Also Required

A password manager is necessary but not sufficient. Two-factor authentication (2FA) adds a second layer: even if someone gets your password, they also need access to your phone or hardware key to log in. Every service that offers 2FA should have it enabled. Start with email, banking, and any service that stores payment information.

Avoid SMS-based 2FA where possible. Text message codes can be intercepted through SIM-swapping attacks, where someone convinces your mobile carrier that they are you and transfers your number to their SIM card. It’s more work for an attacker than having no 2FA at all, but it’s meaningfully weaker than an authenticator app.

App-based 2FA (Google Authenticator, Authy, or the built-in 2FA in Bitwarden or 1Password) generates codes on your device. Even if an attacker has your password, they need the device in your hand to generate the current code. Even the tools security researchers use to probe systems don't make this easy to bypass. Some rules exist for good reasons, even if they feel like extra friction at first.

The internet is full of bad advice about passwords. “Make them complex” led to P@ssw0rd1. “Change them every 90 days” led to P@ssw0rd2. A password manager sidesteps all of it. Different, random, unguessable credential for every site, remembered by software designed to remember things. That’s the whole solution. The technology has been mature for a decade. The only thing stopping most people is a 20-minute setup.


Sources: HaveIBeenPwned — Troy Hunt | Best Password Managers 2026, CyberInsider | Bitwarden open source audit reports

