Password Manager

Do You Actually Need a Password Manager in 2026?

The honest answer: yes, almost certainly. Here's what a password manager actually does, what happens if you don't use one, and how to choose the right one without overcomplicating it.

  1. NordPass: 8.6
  2. Proton Pass: 8.5
  3. 1Password: 9.4
  4. Bitwarden: 9.2
  5. Dashlane: 8.8

If you’re reading this, you probably already have a suspicion that you should be using a password manager. You’re right. But before we get to which one you should use, it’s worth understanding why — because the reasons are more urgent than most people realise.

The average person has over 100 online accounts. Most people use the same 3–5 passwords across all of them. If any one of those services gets breached — and thousands do every year — every account sharing that password is immediately at risk.

This is not theoretical. It happens constantly, to ordinary people, and the consequences range from annoying (losing access to a streaming account) to genuinely damaging (bank account drained, identity stolen, years of credit history wrecked).

What a Password Manager Actually Does

Strip away the marketing and a password manager does three things:

  1. Generates strong, unique passwords for every account you create — long, random strings that are impossible to guess and different for every site.
  2. Stores them in an encrypted vault that only you can open, using one master password you actually memorise.
  3. Fills them in automatically when you visit the site — so you never have to remember or type them.

The result: every account has a different, unguessable password. A breach at one site exposes that one password — and nothing else. You change that one password, move on. No cascade.

That’s the core value. Everything else — breach monitoring, secure notes, family sharing, travel mode — is a bonus.

What Happens If You Don’t Use One

Let’s be direct about the risk of the status quo.

Password reuse is the most common attack vector

Attackers don’t usually “hack” your specific account by breaking its encryption. They buy lists of username and password combinations leaked from previous breaches — billions of these are freely available on the dark web — and try them against other services automatically. This is called credential stuffing.

If you use the same password on a breached forum from 2019 and your email account, your email is already compromised. You just don’t know it yet.

Browser saved passwords are not the same thing

Chrome, Safari, and Firefox all offer to save your passwords. This is better than nothing — but it’s not a password manager. Here’s why:

  • They don’t generate strong passwords — they save whatever you type, including weak ones.
  • They’re tied to one browser — switch browsers or devices and you lose access.
  • No zero-knowledge encryption — your passwords are accessible to Google or Apple under their terms, including in response to legal requests.
  • No breach monitoring — Chrome will warn you about some compromised passwords, but coverage is incomplete.
  • No secure notes, payment cards, or document storage — a password manager stores everything sensitive, not just login credentials.

Browser password saving is a starting point. A password manager is the real tool.

The maths of weak passwords

An 8-character password using letters and numbers has roughly 2.8 trillion possible combinations. Sounds like a lot. A modern GPU can test 10 billion combinations per second. That’s a cracked password in under five minutes.

A randomly generated 20-character password from a password manager has more combinations than there are atoms in the observable universe. It will not be cracked in your lifetime. Or anyone else’s.

The One Thing That Actually Matters: Your Master Password

Everything in a password manager is protected by your master password. This is the only password you need to memorise — and it needs to be strong.

The failure mode that exposed LastPass users in 2022 was not a flaw in the encryption. It was users with weak master passwords. Attackers stole encrypted vault data — and for users with short or common master passwords, those vaults could be cracked.

How to create a strong master password:

Use a passphrase — four or more random words strung together. Something like “correct-horse-battery-staple” (don’t use that one specifically). Long, random, and actually memorable. Avoid:

  • Your name, pet name, or any personal information
  • Words from pop culture, song lyrics, or common phrases
  • Any password you’ve used anywhere before
  • Anything under 16 characters

Then enable two-factor authentication on your vault. This is the second most important thing you can do — even if someone gets your master password, they still can’t open your vault without the second factor.
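The arithmetic from "The maths of weak passwords" and the passphrase advice above, as an added example that is not part of the original article: it generates secrets with Python's `secrets` module and computes entropy and worst-case search time at the article's 10 billion guesses per second. The sample word list is constructed and deliberately tiny, and the 7776-word list size (a Diceware-style list) is an assumption; the guess rate describes fast hashes, not a vault's deliberately slow key derivation.

```python
import math
import secrets
import string

GUESSES_PER_SECOND = 10_000_000_000  # single-GPU rate quoted in the article
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
# Constructed 16-word list, for illustration only: far too small for real use.
SAMPLE_WORDS = ("anchor basil cobalt dune ember fjord glacier harbor "
                "indigo juniper kelp lantern meadow nickel orchid pebble").split()

def entropy_bits(choices: int, picks: int) -> float:
    """Bits of entropy when each of `picks` symbols is drawn uniformly from `choices`."""
    return picks * math.log2(choices)

def seconds_to_exhaust(choices: int, picks: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at `rate` guesses per second."""
    return choices ** picks / rate

def random_password(length: int = 20, alphabet: str = FULL_ALPHABET) -> str:
    """Draw each character from the OS CSPRNG; the `random` module is not for secrets."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

def random_passphrase(words, count: int = 4, sep: str = "-") -> str:
    """Pick words independently and uniformly: entropy is count * log2(len(words))."""
    return sep.join(secrets.choice(words) for _ in range(count))

def compare():
    """(label, entropy bits, seconds to exhaust) for the schemes discussed above."""
    schemes = [
        ("8 chars, lowercase letters + digits", 36, 8),
        ("20 chars, full printable set", len(FULL_ALPHABET), 20),
        ("4 words from the 16-word sample list", len(SAMPLE_WORDS), 4),
        ("4 words from a 7776-word list", 7776, 4),   # assumed list size
        ("6 words from a 7776-word list", 7776, 6),   # assumed list size
    ]
    return [(label, entropy_bits(c, n), seconds_to_exhaust(c, n)) for label, c, n in schemes]

if __name__ == "__main__":
    print(random_password(), random_passphrase(SAMPLE_WORDS))
    for label, bits, secs in compare():
        print(f"{label:40s} {bits:6.1f} bits  {secs:.3g} s")
```

A passphrase's strength comes from the size of the list and the number of words drawn, not from how long it looks, which is why the word count and the randomness of the selection both matter.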

Which Password Manager Should You Use?

If you want the best free option: Bitwarden

Bitwarden’s free tier includes unlimited passwords across unlimited devices with full sync — everything most people need. It’s open-source, meaning the code is publicly auditable by anyone. It was independently audited by Cure53 in 2022 and 2024, with both audits finding no critical vulnerabilities. You can self-host your entire vault on your own server if you want complete data sovereignty.

The premium tier at $19.80/year adds authenticator code (TOTP) storage and vault health reports. For most users the free tier is sufficient.

Best for: Anyone who wants full-featured password management at no cost, with the most transparent security architecture available.

If you want the best user experience: 1Password

1Password is the most polished password manager available — consistently rated best-in-class for interface design across every platform. The Watchtower feature monitors for data breaches in real-time. Travel Mode lets you hide specified vaults entirely when crossing borders — genuinely useful for frequent international travellers and journalists.

At $3.99/month for individuals and $4.99/month for families (up to 5 people), it’s more expensive than Bitwarden — but the experience difference is real and worth it for users who value polish.

No free tier. 14-day trial available.

Best for: Anyone who prioritises experience over cost, families, and professionals who travel internationally.

If you want privacy-first: Proton Pass

Proton Pass is built by the team behind ProtonMail and governed by Swiss law. All client apps are open-source. In early 2026, Proton cut its price to $1.99/month — making it the most aggressively priced privacy-focused option.

The standout feature is email alias generation — when signing up for a new service, Proton Pass creates a throwaway email address that forwards to your real inbox. If that service leaks your data, you delete the alias and the problem is contained. Your real email address is never exposed.

Free tier includes 10 email aliases. Paid includes unlimited.

Best for: Privacy-conscious users who want Swiss-governed, open-source protection with email alias capabilities.

If you want a VPN bundled in: Dashlane

Dashlane is the only password manager that includes a VPN and dark web monitoring in its subscription. At $4.99/month, if you were planning to pay for both a password manager and a basic VPN separately, the bundle can represent savings.

Note: the bundled VPN (Hotspot Shield) is not the strongest privacy-focused option. If VPN privacy is important to you, pair Bitwarden with a dedicated VPN instead.

Free plan was discontinued in September 2025.

Best for: Users who want password management and a VPN in a single subscription.

If you want the cheapest premium option: NordPass

NordPass is from Nord Security — the team behind NordVPN — and uses XChaCha20 encryption, which is more modern than the AES-256 used by most competitors. Frequently on promotion at $1.59–1.99/month, making it the most affordable premium password manager. A free tier is available, though limited to one active device at a time.

Best for: NordVPN users wanting a discounted bundle, or users who want modern encryption at a budget price.

What About Passkeys?

Passkeys are a newer authentication standard that replaces passwords entirely. Instead of typing a password, you authenticate using your device’s biometrics — Face ID, Touch ID, or a fingerprint reader. The cryptographic key lives on your device and never travels over the internet.

Passkeys are phishing-resistant by design — there’s nothing to steal, because the key never leaves your device. They’re faster and more convenient than passwords. As of 2026, they work across most major platforms and websites.

Do password managers still matter in a passkey world?

Yes — for two reasons:

First, the transition will take years. Thousands of sites won’t support passkeys for a long time, and you’ll need passwords for those. A password manager handles the transition period seamlessly.

Second, password managers now store and sync passkeys too. All the major managers on this list — 1Password, Bitwarden, Dashlane, Proton Pass, NordPass — support passkey storage with cross-device sync. This solves one of the main passkey challenges: using a passkey created on your iPhone on a Windows device, or vice versa.

Think of a password manager as your credential manager — passwords and passkeys alike. It remains the right tool regardless of which authentication method the site uses.

Common Objections — Answered Honestly

“What if the password manager gets hacked?”

This is the most common concern, and it’s worth addressing directly. With a properly implemented zero-knowledge architecture, a breach of the password manager’s servers exposes only encrypted data — not readable passwords. The provider literally cannot see your vault, even if they wanted to.

What matters is your master password strength. A strong master password (16+ characters, random) means your encrypted vault data is uncrackable even if it’s stolen. This is the lesson from the LastPass breach: the encryption held for users with strong master passwords. It failed for users with weak ones.

“I already use a strong password everywhere”

One strong password used on multiple sites is not meaningfully better than a weak one used on multiple sites. The risk is not someone guessing your password — it’s your password being leaked from a site that gets breached. When that happens, the password is known in plaintext. How strong it was is irrelevant.

The only protection is a unique password per site. A password manager is the only realistic way to achieve this across 100+ accounts.

“My browser already saves my passwords”

Covered above — browser saving is convenient but not equivalent. The key gaps are: no strong password generation by default, no zero-knowledge encryption, no cross-browser portability, no breach monitoring with complete coverage, and no storage for secure notes, payment cards, or documents.

“I’m not a target — why would anyone hack me?”

Credential stuffing attacks are not targeted. They are automated systems that test billions of credential combinations against millions of accounts simultaneously. Everyone with an email address is a potential target. The question isn’t whether you’re interesting enough to be attacked — it’s whether your credentials are in a leaked database somewhere (statistically, they are) and whether reusing passwords means that exposure leads to further damage.

How to Get Started in 15 Minutes

The most common reason people don’t use a password manager is that getting started feels overwhelming. It isn’t. Here’s the practical path:

  1. Download Bitwarden (free) or sign up for 1Password (14-day trial). Install the browser extension.
  2. Import your browser saved passwords. Both services have one-click importers. Go to your browser settings, export your saved passwords, and import the file. Done — all your existing passwords are in the vault.
  3. Set a strong master password. Write it on paper and store it somewhere safe (a home safe, or a sealed envelope). This is your only point of failure.
  4. Enable two-factor authentication on your vault using an authenticator app. Takes three minutes.
  5. From now on: whenever you create a new account anywhere, let the password manager generate the password. You’ll never have to remember or type it — the browser extension fills it in automatically.
  6. Over the next few weeks: when you log into sites you use regularly, let the password manager update those passwords to generated ones. You don’t need to update everything immediately.

The transition is gradual. Within a month, the vast majority of your important accounts will have unique generated passwords and you’ll have stopped thinking about it.

The Bottom Line

The question isn’t whether you need a password manager. You do. The question is which one fits your situation.

If budget is the priority: Bitwarden free.
If experience is the priority: 1Password.
If privacy is the priority: Proton Pass.
If you want everything bundled: Dashlane.
If you’re a NordVPN user: NordPass.

Whatever you choose, the most important thing is to start. Every week you spend without a password manager is another week where a breach at any one of your accounts creates a cascade of exposure across all the others.

The services above have all been tested hands-on. Pick one and set it up today. It takes less time than you think.

โ† Free vs. Paid VPN: Is It Worth Paying in 2026? Reduce Identity Theft Risk Guide for 2026 โ†’
๐Ÿ† Top Picks NordPass โ†—