Technology · Security & sovereignty
Password Managers: The One Step That Actually Matters
A password manager is the biggest security lever you can pull alone. Selection criteria, setup steps, and the emergency kit you need when things go wrong.
By Boaz Lichtenstein

Most security advice competes for your attention – VPN, 2FA, encrypted chats. One single step beats them all: a password manager. It fixes, in one move, the problem behind most hacked accounts – before you even get around to any of the other measures.
Key takeaways
- Reused passwords are why a leak at an online shop can suddenly endanger your email account – a password manager makes reuse unnecessary.
- Choose by principle, not by brand name: zero-knowledge architecture, independent audits, full platform coverage, an open export function.
- Setup takes four or five steps in one afternoon – including the emergency kit that decides between access or data loss in a real emergency.
- A password manager also serves as the bridge to passkeys: they need to live somewhere secure, usually right in this vault.
- Browser storage beats having no manager at all, but a dedicated manager offers more platform independence, better audits and a real emergency kit.
Why the manager comes first
The single biggest lever in digital security is mundane: unique passwords everywhere. Reuse is why a leak at an online shop can suddenly endanger your email account – attackers automatically test leaked combinations against other services, a technique known as credential stuffing that’s completely powerless against unique passwords. A password manager makes reuse unnecessary, because it remembers every password for you and generates a new, random one whenever needed.
It’s also the bridge to the next stage: passkeys will eventually replace the password for good, but they need to live somewhere secure – usually right inside this same manager (see our passkeys article). Anyone setting up a password manager today is therefore building not just the current security layer, but pre-building the next one too.
Selection criteria, not brand names
Rather than a top-ten list, it’s worth looking at the principles every reputable provider should meet:
- Zero-knowledge architecture – encryption happens on your device, the provider only ever sees ciphertext, and your vault data stays unreadable even in a server breach.
- Independent audits – regular, published third-party security reviews, not just the provider’s own say-so.
- Platform coverage – the manager has to run on all your devices and browsers, or gaps reopen where old habits creep back in.
- Export function – you need to be able to get your data out in an open format at any time, so you’re not chained to one provider.
Brand names change, companies get bought, business models shift – choosing by these four criteria makes a decision that still holds up in five years’ time.
From experience: the most common reason people postpone the switch, despite knowing better, is the fear of hours of setup work. In reality, it’s enough to start with the four or five most important accounts – every other login migrates into the manager on its own, the next time you sign in somewhere and the extension asks whether it should save the new password. The complete move of all your old accounts happens this way, in the background, over a few weeks, not in a single evening.
Three types of password managers compared
| Type | Advantage | Drawback |
|---|---|---|
| Cloud password manager (dedicated) | Cross-platform, usually audited, emergency kit included | Requires trust in the provider, possible subscription costs |
| Browser-built-in | Free, instantly available, no setup | Tied to browser/ecosystem, less often independently audited |
| Self-hosted | Full data control, no subscription lock-in | Requires your own maintenance, updates and backups – see our self-hosting basics |
Worked example: what a data breach costs without a manager
A reused password feels convenient right up until it doesn’t. A single data theft at an online shop can lead to full account takeover if the same password is also used for your email account: from the email account, password-reset links can be requested for practically every other service. People affected often put the time needed to recover a hijacked primary email account at several days to weeks – contacting support, providing proof, locked-out access to linked services. Setting up a password manager, by contrast, costs a single afternoon and makes exactly this scenario structurally impossible, because no password is identical across services any more.
Setup in 5 steps
- Choose a master password: long (several random words rather than character soup), unique, used nowhere else.
- Build the emergency kit right away: print out recovery codes or the secret key, store them physically, separately – following the same principle as an off-site copy in our 3-2-1 backup article.
- Migrate the most important accounts first: email, banking, your primary Apple/Google account – the accounts through which everything else can be reset.
- Disable browser autofill, use the extension: so new logins land automatically in the manager instead of browser storage.
- Enable a second factor for the manager itself: the vault that unlocks everything deserves more protection than a single login – ideally via an authenticator app rather than SMS.
Browser storage versus a dedicated manager
Honestly: the password storage built into your browser beats having no manager at all. But it stays tied to one browser and usually one ecosystem, rarely offers audits at the same level, and makes moving to a different provider cumbersome. A dedicated manager costs a few extra minutes of setup – in exchange, you get cross-platform access, a real emergency kit, and an architecture built for exactly this one purpose. For anyone who also works over public networks on the move, it’s worth a combined look at our article on VPNs – password managers and VPNs close different but related security gaps.
The most common mistakes when starting out
- Using the master password elsewhere too. Fix: it needs to be the one password that exists nowhere else – after all, it protects every other one.
- Not building an emergency kit. Fix: print recovery codes right at setup, not only once access is already gone.
- Only storing new logins in the manager, leaving old passwords unchanged. Fix: actively migrate existing, old passwords and replace them with generated ones as you go.
- Leaving browser autofill running in parallel. Fix: disable it, or new logins end up stored twice and inconsistently.
- Leaving the manager itself unprotected. Fix: enable a second factor for vault access – it’s the single most valuable target in the whole setup.
The bottom line
A password manager is the rare security step that works immediately and then requires almost no further effort. In the end, what matters less is which provider or variant you choose than the simple fact that you use unique passwords at all – the shift from reusing to generating is the real leap. Unlike many other security measures, it doesn’t demand ongoing discipline: once set up, the manager generates and stores every new password automatically, with nothing for you to remember at the next login. Anyone who invests this one afternoon has to worry considerably less about most other account-security concerns.