What is a password manager, and is it safe to use one?

Quick answer

A password manager is an app that generates a unique strong password for every account and remembers them for you behind one master password — yes, it is much safer than reusing the same password, even though all your passwords sit in one place.

What it's NOT

A password manager is NOT a single point of failure that ruins everything if it leaks. Reputable ones store an encrypted vault that even the company itself cannot read; a breach of the company does NOT mean attackers can read your passwords. The real risk is forgetting your master password or being phished into typing it on a fake page.

More context

A password manager is an app that does two things on your behalf: generate a long, unique password for every account you have, and remember those passwords so you do not have to. You unlock the app with one master password (and ideally a second factor), and after that everything else logs in automatically.

The reason this matters is simple: the single biggest cause of personal account takeover is password reuse. When one website you barely remember signing up to gets breached, attackers run the leaked email + password pairs against banks, email providers, and social networks. If you used that password anywhere else, the attacker is in. A password manager makes every password different, so a breach of one site cannot cascade.

How the “all eggs in one basket” objection actually works out:

  • The vault is encrypted on your device before it ever leaves it. The password-manager company holds an encrypted blob; they cannot decrypt it without your master password.
  • A breach of the company is not automatically a breach of your passwords. You have one master password to defend, not a hundred.
  • The realistic ways people get burned are: a weak or reused master password, falling for a fake login page that captures the master password (so turn on two-factor authentication on the password manager itself), or losing access because the master password was forgotten and no recovery was set up.

Practical setup for an ordinary household:

  1. Pick one — 1Password, Bitwarden (free + open-source), Proton Pass, Dashlane, or KeePass for the technically inclined. Avoid sketchy free apps from anonymous publishers.
  2. Choose a long passphrase as master password — four random words is plenty. Write it down on paper and store the paper in a safe place.
  3. Turn on two-factor authentication on the password manager itself.
  4. Import or save your existing passwords as you log in. Replace the reused ones first — your email account, your bank, anything financial.
  5. Set up a family/shared vault for household logins so you stop texting Wi-Fi keys.

Browser-built-in managers (Chrome, Safari, Firefox) are a valid starting point. The upgrade to a dedicated manager is mostly about cross-platform sharing, family vaults, and handling things that are not strictly websites (Wi-Fi keys, app passwords, secure notes). The important step is using any password manager rather than a list in a Notes app or — worse — the same password everywhere.

People also ask

What happens if my password manager gets hacked?

Reputable password managers store your vault encrypted with your master password — they themselves cannot read it. If the company is breached, attackers get encrypted blobs they would have to brute-force one master password at a time. As long as your master password is long and unique (a passphrase like four random words is enough), the practical risk is very low. The famous 2022 LastPass breach is the cautionary tale: vaults were leaked but a strong master password protected most users; weak ones were cracked.

Should I use my browser's built-in password manager or a separate one?

Chrome, Safari, Firefox and Edge all include decent built-in managers, and they are far better than reusing passwords. Their main limitations are: they live in your browser profile (sharing across devices is tied to your Google/Apple/Microsoft account), they handle non-web passwords (apps, Wi-Fi keys, software licenses) less well, and you have weaker control over export and migration. A dedicated manager (1Password, Bitwarden, Proton Pass, Dashlane, KeePass) is a small upgrade, not a different category.

What makes a strong master password?

Length beats complexity. Four to six random unrelated words separated by spaces or dashes is dramatically stronger than 'P@ssw0rd!23' and much easier to remember. Never reuse your master password anywhere else. Write it down on paper and store it somewhere safe — a forgotten master password locks you out of everything.

Can I share passwords with family using a password manager?

Yes, this is one of the best reasons to use one. Most family/team plans let you create a shared vault for things like the Netflix login, the home Wi-Fi key, or the bank card PIN. Sharing through the manager is safer than texting passwords or writing them on a sticky note, and you can revoke access cleanly when someone moves out, switches jobs, or leaves the household.
