
We take no money from any app. Nothing here is sponsored. We rank by public security audits, open-source status, and breach history, not by who pays.

Picking a password manager you can trust

Using a password manager at all is the big win. It is the difference between one reused password protecting your whole life and every account having its own strong, unique secret. Once you decide to use one, the question becomes trust: this is software you are handing every key you own.

The honest one-paragraph answer. Pick a password manager that is end-to-end encrypted, portable across devices, independently audited, honest about incidents, and easy enough that you will actually use it. Open-source managers score well on inspectability; local-vault tools score well on user control; polished paid managers may be worth it if they make security stick. LastPass deserves caution because its 2022 incident involved unauthorized access to cloud-stored backup data including customer vault data. But do not let perfection freeze you: reused passwords are the real floor.

Weigh what you care about

| Axis | What to look for | Why it matters |
| --- | --- | --- |
| Unique passwords | Generator and autofill that make every account different | CISA promotes strong, unique passwords and password managers as basic protection |
| Vault security | End-to-end encryption, strong local key derivation, clear architecture | Your vault is the most sensitive file you own |
| Transparency | Public audits, open-source code, or detailed security white papers | Trust should be earned in the open |
| Incident history | Breaches disclosed quickly and handled with concrete steps | Track record predicts how they will treat the next incident |
| MFA and recovery | Strong MFA, recovery codes, emergency access that you understand | The master password is central, but account takeover protection still matters |

Secure the reset chain first

A password manager protects accounts, but some accounts protect the password manager. Start with the reset chain before trying to clean every login.

| Reset-chain piece | First move | Why it comes early |
| --- | --- | --- |
| primary email | unique password, MFA, recovery codes, forwarding review | it resets most other accounts |
| phone carrier | account PIN and port-out protection where available | phone numbers are often recovery keys |
| password manager account | long master passphrase and MFA | it becomes the vault door |
| recovery codes | offline copy in a known place | recovery should not depend on the lost device |
| banking and cloud storage | unique passwords, alerts, connected-app review | money and identity documents raise the stakes |

Once the reset chain is stable, importing and rotating old passwords becomes calmer. You are not just making passwords stronger; you are making account recovery less brittle.

Choose the vault shape by responsibility

Most password-manager debates mix together different jobs. Before comparing brands, decide what the vault has to be responsible for.

| Your situation | Better vault shape | What to avoid |
| --- | --- | --- |
| one person, many devices | audited cloud manager with good export and MFA | a tool that only works on one device you may lose |
| household or partner sharing | family plan with separate personal and shared vaults | one shared login that makes accountability impossible |
| small team or nonprofit | admin controls, offboarding, recovery policy, and role-based sharing | unmanaged spreadsheets, chat messages, or one founder's personal vault |
| high-risk public role | password manager plus phishing-resistant MFA for the reset chain | assuming a strong vault fixes weak email or phone recovery |
| local-control preference | local vault with disciplined backups and tested sync | a local file with no recovery plan |
| leaving a breached or stale provider | export, import, rotate in risk order, then delete plaintext files | trying to rotate every account before securing email and banking |

This framing keeps the choice practical. The best vault is not the most ideologically pure one; it is the one that reliably gives each account a unique secret, lets the right people recover access, and does not create a forgotten plaintext copy of everything.

A setup checklist

  1. Create a long master passphrase. It should be unique, memorable to you, and not reused anywhere else.
  2. Turn on multifactor authentication. Prefer phishing-resistant options where available; keep recovery codes somewhere you can actually find.
  3. Import, then clean. Bring in saved browser passwords, delete duplicates, and replace reused or weak passwords first.
  4. Prioritize account order. Email, banking, cloud storage, phone carrier, government accounts, work accounts, and the password manager itself come before low-risk forums.
  5. Practice recovery before crisis. Know what happens if your phone is lost, your laptop dies, or a family member needs emergency access.
  6. Export only deliberately. A vault export is sensitive plaintext unless protected. Delete temporary exports after migration.

Where passkeys fit

Passkeys are a useful upgrade, not a reason to stop caring about password managers. FIDO's passkey model uses public-key cryptography: the service keeps a public key, while your device, password manager, or security key keeps the private key. That makes passkeys much harder to phish than passwords, but the practical questions are still familiar: where is the credential stored, how does it sync, what happens if you lose a device, and can you leave the ecosystem later?

| Sign-in pattern | Good for | Watch out |
| --- | --- | --- |
| Synced passkey in a password manager | Everyday accounts that support passkeys | Recovery and provider lock-in matter more |
| Passkey on a hardware security key | High-risk email, admin, finance, or public-interest accounts | Buy a backup key and store recovery codes |
| Password plus MFA | Sites that do not support passkeys yet | Keep a unique random password in the manager |
| Browser or OS credential manager | Fast setup inside one ecosystem | Portability can be weaker than a cross-platform manager |

The sane default is not "passwords or passkeys." Use passkeys where they are available and recoverable, keep unique passwords for the long tail of accounts, and protect the email, cloud, and device accounts that can reset everything else.

Build a recovery packet without weakening the vault

The password manager is only as usable as your recovery plan. Create a small offline packet that explains how to recover access without exposing every password to everyday risk. It can include the manager name, recovery-code location, emergency-contact instructions, device-unlock guidance, and where a sealed master-passphrase backup lives if you choose to keep one. Store it somewhere boring and controlled, not in a cloud note called "passwords."

| Recovery item | Good storage pattern | Risk to avoid |
| --- | --- | --- |
| MFA recovery codes | printed or encrypted offline copy | codes trapped only on the lost phone |
| emergency access instructions | trusted contact or estate document | family locked out during crisis |
| vault export | temporary encrypted migration file only | forgotten plaintext copy |
| master-passphrase backup | sealed, physical, and deliberate if used | casual duplication that defeats the vault |

Recovery is not an afterthought. It is part of the security design, especially for households, small teams, caregivers, and anyone whose accounts other people may someday depend on.

Rotate in risk order

| Account type | Why it comes early | Extra move |
| --- | --- | --- |
| Email | Resets many other accounts | Strong MFA, recovery codes, review forwarding rules |
| Password manager | Holds the vault | Long master passphrase, phishing-resistant MFA if available |
| Banking and payments | Direct financial loss | Unique password, app alerts, recovery phone check |
| Cloud storage | Identity documents and personal archives | Review shared links and connected apps |
| Phone carrier | SMS recovery and number porting | Account PIN and port-out protection where available |
| Social accounts | Impersonation and scam risk | MFA, backup codes, connected-app cleanup |
| Work and school | Employer or institutional exposure | Follow policy, do not mix personal recovery paths casually |

You do not have to clean the whole internet in one heroic weekend. Fix the accounts that can reset other accounts, move money, expose documents, or impersonate you. Then let the password manager do its quiet work as old passwords surface.

Sharing without leaking

Families, partners, and small teams often share streaming, utilities, travel, medical portals, or emergency documents. Use the manager's sharing feature rather than text messages, screenshots, spreadsheets, or shared notes. Give each person their own account where possible, separate shared vaults from personal vaults, and decide who can recover access if someone loses a device or dies. Security advice gets real when other people depend on it.

What good looks like after thirty days

You do not need a perfect vault to be meaningfully safer. A strong first month looks like this: the primary email, phone carrier, bank, cloud storage, and password-manager account have unique passwords and MFA; recovery codes are stored somewhere offline; browser-saved duplicates have been cleaned up; shared household or team secrets have moved into shared vaults; and any migration export has been deleted or encrypted. After that, let the manager surface old weak passwords gradually instead of turning the cleanup into a heroic project that never starts.

The traps

  • "Military-grade encryption." Almost everyone says this. Architecture, audits, defaults, and incident response matter more than the slogan.
  • Browser-only lock-in. Built-in managers are a good start, but a dedicated portable manager can make it easier to leave one ecosystem.
  • Closed source equals bad. Not automatically. But closed products need stronger external audits and clearer explanations.
  • Weak master password. A password manager does not save you if the vault password is short, reused, or guessable.
  • Ignoring recovery. If you lose the master password and recovery method, you may lose the vault. Plan before panic.
  • Sharing by text. Family and team sharing should use the manager's sharing tools, not screenshots or chat messages.
  • Breach paralysis. A provider incident is serious, but staying with reused passwords forever is usually worse.
  • Plaintext export drift. Migration files are easy to forget and may contain every secret in one exposed file.
  • MFA trapped on one device. If your second factor dies with your phone, recovery can become the emergency.

A reasonable default

For most people, choose a reputable audited manager that works on every device you use, then protect it with a long unique master passphrase and multifactor authentication. If you are technical and want maximum local control, consider a local-vault approach. If you are moving away from a breached provider, rotate the passwords that matter most first: email, banking, cloud storage, password manager account, and anything that can reset other accounts.

Cloud vault, local vault, or ecosystem manager?

A cloud password manager is usually easiest across phones, laptops, and family accounts. A local-vault manager gives more control but demands better backup discipline. A browser or operating-system manager can be a good first step, especially if it gets someone away from reuse, but it can deepen ecosystem lock-in. The best choice is the one that produces unique passwords everywhere and that you can recover without making recovery itself the weak link.

Useful anchors: CISA strong password guidance, CISA multifactor authentication guidance, NIST SP 800-63B, NIST's Digital Identity Guidelines FAQ, FIDO Alliance Passkey Central, FTC Consumer Advice on protecting personal information, and LastPass's December 2022 incident notice.

Compare password managers on privacy, openness, and security record by your own weighting in the password-managers explorer.
