Picking a password manager you can trust
Using a password manager at all is the big win. It is the difference between one reused password protecting your whole life and every account having its own strong, unique secret. Once you decide to use one, the question becomes trust: this is software you are handing every key you own.
The honest one-paragraph answer. Pick a password manager that is end-to-end encrypted, portable across devices, independently audited, honest about incidents, and easy enough that you will actually use it. Open-source managers score well on inspectability; local-vault tools score well on user control; polished paid managers may be worth it if they make security stick. LastPass deserves caution because its 2022 incident involved unauthorized access to cloud-stored backup data including customer vault data. But do not let perfection freeze you: reused passwords are the real floor.
Weigh what you care about
| Axis | What to look for | Why it matters |
|---|---|---|
| Unique passwords | Generator and autofill that make every account different | CISA promotes strong, unique passwords and password managers as basic protection |
| Vault security | End-to-end encryption, strong local key derivation, clear architecture | Your vault is the most sensitive file you own |
| Transparency | Public audits, open-source code, or detailed security white papers | Trust should be earned in the open |
| Incident history | Breaches disclosed quickly and handled with concrete steps | Track record predicts how they will treat the next incident |
| MFA and recovery | Strong MFA, recovery codes, emergency access that you understand | The master password is central, but account takeover protection still matters |
Secure the reset chain first
A password manager protects accounts, but some accounts protect the password manager. Start with the reset chain before trying to clean every login.
| Reset-chain piece | First move | Why it comes early |
|---|---|---|
| primary email | unique password, MFA, recovery codes, forwarding review | it resets most other accounts |
| phone carrier | account PIN and port-out protection where available | phone numbers are often recovery keys |
| password manager account | long master passphrase and MFA | it becomes the vault door |
| recovery codes | offline copy in a known place | recovery should not depend on the lost device |
| banking and cloud storage | unique passwords, alerts, connected-app review | money and identity documents raise the stakes |
Once the reset chain is stable, importing and rotating old passwords becomes calmer. You are not just making passwords stronger; you are making account recovery less brittle.
Choose the vault shape by responsibility
Most password-manager debates mix together different jobs. Before comparing brands, decide what the vault has to be responsible for.
| Your situation | Better vault shape | What to avoid |
|---|---|---|
| one person, many devices | audited cloud manager with good export and MFA | a tool that only works on one device you may lose |
| household or partner sharing | family plan with separate personal and shared vaults | one shared login that makes accountability impossible |
| small team or nonprofit | admin controls, offboarding, recovery policy, and role-based sharing | unmanaged spreadsheets, chat messages, or one founder's personal vault |
| high-risk public role | password manager plus phishing-resistant MFA for the reset chain | assuming a strong vault fixes weak email or phone recovery |
| local-control preference | local vault with disciplined backups and tested sync | a local file with no recovery plan |
| leaving a breached or stale provider | export, import, rotate in risk order, then delete plaintext files | trying to rotate every account before securing email and banking |
This framing keeps the choice practical. The best vault is not the most ideologically pure one; it is the one that reliably gives each account a unique secret, lets the right people recover access, and does not create a forgotten plaintext copy of everything.
A setup checklist
- Create a long master passphrase. It should be unique, memorable to you, and not reused anywhere else.
- Turn on multifactor authentication. Prefer phishing-resistant options where available; keep recovery codes somewhere you can actually find.
- Import, then clean. Bring in saved browser passwords, delete duplicates, and replace reused or weak passwords first.
- Prioritize account order. Email, banking, cloud storage, phone carrier, government accounts, work accounts, and the password manager itself come before low-risk forums.
- Practice recovery before crisis. Know what happens if your phone is lost, your laptop dies, or a family member needs emergency access.
- Export only deliberately. A vault export is sensitive plaintext unless protected. Delete temporary exports after migration.
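The first checklist item asks for a long master passphrase. The following Go program is an added example (not code from the original page or from any password-manager vendor) that shows the two things a generator has to get right: draw words from the operating system's CSPRNG without modulo bias, and size the phrase by entropy rather than by feel. The word list here is a constructed 32-word stand-in; a real generator would load a published list such as EFF's 7776-word list, which is the list size the example's entropy calculation uses for comparison.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math"
	"math/big"
	"strings"
)

// Constructed sample word list (32 entries). A real generator would load a
// published list; this short one only exists so the example runs offline.
var sampleWords = []string{
	"anchor", "basket", "copper", "dragon", "ember", "falcon", "garden", "harbor",
	"island", "jungle", "kettle", "lantern", "meadow", "nectar", "orbit", "pepper",
	"quartz", "ripple", "saddle", "timber", "umbrella", "velvet", "walnut", "yonder",
	"zephyr", "beacon", "cactus", "dune", "engine", "fossil", "glacier", "helmet",
}

// pickIndex returns a uniformly random index in [0, n) from the OS CSPRNG.
// rand.Int rejects out-of-range draws, so there is no modulo bias toward the
// first words of the list, which a naive `byte % n` would introduce.
func pickIndex(n int) int {
	v, err := rand.Int(rand.Reader, big.NewInt(int64(n)))
	if err != nil {
		panic(err) // a failing randomness source must not be papered over
	}
	return int(v.Int64())
}

// Passphrase builds a phrase of `count` words from `words`, joined by sep.
func Passphrase(words []string, count int, sep string) string {
	parts := make([]string, count)
	for i := range parts {
		parts[i] = words[pickIndex(len(words))]
	}
	return strings.Join(parts, sep)
}

// EntropyBits is log2(listSize^count): the size of the guess space when the
// generation method is public and only the chosen words are secret.
func EntropyBits(listSize, count int) float64 {
	return float64(count) * math.Log2(float64(listSize))
}

func main() {
	fmt.Println("sample phrase:", Passphrase(sampleWords, 5, "-"))
	fmt.Printf("5 words from a 32-word list: %.1f bits\n", EntropyBits(len(sampleWords), 5))
	fmt.Printf("6 words from a 7776-word list: %.1f bits\n", EntropyBits(7776, 6))
}
```

The entropy line is the part worth internalising: with the small constructed list, five words give only 25 bits, which is why real generators use a list of several thousand words and six or more of them.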
Where passkeys fit
Passkeys are a useful upgrade, not a reason to stop caring about password managers. FIDO's passkey model uses public-key cryptography: the service keeps a public key, while your device, password manager, or security key keeps the private key. That makes passkeys much harder to phish than passwords, but the practical questions are still familiar: where is the credential stored, how does it sync, what happens if you lose a device, and can you leave the ecosystem later?
| Sign-in pattern | Good for | Watch out |
|---|---|---|
| Synced passkey in a password manager | Everyday accounts that support passkeys | Recovery and provider lock-in matter more |
| Passkey on a hardware security key | High-risk email, admin, finance, or public-interest accounts | Buy a backup key and store recovery codes |
| Password plus MFA | Sites that do not support passkeys yet | Keep a unique random password in the manager |
| Browser or OS credential manager | Fast setup inside one ecosystem | Portability can be weaker than a cross-platform manager |
The sane default is not "passwords or passkeys." Use passkeys where they are available and recoverable, keep unique passwords for the long tail of accounts, and protect the email, cloud, and device accounts that can reset everything else.
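The passkey paragraph above describes the split between a public key held by the service and a private key held by the device or manager, and says this makes passkeys hard to phish. The Go program below is an added example, not FIDO Alliance code and not a real WebAuthn implementation, that plays both sides of that exchange with Ed25519 and shows where the phishing resistance actually comes from: the authenticator only uses a credential for the origin it was created on, and the service only accepts a signature over its own challenge and its own origin. The `clientData` structure is a simplified stand-in for WebAuthn's collected client data, and the origins are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData is a simplified stand-in for WebAuthn's collected client data:
// the service's challenge plus the origin the browser actually observed.
type clientData struct {
	Challenge string `json:"challenge"` // hex-encoded random challenge
	Origin    string `json:"origin"`
}

// RelyingParty is the service. It stores only public keys.
type RelyingParty struct {
	Origin string
	creds  map[string]ed25519.PublicKey // credential ID -> public key
}

// Authenticator is the device, security key, or password manager. It holds
// the private keys and remembers which origin each one was created for.
type Authenticator struct {
	keys map[string]scopedKey
}

type scopedKey struct {
	priv   ed25519.PrivateKey
	origin string
}

func NewRelyingParty(origin string) *RelyingParty {
	return &RelyingParty{Origin: origin, creds: map[string]ed25519.PublicKey{}}
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: map[string]scopedKey{}}
}

// Register mints a keypair bound to the service's origin. Only the public half
// ever leaves the authenticator, so a breach of the service leaks no secret.
func Register(rp *RelyingParty, a *Authenticator) (string, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return "", err
	}
	id := make([]byte, 16)
	if _, err := rand.Read(id); err != nil {
		return "", err
	}
	credID := hex.EncodeToString(id)
	a.keys[credID] = scopedKey{priv: priv, origin: rp.Origin}
	rp.creds[credID] = pub
	return credID, nil
}

// Authenticate runs one sign-in. browserOrigin is what the user's browser is
// showing. On a look-alike site it differs from rp.Origin and the attempt stops
// at the authenticator, before any signature exists to be relayed.
func Authenticate(rp *RelyingParty, a *Authenticator, credID, browserOrigin string) error {
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return err
	}
	k, ok := a.keys[credID]
	if !ok {
		return errors.New("authenticator: unknown credential")
	}
	if k.origin != browserOrigin {
		return errors.New("authenticator: credential is not scoped to " + browserOrigin)
	}
	data, err := json.Marshal(clientData{Challenge: hex.EncodeToString(challenge), Origin: browserOrigin})
	if err != nil {
		return err
	}
	sig := ed25519.Sign(k.priv, data)
	return rp.Verify(credID, challenge, data, sig)
}

// Verify is the service side: the signed client data must carry this exact
// challenge (no replay) and this service's origin, and the signature must
// check out against the stored public key.
func (rp *RelyingParty) Verify(credID string, challenge, data, sig []byte) error {
	pub, ok := rp.creds[credID]
	if !ok {
		return errors.New("rp: unknown credential")
	}
	var cd clientData
	if err := json.Unmarshal(data, &cd); err != nil {
		return err
	}
	if cd.Challenge != hex.EncodeToString(challenge) {
		return errors.New("rp: challenge mismatch")
	}
	if cd.Origin != rp.Origin {
		return errors.New("rp: origin mismatch")
	}
	if !ed25519.Verify(pub, data, sig) {
		return errors.New("rp: bad signature")
	}
	return nil
}

func main() {
	rp := NewRelyingParty("https://mail.example") // constructed origin
	a := NewAuthenticator()
	id, _ := Register(rp, a)
	fmt.Println("genuine origin:", Authenticate(rp, a, id, "https://mail.example"))
	fmt.Println("look-alike origin:", Authenticate(rp, a, id, "https://mail-example.test"))
}
```

The recovery questions the paragraph raises are visible in the data model: whatever holds the `scopedKey` values is what you must be able to back up or re-provision, which is why a synced manager and a hardware key differ in the "Watch out" column above.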
Build a recovery packet without weakening the vault
The password manager is only as usable as your recovery plan. Create a small offline packet that explains how to recover access without exposing every password to everyday risk. It can include the manager name, recovery-code location, emergency-contact instructions, device-unlock guidance, and where a sealed master-passphrase backup lives if you choose to keep one. Store it somewhere boring and controlled, not in a cloud note called "passwords."
| Recovery item | Good storage pattern | Risk to avoid |
|---|---|---|
| MFA recovery codes | printed or encrypted offline copy | codes trapped only on the lost phone |
| emergency access instructions | trusted contact or estate document | family locked out during crisis |
| vault export | temporary encrypted migration file only | forgotten plaintext copy |
| master-passphrase backup | sealed, physical, and deliberate if used | casual duplication that defeats the vault |
Recovery is not an afterthought. It is part of the security design, especially for households, small teams, caregivers, and anyone whose accounts other people may someday depend on.
Rotate in risk order
| Account type | Why it comes early | Extra move |
|---|---|---|
| Primary email | Resets many other accounts | Strong MFA, recovery codes, review forwarding rules |
| Password manager | Holds the vault | Long master passphrase, phishing-resistant MFA if available |
| Banking and payments | Direct financial loss | Unique password, app alerts, recovery phone check |
| Cloud storage | Identity documents and personal archives | Review shared links and connected apps |
| Phone carrier | SMS recovery and number porting | Account PIN and port-out protection where available |
| Social accounts | Impersonation and scam risk | MFA, backup codes, connected-app cleanup |
| Work and school | Employer or institutional exposure | Follow policy, do not mix personal recovery paths casually |
You do not have to clean the whole internet in one heroic weekend. Fix the accounts that can reset other accounts, move money, expose documents, or impersonate you. Then let the password manager do its quiet work as old passwords surface.
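The "import, then clean" and "prioritize account order" steps of the setup checklist, and the rotation order in the table above, are the same job: find the reused and weak entries in an export and work through them in risk order. The Go program below is an added example, not the page's own tooling and not any vendor's import code. It reads a constructed CSV export in the common name,url,username,password layout, hashes each password immediately so the audit never keeps plaintext, groups by hash to find reuse, flags short entries, and sorts findings by a tier list that follows the table's ordering. The keyword-to-tier mapping and the 12-character threshold are assumptions for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/csv"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Constructed sample export; none of these are real credentials.
const sampleExport = `name,url,username,password
Mailbox,https://mail.example,alex,Tr0ub4dor&3
Bank,https://bank.example,alex,Tr0ub4dor&3
Cloud Drive,https://drive.example,alex,correct horse battery staple
Mobile Carrier,https://carrier.example,alex,alex1234
Password Manager,https://vault.example,alex,Tr0ub4dor&3
Cooking Forum,https://forum.example,alex,alex1234
Photo Sharing,https://photos.example,alex,x7!Qm2#pLw9$vBn
`

// Entry keeps a hash of the password rather than the password itself, so
// nothing the audit prints or retains is a usable secret.
type Entry struct {
	Name, URL, Username string
	passHash            string
	Length              int
}

type Finding struct {
	Name    string
	Tier    int
	Reasons []string
}

// tiers follow the rotation table: accounts that reset others, the manager,
// money, documents, the phone number, then the long tail (assumed keywords).
var tiers = []struct {
	keyword string
	tier    int
}{
	{"mail", 1}, {"vault", 2}, {"manager", 2}, {"bank", 3},
	{"drive", 4}, {"cloud", 4}, {"carrier", 5},
}

func tierOf(e Entry) int {
	s := strings.ToLower(e.Name + " " + e.URL)
	for _, t := range tiers {
		if strings.Contains(s, t.keyword) {
			return t.tier
		}
	}
	return 9 // long tail: forums and the like
}

// ParseExport reads the CSV, skipping the header and malformed rows, and
// hashes each password as it goes so plaintext is dropped immediately.
func ParseExport(raw string) ([]Entry, error) {
	rows, err := csv.NewReader(strings.NewReader(raw)).ReadAll()
	if err != nil {
		return nil, err
	}
	var entries []Entry
	for i, row := range rows {
		if i == 0 || len(row) < 4 {
			continue
		}
		sum := sha256.Sum256([]byte(row[3]))
		entries = append(entries, Entry{
			Name: row[0], URL: row[1], Username: row[2],
			passHash: hex.EncodeToString(sum[:]), Length: len(row[3]),
		})
	}
	return entries, nil
}

// Audit flags passwords reused across entries or shorter than minLen, and
// returns the findings ordered by tier so the reset chain is fixed first.
func Audit(entries []Entry, minLen int) []Finding {
	uses := map[string]int{}
	for _, e := range entries {
		uses[e.passHash]++
	}
	var out []Finding
	for _, e := range entries {
		var reasons []string
		if n := uses[e.passHash]; n > 1 {
			reasons = append(reasons, fmt.Sprintf("reused across %d entries", n))
		}
		if e.Length < minLen {
			reasons = append(reasons, fmt.Sprintf("only %d characters", e.Length))
		}
		if len(reasons) > 0 {
			out = append(out, Finding{Name: e.Name, Tier: tierOf(e), Reasons: reasons})
		}
	}
	sort.SliceStable(out, func(i, j int) bool { return out[i].Tier < out[j].Tier })
	return out
}

func main() {
	entries, err := ParseExport(sampleExport)
	if err != nil {
		panic(err)
	}
	for _, f := range Audit(entries, 12) {
		fmt.Printf("tier %d  %-18s %s\n", f.Tier, f.Name, strings.Join(f.Reasons, "; "))
	}
}
```

Run against the constructed export it lists the mailbox first, then the manager, the bank, the carrier, and finally the forum; the two entries with long unique passwords produce no finding. Delete the export file once the audit is done, as the checklist says.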
Sharing without leaking
Families, partners, and small teams often share streaming, utilities, travel, medical portals, or emergency documents. Use the manager's sharing feature rather than text messages, screenshots, spreadsheets, or shared notes. Give each person their own account where possible, separate shared vaults from personal vaults, and decide who can recover access if someone loses a device or dies. Security advice gets real when other people depend on it.
What good looks like after thirty days
You do not need a perfect vault to be meaningfully safer. A strong first month looks like this: the primary email, phone carrier, bank, cloud storage, and password-manager account have unique passwords and MFA; recovery codes are stored somewhere offline; browser-saved duplicates have been cleaned up; shared household or team secrets have moved into shared vaults; and any migration export has been deleted or encrypted. After that, let the manager surface old weak passwords gradually instead of turning the cleanup into a heroic project that never starts.
The traps
- "Military-grade encryption." Almost everyone says this. Architecture, audits, defaults, and incident response matter more than the slogan.
- Browser-only lock-in. Built-in managers are a good start, but a dedicated portable manager can make it easier to leave one ecosystem.
- Closed source equals bad. Not automatically. But closed products need stronger external audits and clearer explanations.
- Weak master password. A password manager does not save you if the vault password is short, reused, or guessable.
- Ignoring recovery. If you lose the master password and recovery method, you may lose the vault. Plan before panic.
- Sharing by text. Family and team sharing should use the manager's sharing tools, not screenshots or chat messages.
- Breach paralysis. A provider incident is serious, but staying with reused passwords forever is usually worse.
- Plaintext export drift. Migration files are easy to forget and may contain every secret in one exposed file.
- MFA trapped on one device. If your second factor dies with your phone, recovery can become the emergency.
A reasonable default
For most people, choose a reputable audited manager that works on every device you use, then protect it with a long unique master passphrase and multifactor authentication. If you are technical and want maximum local control, consider a local-vault approach. If you are moving away from a breached provider, rotate the passwords that matter most first: email, banking, cloud storage, password manager account, and anything that can reset other accounts.
Cloud vault, local vault, or ecosystem manager?
A cloud password manager is usually easiest across phones, laptops, and family accounts. A local-vault manager gives more control but demands better backup discipline. A browser or operating-system manager can be a good first step, especially if it gets someone away from reuse, but it can deepen ecosystem lock-in. The best choice is the one that produces unique passwords everywhere and that you can recover without making recovery itself the weak link.
Useful anchors: CISA strong password guidance, CISA multifactor authentication guidance, NIST SP 800-63B, NIST's Digital Identity Guidelines FAQ, FIDO Alliance Passkey Central, FTC Consumer Advice on protecting personal information, and LastPass's December 2022 incident notice.
Compare password managers on privacy, openness, and security record by your own weighting in the password-managers explorer.