TL;DR
- A password manager is a small encrypted vault that stores all your passwords for you, locked behind one strong master password you actually remember.
- This is the only realistic way to follow the rule that matters most: a unique strong password on every account.
- "What if the password manager itself gets hacked?" — a fair question, and the honest answer is: even in the small number of times it has happened, well-designed vaults remained encrypted. Modern password managers are far safer than reuse-the-same-password habits.
- The right manager for you depends on three things: your devices, your willingness to pay a few euros a month, and whether you want it stored in someone's cloud or only on your own machines.
- You do not need to pay for the biggest brand. Several excellent options are free, and at least one of the most respected is fully open-source.
What it is
A password manager does three things every day:
- Stores all your passwords — and notes, credit cards, addresses, ID numbers, recovery codes — in an encrypted vault on your devices.
- Generates strong unique passwords for each new account you create, so you never have to invent one again.
- Fills them in automatically in your browser and in your mobile apps, on the right site, so you don't type your bank password into a fake page that looks like your bank.
The vault is locked with one master password — the only one you need to remember. It is also usually protected by a second factor (a code, a fingerprint, a security key). If your laptop is stolen and the thief doesn't know your master password, the contents are useless to them.
Most managers also include a security health view: which of your passwords have appeared in known breaches, which are reused, which are weak. This is genuinely useful. Most people who turn it on discover they have a few accounts still using the same password as their email account from 2014.
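As an added illustration of what that health view does under the hood (example code written for this page, not taken from any manager's source), the block below runs the three checks over a constructed sample vault. The breach check uses the k-anonymity range-lookup pattern: the client sends only the first five hex characters of the password's SHA-1, receives every matching suffix with its count, and does the final match locally, so the lookup service never learns the password. The leaked corpus, the lookup function and the 12-character weakness threshold are all constructed for the example.

```python
import hashlib
from collections import Counter

# Constructed sample vault entries (no real credentials).
SAMPLE_VAULT = [
    {"site": "mail.example", "password": "orbit mango canal velvet"},
    {"site": "bank.example", "password": "Summer2014!"},
    {"site": "shop.example", "password": "Summer2014!"},
    {"site": "forum.example", "password": "password"},
]

# Constructed stand-in for a breach corpus: password -> times seen in leaks.
LEAKED_CORPUS = {"password": 3_000_000, "Summer2014!": 12}

MIN_LENGTH = 12  # weakness threshold used by this example (assumption)


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the digest the range-lookup scheme is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def simulated_range_lookup(prefix: str) -> list:
    """Stand-in for the server side of a k-anonymity range lookup.

    It receives only the first 5 hex characters of a hash and answers with
    every 'SUFFIX:COUNT' line whose hash starts with that prefix. It never
    learns which suffix (which password) the client actually cared about.
    """
    lines = []
    for leaked, count in LEAKED_CORPUS.items():
        digest = sha1_hex(leaked)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    return lines


def breach_count(password: str, lookup=simulated_range_lookup) -> int:
    """Client side: send the 5-char prefix, match the suffix locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup(prefix):
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def health_report(vault) -> list:
    """Flag each entry as reused, weak and/or breached, like a manager's health view."""
    uses = Counter(entry["password"] for entry in vault)
    report = []
    for entry in vault:
        pw = entry["password"]
        issues = []
        if uses[pw] > 1:
            issues.append("reused")
        if len(pw) < MIN_LENGTH:
            issues.append("weak")
        seen = breach_count(pw)
        if seen:
            issues.append(f"breached({seen})")
        report.append((entry["site"], issues))
    return report


if __name__ == "__main__":
    for site, issues in health_report(SAMPLE_VAULT):
        print(f"{site}: {', '.join(issues) or 'ok'}")
```

The design point worth noticing is that the vault contents never leave the device in any form: the only thing sent out is a five-character hash prefix that matches a large number of unrelated passwords.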
Why this isn't optional anymore
The honest reason: humans cannot remember 80 unique strong passwords, and almost everyone has at least 80 accounts. The two options are:
- Reuse passwords. Eventually one of the websites you used loses its database (this happens hundreds of times a year). Your old password is then tried on every other site you might have used it on. This is how most non-targeted account compromise actually happens.
- Use a manager. One strong password you remember, plus one second factor, protects everything else.
There is no third option that scales.
How it actually works (in one paragraph)
Your master password is never sent to the manager's company. Instead, the master password is used on your own device to derive an encryption key. That key encrypts and decrypts the contents of the vault. The manager's cloud, if it has one, only sees encrypted blobs — gibberish, until your device decrypts them. This is called zero-knowledge design. It is the reason that a database leak of a well-designed manager does not equal an account leak of its users, provided the master password was strong.
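The paragraph above describes the whole design; the block below is an added example (written for this page, not any product's code) that shows the same flow end to end: the master password is stretched into keys on the device with PBKDF2, the vault is encrypted and authenticated, and the only thing a sync server would ever hold is the resulting record of salt, nonce, ciphertext and tag. Because the Python standard library has no AES, the cipher here is an HMAC-SHA256 counter-mode keystream with encrypt-then-MAC; that construction, the 600,000 iteration count and the sample vault entry are all assumptions of the example, standing in for the AES-based schemes real managers use.

```python
import hashlib
import hmac
import json
import secrets

# PBKDF2 work factor used by this example; a real manager tunes this (assumption).
ITERATIONS = 600_000


def derive_keys(master_password: str, salt: bytes, iterations: int):
    """Stretch the master password into two 32-byte keys on the user's device.

    Only the salt and iteration count are stored alongside the vault; the
    keys and the master password are never transmitted.
    """
    material = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=64
    )
    return material[:32], material[32:]


def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream built from HMAC-SHA256 (a stdlib stand-in for AES)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), "sha256").digest()
        counter += 1
    return bytes(out[:length])


def encrypt_vault(master_password: str, vault: dict) -> dict:
    """Produce the record a sync server would store: salt, nonce, ciphertext, tag."""
    salt = secrets.token_bytes(16)
    nonce = secrets.token_bytes(16)
    enc_key, mac_key = derive_keys(master_password, salt, ITERATIONS)
    plaintext = json.dumps(vault).encode("utf-8")
    stream = keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, "sha256").digest()  # encrypt-then-MAC
    return {
        "iterations": ITERATIONS,
        "salt": salt.hex(),
        "nonce": nonce.hex(),
        "ciphertext": ciphertext.hex(),
        "tag": tag.hex(),
    }


def decrypt_vault(master_password: str, record: dict) -> dict:
    """Re-derive the keys locally, verify the tag first, then decrypt."""
    salt = bytes.fromhex(record["salt"])
    nonce = bytes.fromhex(record["nonce"])
    ciphertext = bytes.fromhex(record["ciphertext"])
    enc_key, mac_key = derive_keys(master_password, salt, record["iterations"])
    expected_tag = hmac.new(mac_key, nonce + ciphertext, "sha256").digest()
    if not hmac.compare_digest(expected_tag, bytes.fromhex(record["tag"])):
        raise ValueError("wrong master password or tampered record")
    stream = keystream(enc_key, nonce, len(ciphertext))
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, stream))
    return json.loads(plaintext.decode("utf-8"))


def demo() -> tuple:
    """Returns (round_trip_ok, wrong_password_rejected, server_can_read_secret)."""
    vault = {"bank.example": "Summer2014!"}  # constructed sample entry
    record = encrypt_vault("orbit mango canal velvet", vault)
    round_trip_ok = decrypt_vault("orbit mango canal velvet", record) == vault
    try:
        decrypt_vault("Orbit mango canal velvet", record)  # one character off
        wrong_rejected = False
    except ValueError:
        wrong_rejected = True
    # The stored record is all a server ever sees: is the secret in it in the clear?
    server_can_read = b"Summer2014!" in bytes.fromhex(record["ciphertext"])
    return round_trip_ok, wrong_rejected, server_can_read


if __name__ == "__main__":
    print(demo())  # expect (True, True, False)
```

Two details carry the security argument: the tag is checked before any decryption is attempted, so a wrong password or a modified record is rejected rather than producing garbage, and the stretched derivation is what makes a leaked record expensive to attack if the master password is strong, as the paragraph says.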
What to look for
When you choose a manager, in order of importance:
- Zero-knowledge architecture. The company should not be able to read your vault even if it wanted to. Every serious manager today is built this way; verify it on the company's security page before signing up.
- Strong second factor for the vault itself. Most importantly: the option to use an authenticator app or a hardware security key — not only SMS.
- Cross-device sync that you trust. Sync between your phone, computer, and tablet. If you prefer not to use a cloud, options that sync over your own storage exist.
- Browser extensions and mobile autofill that actually work on the sites you use.
- A clear export route. You should be able to leave at any time, taking your data with you in a standard format (CSV, JSON). Lock-in is a red flag.
- Independent security audits. Look for "audit" or "penetration test" on the company's transparency page. The good managers publish theirs.
Honest comparison
Specific products, with their main trade-offs. No affiliate links, no preference paid for. This is the situation as of 2026, and these companies change their offerings often — verify current details on their own websites.
- Bitwarden. Free tier is generous (unlimited passwords, all devices). Paid tier (~€1/month) adds 2FA-code storage and security health reports. Open-source, audited, cross-platform. The default recommendation for most people because it asks less of you than the closed-source alternatives do: no subscription is required, and the code is open to inspection. Self-hostable if you want to run your own server.
- 1Password. Polished, well-designed, family-friendly with shared vaults. Subscription only (€3–€6 per month depending on plan). Closed-source but with a long track record and strong audit history. Good travel features for those crossing borders.
- Apple Passwords (built into iOS, iPadOS, macOS). Free, integrated with the operating system. Works only in Apple's ecosystem; weak on Windows and Android. A reasonable choice for "Apple all the way" households, less so otherwise.
- Google Password Manager (built into Chrome and Android). Free, automatic. The lightest option, but tied to your Google account. Adequate for casual use; not the right choice as the single vault for someone serious about security.
- KeePassXC. Free, open-source, fully local — the vault is a file on your computer. You sync it yourself if you want (via your own cloud folder, or USB). Most technical option; preferred by people who don't want any company holding their encrypted data. Active community.
- Proton Pass. From the makers of Proton Mail. Free tier covers basics; paid bundles with their email and VPN. EU-jurisdiction. Newer, fewer years of track record than the others but maturing fast.
Avoid: managers from companies with histories of poor breach response or vague encryption claims. Read recent independent reviews — Wirecutter, PCMag, AV-TEST, c't magazin, Que Choisir, and national consumer-test organisations all run regular comparisons.
Getting started — the first hour
The hardest day of password-manager use is the first one. After that, it becomes invisible.
- Pick a manager. Bitwarden is a safe default. If you live entirely in Apple's world, Apple Passwords is fine. If you don't want any cloud, KeePassXC.
- Create the account, with a long master password. Four to six random words. Write it down on paper for the first month. You'll remember it after that.
- Turn on 2FA on the manager's own account. This is the single account where SMS 2FA is not good enough — use an authenticator app or, ideally, a hardware key.
- Install the browser extension and the mobile app on every device you use.
- Don't migrate everything in one sitting. Let it learn your accounts as you sign in to them over the next two weeks. As you log in to each site, let the manager save the existing password, then immediately use its generator to replace that old password with a new strong one.
- Do email and bank first. Generate new strong passwords for these two accounts on day one. Everything else can wait.
- Print the emergency recovery sheet — most managers offer one. It holds your master-password hint and recovery key; the printed sheet goes in a safe place at home.
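The "four to six random words" advice in the steps above rests on simple arithmetic, and the added example below (written for this page, not taken from any manager) makes it concrete: it generates a passphrase with the operating system's cryptographic randomness, computes the entropy that a given number of words gives for a given list size, and converts that into the time an offline guessing attack would need. The 16-word list embedded here is a constructed miniature; the 7776-word figure used in the usage note is the size of a standard diceware list, and the guessing rate is an assumption for illustration.

```python
import math
import secrets

# Constructed miniature wordlist for the demo. A real passphrase list is far
# larger; the calculations below are parametrised on the list size.
SAMPLE_WORDS = [
    "orbit", "mango", "canal", "velvet", "tundra", "pixel", "harbor", "quartz",
    "saddle", "lantern", "meadow", "copper", "falcon", "ribbon", "glacier", "walnut",
]


def entropy_bits(n_words: int, list_size: int) -> float:
    """Entropy of n words chosen uniformly and independently from list_size words."""
    return n_words * math.log2(list_size)


def words_needed(target_bits: float, list_size: int) -> int:
    """Smallest number of words giving at least target_bits of entropy."""
    return math.ceil(target_bits / math.log2(list_size))


def generate_passphrase(n_words: int, words=SAMPLE_WORDS) -> str:
    """Pick words with the secrets module (CSPRNG); never use random.choice for this."""
    return " ".join(secrets.choice(words) for _ in range(n_words))


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Years needed to try every possibility at a given offline guessing rate (assumed)."""
    return (2 ** bits) / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    list_size = 7776  # size of a standard diceware list
    rate = 1e10       # assumed offline guessing rate, guesses per second
    for n in (4, 5, 6):
        bits = entropy_bits(n, list_size)
        print(f"{n} words: {bits:.1f} bits, {years_to_exhaust(bits, rate):.2e} years at {rate:.0e}/s")
    print("example:", generate_passphrase(5))
```

With a 7776-word list, four words give about 51.7 bits and six give about 77.5 bits, which is why the range four to six is the usual advice: each extra word adds roughly 13 bits, and the key-stretching the manager applies on top makes every guess far slower than the raw rate assumed here.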
What about families?
Most paid managers offer family plans for ~€3–€5/month for several users. Each person has their own private vault; shared logins (the streaming subscription, the household utilities) live in a shared vault. This is much safer than emailing the Netflix password around. It also means that if one family member is compromised, the others' private vaults are unaffected.
For older relatives: helping a parent set up a manager is one of the most useful things you can do, especially if you also set up a recovery contact so you can help them regain access if needed.
What NOT to do
- Don't reuse the master password anywhere else. It is the one password that protects every other.
- Don't store the master password as a note in the manager itself. That sentence sounds absurd; people do it.
- Don't forget to back up. Whatever manager you use, know how to export. A KeePassXC user with one .kdbx file on one laptop is one disk failure away from disaster. Cloud sync or a copy in a different physical location handles this.
- Don't pick a manager because it has an aggressive ad campaign. Marketing budget doesn't make a vault safer.
- Don't dismiss the open-source options just because they look plain. Bitwarden and KeePassXC have nothing to apologise for. The polish on the others is paid for partly with subscription money and partly with marketing.
- Don't share master access by text or email. If you need to give an emergency contact access, use the manager's own emergency-access feature.
Use AI to help you
Choosing one for your situation:
"I'd like help choosing a password manager. Here are my constraints: devices [list], operating systems [list], whether I'm willing to pay [yes/no], whether I want my vault stored on someone else's server [yes/no], how technical I am [scale 1–10], and any family members I want to share with [describe]. Please recommend two options, one mainstream and one alternative, and explain the trade-offs in plain language."
Auditing an existing setup:
"I already use [name of password manager]. Help me audit my setup. Specifically: (a) is the master-password approach sound, (b) is my 2FA on the manager account itself strong enough, (c) what backup or recovery steps should I have in place that I might not have, and (d) what is one risk I am probably not thinking about?"
A reminder: AI may not know the current state of any specific product's pricing, features, or recent breaches. Verify on the company's own site and a recent independent review before committing.
Who to call
This is a setup topic, not a crisis one. But:
Find the latest contacts for your country with AI:
"I'm in [your country]. List the official sources I should consult before choosing or setting up a password manager — my country's national cybersecurity centre's current password-manager guidance, an independent consumer-test organisation that has recently compared managers in my language, the official support / status page of the manager I'm considering ([name] if I have one in mind), and the data-protection authority (for the rules on where my vault is stored and processed). For each, give the official website and what they specifically help with. Cite each source. Flag anything that might be outdated, and note any country-specific privacy considerations for cloud-stored vaults."
- The manager's official support if you are locked out — never trust a third-party "recovery service."
- A trusted technical friend or family member to help with the first hour if the interface is unfamiliar.
- National cybersecurity centres publish good free guides comparing options: NCSC UK, BSI für Bürger DE, BACS CH, INCIBE ES, ANSSI FR — all useful for a second opinion.
When to escalate beyond chat
- You have forgotten your master password and have no recovery option — most managers cannot recover it for you, by design. Some have an "emergency access" feature where a designated contact can help; otherwise, the vault may need to be reset and the accounts it contained recovered one by one through each service's own recovery flow.
- The manager you use has announced a security incident — log in to the official site (not via the email link), read their detailed advisory, and change the master password immediately. Then change the passwords of your most critical accounts inside the vault (email and bank first). Watch for elevated phishing in the weeks following.
- You inherit a password manager from a deceased family member — most major managers have an inheritance / emergency-access process. Bring the death certificate, your relationship documentation, and contact official support; expect it to take weeks.
Related topics
- Passwords & Two-Factor — the broader framework that a password manager fits into.
- "I've Been Hacked" — what to do when an account not protected by a manager is compromised.
- "Your Data Was Leaked" — why "have I been pwned?" alerts matter once you have a manager that can show you reused-and-leaked entries.
- Phishing & Scam Emails — a password manager that auto-fills only on the real site is one of the strongest defences against phishing.
Sources & references:
- Stiftung Warentest, Que Choisir, Wirecutter, PCMag — annual password manager comparisons
- AV-TEST — periodic security audits of password manager apps
- Bitwarden, 1Password, KeePassXC — published security white papers and audit reports
- NIST SP 800-63B — guidance on password storage and recovery