Using a password manager is one of the top safety practices recommended by security experts. Yet only 39 percent of consumers use one, according to a recent Consumer Reports survey. Instead, many people use and reuse a small number of passwords they’ve memorized.
One reason may be that the nuts and bolts of setting up a password manager can feel daunting. You might be wondering how to start, where your passwords will be stored, and how to share them with a spouse or other family member. We’ll get to all of that, but first, here are a few details to get you oriented.
More on Digital Security
CR's Password Manager Ratings
1Password Is the Best Password Manager in Consumer Reports' New Ratings
Why It's Smart to Use Authentication Apps for Multifactor Security
What to Do If Your Instagram Account Gets Hacked
CR Security Planner
A password manager is a service that helps you generate and store long, unique passwords for all of your online accounts. That’s important, because using weak passwords, or the same passwords on multiple accounts, makes you more susceptible to identity theft and other crimes. You can also use a password manager to store PINs, credit card numbers and CVV codes, answers to security questions, and more.
An alternative is to have a web browser generate and store your passwords. That works up to a point, but it doesn’t operate across browsers and devices, and it doesn’t allow you to easily share passwords with family members. Password managers can handle all that and do it securely.
Having all of your passwords stored on one company’s servers can seem risky. But the information is protected by strong end-to-end encryption. That means not even the password manager company can see it. Beyond that, companies usually hire third-party firms to audit their products and make sure they’re safe.
First, Pick a Password Manager
Consumer Reports evaluates password managers based on three broad criteria: privacy, security, and ease of use. We use many separate tests and diagnostic tools to take an in-depth look at everything, including each password manager’s resistance to known hacking techniques, whether they collect user data for their own marketing purposes, and whether they have features that flag passwords you’re using if they have been discovered in a data breach.
1Password is the only password manager that earns Excellent scores in all three areas, but we also recommend several others that receive Overall Scores of Very Good. These include Bitwarden, Dashlane, and Keeper, which have free and paid options.
The free options are more limited in features. For example, Bitwarden’s free password manager options don’t include the paid version’s feature that identifies weak or reused passwords.Keeper’s free version lets you generate passwords on your mobile device but doesn’t give you desktop, web vault, or browser extension access, and it doesn’t auto-fill passwords on your behalf. And Dashlane’s free version allows you to store up to 50 passwords, but only on a single device.
1Password doesn’t have a free version, but it offers a free 14-day trial.
If you try a password manager and find that it doesn’t offer the features you’re looking for, you can always upgrade to the paid version or export your data to another password manager.
Sign Up and Create a Master Password
After deciding which password manager to use, go to the company’s website and create an account. From here, the steps will vary a bit depending on which service you use.
One of the first things you’ll be asked to do is create a strong master password. This is one password that your password manager can’t store for you. You’ll want to make sure this password is strong because it’s the key to all of your other passwords. Because you’ll need to enter it often, it’s best to avoid random symbols and letters and use a complete sentence or series of words instead. Just make sure it’s at least 16 characters long.
You’ll need to memorize this password, but it’s also fine to write it down. A sticky note on your desktop computer saying “password manager password” is probably a bad idea if you share your office space, but jotting it down in a notebook stored somewhere safe at home is probably fine. Just make sure not to lose it because in most cases, you won’t be able to get into your password manager without it.
During setup, some password managers will prompt you to turn on multifactor authentication, and we encourage you to do so.
Install the Software and Apps
Depending on which password manager you choose, you’ll need to download browser extensions, an app for your phone, software for your computer, or some combination of these. Then you’ll need to sign in to the service in each of those spots.
If you sign up for 1Password, the service will create an Emergency Kit, which is a PDF you should print out that includes a long “secret key” along with a spot to write down your master password. To set up 1Password software on a new device, you’ll need to enter your email address, the secret key, and your 16-plus character password.
Set New Passwords
Now that you have all of the software set up, you’re finally ready to use the password manager for what it’s designed to do: Create and store log-in credentials for all your many online services.
Whenever you open the log-in window of a website, say from Netflix or your bank, you should be able to click on an icon to open your password manager. If you’ve turned off the auto-fill feature in your browser or your password manager, you can open your password manager manually using the desktop app, another browser tab, or the browser extension.
If you’re setting up a new online account, you can click on a button or two to have your password manager generate a password for that new account.But more often, it will probably be an account you’ve already set up—your email or bank account, let’s say. You can enter your existing credentials and click on a button to store them in the password manager.
But because one of the important features of a password manager is to create stronger passwords, the best plan is to log in, go to the site’s “change your password” page, and have the password manager create and store a new, much stronger password for the site.
If you’re in a browser, this is particularly easy. For phone apps, the process varies. Your password manager may be able to log in to your apps automatically, or you may need to toggle back and forth to the password manager’s app to copy and paste your new password.
Here’s an important note, whether you’re setting up passwords in an app or a website. Ideally, every new password will be at least 16 characters long, just like your master password. But some accounts have shorter length limitations and might not permit certain special symbols or characters. In that case, your password manager will just have to do the best it can.
But make sure to check the password manager’s settings afterward. I once changed my generated password requirements on 1Password to just eight characters to meet one service’s rules and then realized that 1Password now thought I wanted all my new passwords to be that short. I had to go into Settings to change it back.
Start With Your Critical Accounts
The process of switching to new, strong passwords can be tedious, and you don’t have to do it all at once. It’s smart to start with the most important accounts, like email and banking. Your priority list should also include any passwords that have been compromised in data breaches. Chances are, some of yours have been.
To find out, you can enter your email address at HaveIBeenPwned (a great site CR has covered). Or you can use your password manager itself to flag passwords that have been compromised. This type of feature goes by a variety of names. Look for the Password Health Score (Dashlane), Vault Health Report and Data Breach Report (Bitwarden), Watchtower Report (1Password), or BreachWatch (Keeper; only available with the PlusBundle).
These features will let you know if any of the passwords you created yourself, then stored in the password manager, are weak or have been used more than once.
Some password managers will also flag accounts where you still have to set up multifactor authentication codes, those six-digit codes that change every 30 seconds, which some sites ask for along with your password.You should set up MFA on any account where it’s offered.
People often get these codes by text, but that’s not the safest way to do it. It’s more secure to use an authentication app like Authy or Google Authenticator, which can generate the codes. Some password managers can generate them, too. Instead of scanning the QR code in your authentication app, you can scan it in the password manager and it will generate the six-digit code just like an app would. Then you can copy and paste it to complete your log-in.
If you get email from a service telling you that your password has been compromised, simply go back into your password manager to generate a new password and change it for that account. If you’re still in the process of setting unique passwords for each account, go ahead and change the password on any other account where you’ve used that same compromised password, too.
Store Other Vital Information
Password managers can store almost any information. If you always want remote access to some kind of data, from your passport number to a document like a power of attorney, a password manager can be a great solution. The instructions vary from one password manager to another, but you’ll generally upload the documents, choosing which vault to place them in.
You can also store information in a secure note. I keep one with a list of credit cards with the phone numbers for cancellation, plus information on the other kinds of cards, in case my wallet is lost or stolen.
Don’t Forget to Use Other Security Measures
Using a password manager isn’t the only step you need to take to stay safe online. In addition to setting strong passwords, you’ll want to take other security measures, too, such as using multifactor authentication (for your password manager and other accounts) and keeping all of your computer and phone software up to date.
Correction: A previous version of this article stated that Bitwarden’s free password manager doesn’t allow users to share password vaults. But the company does offer an additional free version that allows people to share two password vaults with one other person. This article was originally published on Feb. 28, 2022.
Yael Grauer
Yael Grauer is an investigative tech reporter covering digital privacy and security. She manages Security Planner, a free, easy-to-use guide to staying safer online. She has covered surveillance, online privacy and security, data brokers, dark patterns, clandestine trackers, security vulnerabilities, VPNs, hacking, and digital freedom for the Atlantic, Wired, Vice, The Intercept, Slate, Ars Technica, OneZero, Wirecutter, Business Insider, Popular Science, and other publications.
