Password Managers Are Boring (And That's Why They Win)
If you do exactly one thing on this site, do this one. Adopting a password manager — properly, with a strong master passphrase and a hardware-backed second factor — closes off the single largest class of account compromises that exist on the internet today. It is unglamorous, requires one afternoon, and outperforms every flashier privacy intervention you might consider.
Why this is the highest-leverage move
Look at the public breach data on Have I Been Pwned. As of early 2026, HIBP has indexed over 14 billion compromised credentials across thousands of breaches. The mechanism by which most people lose their accounts isn't sophisticated. It is credential stuffing: an attacker takes a username and password from the 2012 LinkedIn breach (the dump circulated publicly in 2016) and tries it on Gmail, Coinbase, your bank, and 200 other services with commodity tooling. Every account where you reused that password falls in seconds.
Password managers solve credential stuffing structurally. Every site gets a unique, random password, so that old LinkedIn dump is now harmless to you. You don't need to remember a single one of them. You need to remember exactly one strong passphrase.
The trust model, made honest
The objection people raise — "but now they're all in one place" — deserves a real answer. Yes, the vault is a single high-value target. But:
- The vault is encrypted with your master passphrase before it ever leaves your device. The provider's servers store an encrypted blob they cannot decrypt.
- Modern managers run the passphrase through a deliberately slow KDF: a memory-hard one (Argon2id, scrypt) or, at worst, PBKDF2 at 600k+ iterations. Either makes an offline brute force economically prohibitive against any halfway-decent passphrase. Check the setting on your own account, though: older accounts on some services were never migrated to the current defaults.
- The blob's compromise (e.g. the 2022 LastPass incident) is a partial-disclosure event, not a key-disclosure event, even though in LastPass's case site URLs and some other metadata were stored unencrypted. Users with strong master passphrases were unharmed. Users with master passwords like "Tiger123!", especially on legacy accounts still set to LastPass's old low iteration counts, got drained.
The architecture is sound. The risk that remains is operator-side: bad UX, weak defaults, sloppy iteration counts, or — as in the LastPass case — sloppy operations. So choose carefully, but choose.
The shortlist
| Manager | Model | KDF default | Notes |
|---|---|---|---|
| 1Password | Cloud SaaS | PBKDF2-HMAC-SHA256, 650k | Adds a Secret Key layer (extra 128 bits of randomness on top of master pw). Best UX. |
| Bitwarden | Cloud SaaS or self-host | PBKDF2 600k or Argon2id | Open-source. Free tier is genuinely usable. Self-host as Vaultwarden. |
| KeePassXC + sync | Local file | Argon2d or Argon2id, configurable | You manage the .kdbx and sync it (Syncthing, etc.). Power-user choice. |
| Apple Passwords | iCloud Keychain | End-to-end encrypted in iCloud Keychain, keys tied to device passcodes | Excellent within the Apple ecosystem; weak on cross-platform. |
| Proton Pass | Cloud SaaS | Argon2id | Newer; integrates with Proton's email aliases. |
The wrong choice is almost any browser's built-in "save password" feature used as your only system. Most have no separate master password (your OS login becomes the master; Firefox's optional Primary Password is the exception), no audit log, and no portability across browsers. They are fine as a UX layer over a real manager; they are not the system itself.
The master passphrase
This is the one password you have to remember. Get it right and the rest of the system has years of headroom. Get it wrong and an offline brute force will eventually open the vault.
Don't use a "password" — use a passphrase. Five to seven random words from a wordlist, generated by a tool, not chosen by your brain. The classic example is EFF's diceware list:
$ shuf -n 6 eff_large_wordlist.txt | cut -f 2   # each line of the EFF file is "roll<TAB>word"; keep only the word
correct
horse
battery
staple
neutron
lichen
Those particular words are the xkcd example and sit in every cracking wordlist; your own run will produce different words, and you must never adopt a phrase you have seen anywhere. Six diceware words from the EFF large list (7776 words, so log2(7776) ≈ 12.9 bits per word) provide ~77 bits of entropy. Against PBKDF2 at 600k iterations a high-end GPU manages on the order of 10^4 guesses per second, so even a million of them would need hundreds of thousands of years to exhaust 2^77; "millions of years" is, if anything, conservative for any single attacker. Seven words gives ~90 bits and is unbreakable in any meaningful sense. Five (~65 bits) is borderline; pick six.
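A worked version of the passphrase step, added for this article and not taken from EFF or any password manager: it parses the EFF list's real line format (a five-digit dice roll, a tab, then the word), picks words with the secrets module rather than random, and turns the entropy figures above into crack-time estimates. The embedded eight-line wordlist is a constructed excerpt so the block runs offline; swap in the full file for real use. The figure of 15,000 PBKDF2-600k guesses per second per GPU is an assumed hashcat-class ballpark, and the measure function times your own CPU so you can see the gap for yourself.

```python
"""Diceware passphrase generation plus offline-cracking estimates.

Added example for this article, not code from EFF or any manager. The real
list is eff_large_wordlist.txt (7776 entries, "NNNNN<TAB>word" per line);
SAMPLE_WORDLIST below is a constructed eight-line excerpt in that format.
"""
import hashlib
import math
import secrets
import time

SAMPLE_WORDLIST = """11111\tabacus
11112\tabdomen
11113\tabdominal
11114\tabide
11115\tabiding
11116\tability
11121\tablaze
11122\table
"""
EFF_LARGE_LIST_SIZE = 6 ** 5          # 7776 words, five dice
ASSUMED_GPU_GUESSES_PER_SEC = 15_000  # assumption: one high-end GPU vs PBKDF2-SHA256 at 600k

def parse_wordlist(text):
    """Return the words from EFF-format lines; bare-word lines are accepted too."""
    words = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            words.append(line.split("\t")[-1])  # the word is the last tab-separated field
    return words

def generate_passphrase(words, n_words=6, sep=" "):
    """Pick n_words uniformly with a CSPRNG; never use random.choice for this."""
    if n_words < 1:
        raise ValueError("need at least one word")
    return sep.join(secrets.choice(words) for _ in range(n_words))

def passphrase_entropy_bits(n_words, list_size=EFF_LARGE_LIST_SIZE):
    """Entropy of n words drawn uniformly (with replacement) from list_size words."""
    return n_words * math.log2(list_size)

def years_to_exhaust(entropy_bits, guesses_per_second):
    """Worst case for the attacker: try every candidate (expected cost is half this)."""
    return (2 ** entropy_bits) / guesses_per_second / (365.25 * 24 * 3600)

def measure_pbkdf2_guesses_per_second(iterations=600_000, trials=3):
    """Time one CPU core at PBKDF2-HMAC-SHA256 with the given cost; GPUs are
    roughly three orders of magnitude faster, which is what the assumption above reflects."""
    pw, salt = b"not a real passphrase", secrets.token_bytes(16)
    start = time.perf_counter()
    for _ in range(trials):
        hashlib.pbkdf2_hmac("sha256", pw, salt, iterations)
    return trials / (time.perf_counter() - start)

if __name__ == "__main__":
    words = parse_wordlist(SAMPLE_WORDLIST)  # load the full EFF file here for real use
    print("sample passphrase (tiny list, illustration only):", generate_passphrase(words))
    for n in (5, 6, 7):
        bits = passphrase_entropy_bits(n)
        years = years_to_exhaust(bits, ASSUMED_GPU_GUESSES_PER_SEC * 1_000_000)
        print(f"{n} words: {bits:.1f} bits, {years:,.0f} years for a million GPUs to exhaust")
    print(f"this CPU core: {measure_pbkdf2_guesses_per_second():.1f} PBKDF2-600k guesses/s")
```

The entropy calculation assumes the attacker knows you used the EFF list and how many words; that is the right assumption, since the passphrase's strength must come from the random choice alone, not from the attacker's ignorance of the method.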
The second factor that actually matters
Your master passphrase is your first factor, and it is also the only thing standing between someone who has stolen a copy of your encrypted vault and its contents: 2FA is enforced by the provider's servers, not by the encryption, so it does nothing against an offline grind (1Password's Secret Key is the exception, because it is mixed into the key derivation itself). What the second factor on the manager buys you is that someone who has phished, keylogged or guessed your master passphrase still cannot fetch the vault through the provider's normal login.
- SMS 2FA: do not use for anything that matters. SIM-swap attacks are routine: carrier support staff get socially engineered and insiders get bribed into porting numbers in minutes. SMS still beats nothing against plain credential stuffing, but on your password manager it mostly buys a false sense of security against the targeted attacker it is supposed to stop.
- TOTP (Google Authenticator, Aegis, 2FAS): acceptable. Vulnerable to phishing, since a fake login page can capture the code and replay it to the real site within the 30-second window. Better than nothing, much better than SMS. One caveat: the TOTP seed for your password manager must not live inside that same vault, or it is not a second factor at all.
- Hardware security keys (YubiKey, Titan, Solo): the right answer. WebAuthn / FIDO2 keys resist phishing by construction: the credential is scoped to the site's RP ID, the browser (not the page) writes the real origin into the signed data, and the signature covers a challenge the server issued for this one login. A perfect lookalike site is a different origin, so the browser refuses to exercise the credential at all, and any assertion an attacker does manage to relay fails the server's origin and challenge checks.
Two YubiKeys, one in your wallet and one in a fireproof safe at home, registered as second factors on your password manager and on every recovery email account, is the practical floor for anyone with anything to lose. They cost about $50 each.
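To make the origin-binding argument concrete, here is an added simulation of the WebAuthn assertion exchange from both sides; it is not code from any browser, security key or relying party, and it substitutes HMAC-SHA256 for the real ECDSA signature so it runs with Python's standard library alone. The hostnames vault.example and vault-example.com are constructed. The browser rule it enforces (the RP ID must be the origin's host or a parent domain of it) is simplified; real browsers also consult the public-suffix list. The same binding is what makes synced passkeys phish-resistant, since they are WebAuthn credentials too.

```python
"""WebAuthn origin binding, simulated from both sides.

Added example for this article, not code from any browser, security key or
relying party. HMAC-SHA256 stands in for the ECDSA signature so only the
standard library is needed; the origin/RP-ID rules are the protocol's own.
Hostnames vault.example and vault-example.com are constructed.
"""
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlparse

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

class SecurityError(Exception):
    """Raised where the browser or the key refuses to exercise a credential."""

class Authenticator:
    """A security key: every credential is scoped to the RP ID it was created for."""
    def __init__(self):
        self.creds = {}   # (rp_id, credential_id) -> signing key
        self.counter = 0

    def make_credential(self, rp_id):
        cred_id, key = secrets.token_bytes(16), secrets.token_bytes(32)
        self.creds[(rp_id, cred_id)] = key
        return cred_id, key   # relying party stores the verification key at registration

    def get_assertion(self, rp_id, client_data_hash):
        for (scoped_rp, cred_id), key in self.creds.items():
            if scoped_rp == rp_id:
                self.counter += 1
                # authenticatorData = sha256(rpId) || flags || 32-bit signature counter
                auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + self.counter.to_bytes(4, "big")
                sig = hmac.new(key, auth_data + client_data_hash, hashlib.sha256).digest()
                return cred_id, auth_data, sig
        raise SecurityError(f"no credential scoped to RP ID {rp_id!r}")

def rp_id_allowed(origin, rp_id):
    """Browser rule: RP ID is the origin's host or a parent domain of it
    (simplified: real browsers also reject public suffixes such as 'com')."""
    host = urlparse(origin).hostname or ""
    return host == rp_id or host.endswith("." + rp_id)

def browser_get_assertion(origin, rp_id, challenge, authenticator):
    """navigator.credentials.get(): the browser, not the page, writes the origin."""
    if urlparse(origin).scheme != "https":
        raise SecurityError("WebAuthn requires a secure context")
    if not rp_id_allowed(origin, rp_id):
        raise SecurityError(f"{origin} may not use RP ID {rp_id!r}")
    client_data = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                              "origin": origin}, separators=(",", ":")).encode()
    cred_id, auth_data, sig = authenticator.get_assertion(rp_id, hashlib.sha256(client_data).digest())
    return {"credential_id": cred_id, "client_data_json": client_data,
            "authenticator_data": auth_data, "signature": sig}

def server_verify(assertion, expected_origin, expected_rp_id, challenge, registered_keys, last_counter=0):
    """Relying-party checks in spec order; any failure rejects the login."""
    cd = json.loads(assertion["client_data_json"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != b64url(challenge):
        return False   # wrong ceremony, or a stale/replayed assertion
    if cd.get("origin") != expected_origin:
        return False   # signed while the user was on some other site
    auth_data = assertion["authenticator_data"]
    if auth_data[:32] != hashlib.sha256(expected_rp_id.encode()).digest():
        return False   # credential belongs to a different RP
    if int.from_bytes(auth_data[33:37], "big") <= last_counter:
        return False   # counter did not advance: possible cloned key
    key = registered_keys.get(assertion["credential_id"])
    if key is None:
        return False
    expected = hmac.new(key, auth_data + hashlib.sha256(assertion["client_data_json"]).digest(),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])

def demo():
    """Legit login verifies; the lookalike site never obtains a usable assertion."""
    rp_id, origin = "vault.example", "https://vault.example"
    key_fob = Authenticator()
    cred_id, key = key_fob.make_credential(rp_id)
    registered, challenge = {cred_id: key}, secrets.token_bytes(32)
    good = browser_get_assertion(origin, rp_id, challenge, key_fob)
    results = {"legit": server_verify(good, origin, rp_id, challenge, registered)}
    for label, phish_rp in (("phish_real_rpid", rp_id), ("phish_own_rpid", "vault-example.com")):
        try:   # lookalike page asks for the real RP ID, then for its own
            browser_get_assertion("https://vault-example.com", phish_rp, challenge, key_fob)
            results[label] = "assertion issued"
        except SecurityError as e:
            results[label] = str(e)
    # A captured assertion forwarded later fails on the fresh challenge.
    results["replay"] = server_verify(good, origin, rp_id, secrets.token_bytes(32), registered)
    return results

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Contrast this with TOTP: the six digits carry no notion of which site asked for them, so a relay proxy can forward them unchanged. Here the origin is baked into what gets signed, and the attacker's page cannot even reach the signing step.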
What to do after install day
- Day 1 — install and import. Most managers can import from your browser's saved passwords. Do this. Don't worry about cleanup yet.
- Day 1 — set master passphrase to six diceware words. Write them down on paper. Put the paper somewhere safe (a home safe, a sealed envelope at a relative's house — not a desk drawer, not a Google Doc).
- Day 2 — fix your most important accounts first. Email, then bank, then password-manager itself, then two or three other high-value services. New password for each, generated at 20+ characters.
- Day 2 — enable a hardware key on your email account and on the password manager. Register two keys. Delete SMS 2FA from these accounts.
- Week 1 — work the rest of the list opportunistically. Every time you log into something, rotate that one. Don't try to do all 300 in a weekend; you'll burn out and stop.
- Month 1 — turn on the breach-monitoring feature. 1Password Watchtower, Bitwarden Reports, etc. They'll flag accounts that show up in new breaches.
- Quarterly — restore-test. Pretend you've lost your phone. Can you sign in to your manager from a fresh device using only the master passphrase and a hardware key? If not, fix the gap before you actually need it.
The advanced moves
Email aliases
The deeper version of "unique password per site" is "unique email per site." Services like SimpleLogin (Proton), addy.io, Apple's Hide My Email, and Firefox Relay generate a per-site forwarding alias. When the inevitable breach happens, you know exactly which service leaked, and you can disable the alias to kill spam. Bitwarden and 1Password both integrate alias generation directly into the new-login flow.
Passkeys
Passkeys are the next-generation replacement for passwords entirely: a WebAuthn public-key credential whose private half is synced through your password manager (1Password, Apple Passwords, Bitwarden, Google Password Manager). They are phish-resistant for the same reason hardware keys are, but easier to live with because they follow you to the devices you already own. The trade-off is that a synced passkey is only as safe as the vault and account that sync it, which is one more reason the master passphrase and hardware-key 2FA above matter. Where a service offers a passkey, prefer it over a password. Coverage is improving fast: Google, Apple, Amazon, GitHub, Microsoft, and a growing number of banks support them as of 2026.
The emergency kit
Every password manager has a "what if I die" workflow:
- 1Password's Emergency Kit PDF — printable, contains your Secret Key and a place to write your master.
- Bitwarden's emergency access feature — designate a trusted contact who can request access after a wait period.
- KeePassXC — a copy of the database file plus the master passphrase in your safe deposit box.
This isn't morbid; it's responsible. Without a recovery path, your vault is the same as the keys in your pocket: useful only as long as you're around.
The final point
Privacy is loud and password management is quiet. The loud part gets the headlines; the quiet part is what stops you from being a statistic. Pick a manager today. The argument about which one is best matters less than the fact that you're using one.