That changed when an online store I'd used twice three years earlier sent me an email saying my account credentials had been exposed in a breach. The store itself was fine. The problem was that I used the same password there as I used for my email—and my bank.
After about forty very uncomfortable minutes changing passwords on eighteen different sites, I decided I was done doing this manually.
What actually convinced me
The thing that finally pushed me was realizing that "remember a strong password for each site" is not a realistic strategy. Human memory doesn't work that way. We remember patterns, and patterns are exactly what attackers look for.
I'd been telling myself I had a system: take a base password, add a few characters from the site's name. Turns out this is a well-known pattern that credential stuffing attacks are specifically designed to exploit. It felt clever and wasn't.
A password manager doesn't ask you to remember anything except one master password. It generates a random, unique password for every site—something like Kp8#mQzL2vN!xR—and stores it encrypted. You never have to remember or even see most of your passwords.
The common objections (and whether they hold up)
"What if the password manager gets hacked?" This is the first thing most people ask, and it's a fair question. The short answer is: the reputable ones don't store your master password, and all your passwords are encrypted before they leave your device. Even if someone stole the encrypted files, they'd need your master password to decrypt them. Your actual secrets are protected by math, not just by trusting a company.
Bitwarden, which is the one I use and which is open source, has had independent security audits. You can read the results. That kind of transparency is unusual and worth something.
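To make the "protected by math" point concrete, here is an added illustration of my own, not Bitwarden's or any manager's actual code. It derives separate encryption, authentication and login keys from a master password with PBKDF2, encrypts a small vault on the "device", and then looks at what someone who copies the server's database actually holds. The iteration count, vault contents and passphrase are constructed, and the HMAC-SHA256 counter-mode cipher stands in for the vetted authenticated cipher (AES-GCM or similar) a real product would use, purely so the example runs on the Python standard library alone.

```python
import hashlib
import hmac
import json
import secrets

# Constructed illustration of a zero-knowledge vault. Real managers use a vetted
# AEAD such as AES-GCM or XChaCha20-Poly1305; HMAC-SHA256 in counter mode is used
# here only so the example runs on the standard library alone.
KDF_ITERATIONS = 200_000  # kept low so the demo is quick; production uses more (OWASP: 600,000 for PBKDF2-HMAC-SHA256)
NONCE_LEN, TAG_LEN, KEY_LEN = 16, 32, 32


def derive_keys(master_password: str, salt: bytes, iterations: int = KDF_ITERATIONS) -> tuple[bytes, bytes, bytes]:
    """Stretch the master password into three independent 32-byte keys.

    Each PBKDF2 output block is its own HMAC chain keyed by the password, so the
    login token a server stores cannot be turned back into the encryption or MAC key.
    """
    material = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=3 * KEY_LEN)
    enc_key, mac_key, login_token = (material[i * KEY_LEN:(i + 1) * KEY_LEN] for i in range(3))
    return enc_key, mac_key, login_token


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream built from HMAC(enc_key, nonce || counter) blocks."""
    blocks = [hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
              for counter in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def encrypt_vault(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC on the device; output is nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_vault(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Check the tag before touching the ciphertext: a wrong master password gives
    wrong keys, the tag fails, and no plaintext is ever produced."""
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("vault authentication failed: wrong master password or tampered blob")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def breach_simulation(master_password: str, vault: dict) -> dict:
    """Store a vault the way a zero-knowledge manager would, then examine what
    someone who copies the server's database actually holds."""
    salt = secrets.token_bytes(16)  # per account, stored in the clear
    enc_key, mac_key, login_token = derive_keys(master_password, salt)
    # Only these three values ever reach the server.
    stolen = {"salt": salt, "login_token": login_token,
              "blob": encrypt_vault(enc_key, mac_key, json.dumps(vault).encode())}

    leaked_bytes = b"".join(stolen.values())
    secrets_visible = any(s.encode() in leaked_bytes for s in [master_password, *vault.values()])

    # The legitimate user re-derives the keys on their own device and opens the vault.
    k_enc, k_mac, _ = derive_keys(master_password, stolen["salt"])
    correct_opens = json.loads(decrypt_vault(k_enc, k_mac, stolen["blob"])) == vault

    # The thief has the salt, the login token and the blob, but not the master password.
    w_enc, w_mac, _ = derive_keys("not-the-real-passphrase", stolen["salt"])
    try:
        decrypt_vault(w_enc, w_mac, stolen["blob"])
        wrong_opens = True
    except ValueError:
        wrong_opens = False

    return {"secrets_in_stolen_data": secrets_visible,
            "correct_password_opens": correct_opens,
            "wrong_password_opens": wrong_opens}


if __name__ == "__main__":
    # Constructed vault; the site password is the one quoted earlier in the post.
    print(breach_simulation("lantern-river-quartz-hammock", {"shop.example": "Kp8#mQzL2vN!xR"}))
```

The result shows the shape of the guarantee: the stolen record contains neither the master password nor any site password, the right password opens the vault, and a wrong one fails the integrity check before any plaintext exists. What the stolen record does permit is offline guessing against the login token or blob, which is exactly why the key derivation is deliberately slow and why the master password needs to be strong.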
"It sounds complicated." The setup takes maybe twenty minutes. You install the browser extension, create a master password, and the next time you log into any site you tell it to save the credentials. It autofills from that point on. That's most of the interaction you'll ever have with it.
"What if I forget my master password?" This is the real risk worth thinking about. Most managers offer account recovery options: a recovery code you print out and store somewhere physical, or account recovery via a trusted contact. Beyond that, the best protection is to choose a master password you'll actually remember—a passphrase works well here, something like four or five random words. It's longer than a typical password, which makes it harder to crack, but it's also far easier for a human to remember.
Which one to use
I'm not going to pretend there's one right answer, but I can tell you what I found when I looked into this properly.
Bitwarden is free for individual use, open source, and has been independently audited. If you want to spend zero money and don't need anything fancy, start here. The interface isn't as polished as the paid options, but it does everything you need.
1Password costs about three dollars a month and is noticeably more refined. The Travel Mode feature—which lets you remove vaults you haven't marked as safe for travel from your devices before you cross a border—is useful if you travel frequently to countries with aggressive device inspection practices. The family sharing is also well-implemented if you're trying to get your household on the same system.
KeePassXC is the option if you don't want to trust any cloud service. Your passwords live in an encrypted file on your own hardware. You sync it yourself (via a USB drive, a self-hosted server, or whatever you like). It requires more setup, but nothing leaves your machine unless you put it there.
For most people: install Bitwarden, spend twenty minutes migrating your most important passwords, and get on with your life. The perfect can wait. Done is better than perfect here.
The first passwords to migrate
When I first set up my manager, I didn't try to import everything at once. I started with the accounts that would cause the most damage if they were breached:
Your email account is the most critical one. If an attacker gets into your email, they can use the "forgot password" flow to get into almost everything else. Change this to a strong, unique password first, and enable two-factor authentication on top of it.
Your bank and any financial services are next. Then your primary social media accounts, because those identities are hard to recover if they're taken. Then anything else you use regularly.
Don't try to do all 200 accounts in one afternoon. You'll burn out. Do the critical ten or fifteen, and then migrate others gradually as you log into them naturally over the following weeks.
One more thing: the password generator
Password managers include a built-in generator, but if you want to create a strong password before setting one up, a good standalone generator handles this well. Our free password generator lets you set the length, choose which character types to include, and will create something genuinely random. Put that into your manager and you're done.
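As an added example (my own, not the generator linked above or any manager's code), here is what "genuinely random" means in practice: a character-class generator that draws from the operating system's CSPRNG, a passphrase generator of the four-or-five-random-words kind suggested for the master password, and an entropy comparison between the two. The symbol set and the tiny word list are constructed stand-ins; a real diceware list such as the EFF long list has 7776 words, which is the size used in the comparison.

```python
import math
import secrets
import string

# Character classes the generator can draw from; the caller chooses which to include,
# mirroring the "choose which character types" option of a generator.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": "!#$%&*+-=?@^_~",  # constructed, deliberately conservative symbol set
}

# Constructed stand-in for a real diceware list (the EFF long list has 7776 words).
WORDLIST = ("lantern", "river", "quartz", "hammock", "velvet", "orbit", "pebble", "saffron",
            "timber", "glacier", "meadow", "copper", "anchor", "lyric", "harbor", "ember")


def generate_password(length: int = 20, classes=("lower", "upper", "digits", "symbols")) -> str:
    """Random password from the OS CSPRNG containing at least one character
    from every requested class."""
    if length < len(classes):
        raise ValueError("length must allow at least one character from each class")
    pools = [CLASSES[c] for c in classes]
    alphabet = "".join(pools)
    chars = [secrets.choice(pool) for pool in pools]               # guarantee each class appears
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)                           # don't reveal which positions were forced
    return "".join(chars)


def generate_passphrase(words: int = 5, wordlist=WORDLIST, separator: str = "-") -> str:
    """Random words joined by a separator; strength comes from the list size and word count."""
    return separator.join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(picks: int, pool_size: int) -> float:
    """Upper bound on guessing entropy for `picks` independent uniform draws from `pool_size` options.
    Forcing one character per class trims this slightly; the bound is still the useful comparison."""
    return picks * math.log2(pool_size)


def has_all_classes(password: str, classes) -> bool:
    """True if the password contains at least one character from each named class."""
    return all(any(ch in CLASSES[c] for ch in password) for c in classes)


def compare_strength(password_length: int = 14, classes=("lower", "upper", "digits", "symbols"),
                     words: int = 5, wordlist_size: int = 7776) -> dict:
    """Bits of entropy for a random character password versus a random word passphrase."""
    alphabet = sum(len(CLASSES[c]) for c in classes)
    return {"password_bits": round(entropy_bits(password_length, alphabet), 1),
            "passphrase_bits": round(entropy_bits(words, wordlist_size), 1)}


if __name__ == "__main__":
    print(generate_password(20))
    print(generate_passphrase(5))
    print(compare_strength())
```

The comparison is the instructive part: fourteen random characters from four classes carry more bits than five random words from a 7776-word list, yet the passphrase is the one a person can hold in their head, which is why it suits the master password while the character soup suits everything the manager remembers for you.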
The underlying advice is the same regardless of how you generate passwords: unique, random, long. A password manager just makes that feasible to actually do for all your accounts rather than just the ones you remember to worry about.
After two months of using one
It genuinely makes my computer life less annoying. I don't have to think about passwords anymore. I get a notification when a service I use has been involved in a data breach and I can change just that one password immediately instead of going through the panicked math of "have I used this password anywhere else?"
I'm slightly embarrassed it took me this long. But I'm also skeptical of advice that makes changing behavior sound easy, so I understand the resistance. The actual setup is genuinely not difficult, and the ongoing experience is better—not worse—than managing passwords manually. That's the honest version of this recommendation.
If you're still reusing passwords and haven't made the switch, pick a manager today. Even if it takes you a few weeks to migrate everything, starting costs nothing.