Yes, I'm here to tell you with a straight face that I've never used a password manager before. It's not like I've never considered signing up for one. I keep getting lured into trying different options, but a part of me always feels itchy putting all the eggs in one basket, especially when data breaches constantly remind us how that might be a bad idea. I know I am not alone in this boat because, well, old habits die hard. I figured I'd be "safer" if I remembered my passwords or wrote them down somewhere. But with a growing list of online accounts, I'm finally struggling to create unique and strong passwords for each one. So my 2023 tech resolution was to give password managers a shot, and here we are.

Choosing a good password manager can be tricky, and the sheer number of options out there doesn't make it any easier. I've learned quite a bit during my journey, and I hope these tips can help you on yours, too.

Look for the features you want

Most password managers do much more than just fill in your passwords on a sign-in form. Keeper, for example, is a super feature-rich password manager that can also store your credit card information, lock files and photos in a secure vault, help you share your passwords, and much more. 1Password also comes with many bells and whistles, and it can perform additional tasks such as removing secrets from your clipboard and alerting you about security breaches.

The 1Password app is free to download and comes with a 14-day trial. For continued use, you'll need to buy a subscription.

It's important to understand what you want from your password manager, or you'll end up wandering a never-ending trail of options. After all, there's no point in paying a premium for extras you're not going to use. You may already have a secure folder on your smartphone to lock down important files and photos, and you may not need to pay for add-ons like dark web monitoring and breach alerts. Instead, look for the features that matter to you.

Here are important features I recommend looking for instead:

  • Cross-platform support, so you can access and manage your saved passwords on any device or operating system
  • Multi-factor authentication to protect the account your vault is tied to, so a stolen master password alone isn't enough to log in from a new device
  • Offline access, so a locally cached copy of your vault still works when you're not online
  • Browser extension support, so your passwords are available regardless of the web browser you use

For example, I was looking for a password manager to help me avoid re-using the same passwords on different accounts. I reached a point where I was starting to reuse some of my passwords, which leaves the door open for bad actors: a password leaked from one site gets tried against every other site (credential stuffing), so one breach becomes several. Long story short, I prioritized a simple and secure password generator over fancy features to avoid spending anything more than I wanted as a new customer. Your mileage may vary, though.

'Zero-knowledge' encryption is important

Most password managers encrypt your vault with a strong cipher such as AES-256 or XChaCha20 before anything leaves your device. So even if the service stores your vault on a remote server, a thief who copies that server gets ciphertext, not passwords, and still has to guess your master password to read it, which is why a long master passphrase matters as much as the cipher. Every reputable password manager documents the encryption it uses, so you don't have to take it on faith when handing over important information.

An illustration to explain the NordPass Zero Knowledge encryption method.

Bitwarden, for instance, uses AES-CBC 256-bit encryption for your vault data and PBKDF2-SHA256 (with Argon2id offered as an alternative since early 2023) to derive your encryption key from the master password. Everything is encrypted or hashed before it's sent to Bitwarden's servers, and it can only be decrypted with the key derived from your master password, which Bitwarden itself never receives. NordPass, on the other hand, uses XChaCha20, a stream cipher that is fast even on devices without hardware AES acceleration and is easier to implement without timing side channels.

I recommend picking only ones that use a zero-knowledge encryption solution, meaning they can't read or share your sensitive information. Of course, there's no way to stay 100% safe online, but it helps if you cover the basics.
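To make the "zero-knowledge" idea concrete, here is a small Go program modelling the construction just described: PBKDF2-HMAC-SHA256 turns the master password into a master key on the device, the vault is encrypted with AES-256-CBC plus an HMAC-SHA256 tag, and the only password-derived value the server ever sees is a separate login hash. This is an added example written for this article from the RFCs; it is not Bitwarden's or NordPass's code. The 100,000-iteration count, the e-mail-style salt, the "enc"/"mac" HKDF labels and the sample vault record are all assumptions for the demonstration.

```go
// Added example, not code from the article or any password manager: a minimal client-side vault
// on the Bitwarden-style scheme described above. Salt, HKDF labels and sample data are assumptions.
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

const iterations = 100_000 // assumed; Bitwarden's 2023 default for new accounts is 600,000

// VaultBlob is all a server or an encrypted backup ever holds; Tag = HMAC-SHA256(macKey, IV || Ciphertext).
type VaultBlob struct{ Salt, IV, Ciphertext, Tag []byte }

// pbkdf2 is PBKDF2-HMAC-SHA256 (RFC 8018) for one 32-byte block, all this example needs; standard library only.
func pbkdf2(password, salt []byte, iter int) []byte {
	prf := hmac.New(sha256.New, password)
	prf.Write(append(append([]byte{}, salt...), 0, 0, 0, 1)) // salt || INT(1)
	u := prf.Sum(nil)
	t := append([]byte{}, u...)
	for i := 1; i < iter; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

// DeriveKeys runs entirely on the device. Only authHash (one more PBKDF2 round, salted with the
// password) goes to the server, which stores a further slow hash of it and cannot recover the master key.
func DeriveKeys(masterPassword string, salt []byte) (authHash, encKey, macKey []byte) {
	pw := []byte(masterPassword)
	mk := pbkdf2(pw, salt, iterations)
	stretch := func(info string) []byte { // HKDF-Expand (RFC 5869), single block
		m := hmac.New(sha256.New, mk)
		m.Write(append([]byte(info), 1))
		return m.Sum(nil)
	}
	return pbkdf2(mk, pw, 1), stretch("enc"), stretch("mac")
}

func tag(macKey, iv, ct []byte) []byte {
	m := hmac.New(sha256.New, macKey)
	m.Write(append(append([]byte{}, iv...), ct...))
	return m.Sum(nil)
}

// Seal encrypts on the device: random IV, AES-256-CBC with PKCS#7 padding, then an HMAC over IV and ciphertext.
func Seal(masterPassword string, salt, plaintext []byte) (*VaultBlob, error) {
	_, encKey, macKey := DeriveKeys(masterPassword, salt)
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	n := aes.BlockSize - len(plaintext)%aes.BlockSize // PKCS#7 always adds 1..16 bytes
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(n)}, n)...)
	block, _ := aes.NewCipher(encKey) // 32-byte key: cannot fail
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return &VaultBlob{salt, iv, ct, tag(macKey, iv, ct)}, nil
}

// Open checks the tag before touching the ciphertext, so a wrong master password, a corrupted backup
// and a tampered blob all fail the same way (no padding oracle).
func Open(masterPassword string, blob *VaultBlob) ([]byte, error) {
	if len(blob.IV) != aes.BlockSize || len(blob.Ciphertext) == 0 || len(blob.Ciphertext)%aes.BlockSize != 0 {
		return nil, errors.New("vault: malformed blob")
	}
	_, encKey, macKey := DeriveKeys(masterPassword, blob.Salt)
	if !hmac.Equal(tag(macKey, blob.IV, blob.Ciphertext), blob.Tag) {
		return nil, errors.New("vault: authentication failed (wrong master password or tampered data)")
	}
	block, _ := aes.NewCipher(encKey)
	pt := make([]byte, len(blob.Ciphertext))
	cipher.NewCBCDecrypter(block, blob.IV).CryptBlocks(pt, blob.Ciphertext)
	n := int(pt[len(pt)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("vault: bad padding")
	}
	return pt[:len(pt)-n], nil
}

func main() {
	salt := []byte("alice@example.com") // constructed sample; stands in for the account e-mail
	blob, _ := Seal("my long master passphrase", salt, []byte(`{"example.com":"alice / correct horse battery staple"}`))
	_, wrong := Open("wrong password", blob)
	pt, _ := Open("my long master passphrase", blob)
	fmt.Printf("server sees plaintext: %v\nwrong password: %v\nrestored: %s\n",
		bytes.Contains(blob.Ciphertext, []byte("alice")), wrong, pt)
}
```

Run it with `go run vault.go` (or whatever you name the file). The point to take away is what the server side never gets: the blob it stores carries the salt, IV, ciphertext and tag, and the login credential it checks is a separate hash that cannot be turned back into the encryption key. A breach of that server therefore hands the attacker nothing but an offline guessing game against your master password, which is exactly why the iteration count and the length of your passphrase are the two knobs worth caring about.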

Pick password managers with secure backups

It's also important to pick a password manager that lets you export a backup of your encrypted vault, just in case the remote server holding your passwords goes down. Some password managers export the vault still encrypted, while others only let you export decrypted data in a human-readable format such as CSV or JSON; treat the latter exactly like the vault itself, because anyone who finds the file has every password in it. Either way, keep a backup so that a server error or a lost account doesn't lock you out of everything online.


Looking at the recent LastPass mishap and how it handled the situation, I know I'm never leaving a backup of my passwords online, even if it's encrypted. You can always create a manual export and keep a copy offline, but move and store it safely: on encrypted storage, or re-encrypted with a tool of your own, and delete any plaintext copy as soon as you no longer need it.

Check for biometrics and other ways to log in

Multi-factor authentication (MFA), as I mentioned earlier, is one of the most important features to look for in a password manager. Combine a strong master password with two-factor authentication (2FA) and, where available, biometric authentication such as a fingerprint or face scan. Biometrics usually act as an additional unlock layer: you'll still need your master password and any enabled two-step login. There's no such thing as too many layers of security, especially when a single password can unlock a vault full of sensitive data.

Using the fingerprint sensor on the Pixel 6a

It's also worth noting that setting up MFA or biometric authentication is not an alternative to your master password. MFA protects the login to the service; only the master password can decrypt the vault data once it's on your device. In practice, you'll typically enter the master password once per device to download and decrypt the vault; after that, a biometric unlock releases a copy of the key kept in the device's secure storage, which is why biometrics are a convenience on top of the master password rather than a replacement for it, and the app will still ask for the master password again from time to time. This also brings me to my next, and probably most important, point.

Don't forget your master password!

Almost all modern password managers operate with zero-knowledge encryption, so they can't read or retrieve your master password. Some of them offer you tools to recover the password in case you forget it, but you can't really use them unless you've pre-authorized those options. Some of these options include:

  • A password hint: Your password manager will send you the password hint (if you have one set up) via email.
  • Access using emergency contact: Provided you have the emergency access option enabled on your account, you can contact your emergency contact to regain access to your vault.
  • Admin password reset: Those with an enterprise account can reach out to their admins to reset and regain access to their accounts.

The recovery options mentioned above will only work if you've authorized them previously. Some password managers, such as Dashlane, also let you reset the master password after a biometric unlock on a device you've already set up, but even that only works if you enabled it before forgetting the master password.


If none of these options get you back in, the only remaining option is to delete the account and start a new one. That also means losing everything in the vault, so you'll have to reset the password on every account it held.

Getting started as a beginner

I was just as overwhelmed as you probably are right now after reading through everything. If you're not comfortable setting up a password manager for all your accounts, then why not start using it for some basic or casual accounts? You know, the ones that you may have created to check out a free trial or read an article behind a paywall.

I also recommend testing the waters with free password managers before committing to a premium subscription. As someone fairly new to the world of password managers, I've started using Bitwarden to familiarize myself with it, beginning with low-risk accounts. Bitwarden comes with all the essentials and doesn't lock anything important behind a paywall. It's also completely open-source, meaning you can review, audit, and contribute to Bitwarden's code on GitHub.

A screenshot showing Bitwarden's GitHub repository.

I also find peace knowing that I can ignore Bitwarden's cloud storage and self-host its entire server stack on the platform of my choice. Again, it comes down to the features you want, so be sure to look around at different options and select the one you think works best for your use case. You can always check out our collection of the best password managers once you know the ins and outs and are ready to jump in.