A password manager solves one specific problem: it lets you use a different, long password for every account without memorizing all of them. It does not remove the need for account recovery, multi-factor authentication, updates, or good judgment. A careless setup can replace dozens of weak passwords with one fragile point of failure.
The goal is not to find a magical app. It is to build a small recovery system that you understand before moving important accounts.
Choose by recovery and portability
Start with products that publish clear security documentation, support your devices, receive regular updates, and let you export your data in a documented format. Decide whether you need family sharing, business administration, offline access, passkeys, or a self-hosted option. More features are not automatically better.
Read what happens when you forget the master password. Some services cannot recover it. Others offer account recovery through a trusted person or organization. Understand which option weakens security and which one merely restores access through a separate encrypted mechanism.
Check how the service handles a stolen device, a changed phone number, and the loss of every signed-in session. A good choice is one whose recovery process you can rehearse, not one with the longest feature list.
Create a master passphrase
The master password protects the vault, so it must be unique and not reused anywhere. A long passphrase made from several unrelated words is easier to type and remember than a short composition of substitutions. NIST’s current guidance emphasizes length, permits spaces, and discourages arbitrary composition rules and routine forced changes.
Do not base the phrase on a quote, address, birthday, or pattern visible on social media. Do not store it in the same digital vault as the only copy. Write one recovery copy by hand and keep it in a physically secure location. If another person must be able to recover family or business records, document that arrangement explicitly.
Type the phrase several times before importing anything. Lock the vault and sign in again on a second device. A password remembered only through one browser’s autofill has not been learned.
Turn on a strong second factor
Enable multi-factor authentication for the manager account. A hardware security key or passkey provides phishing resistance when supported. An authenticator app is still generally better than relying only on SMS. Save recovery codes outside the vault and away from the device that holds the second factor.
Do not put the vault’s only MFA recovery code inside the locked vault. That creates a circular recovery plan. A printed emergency sheet can contain the service URL, account email, recovery code location, and instructions without listing every password.
Move accounts in stages
Importing a browser file is convenient, but it can bring duplicates, old logins, and passwords saved for the wrong domain. Start with a small batch: primary email, financial accounts, cloud storage, social accounts, and the domain registrar. Change reused passwords rather than merely storing them.
For each important account:
- Open the site from a known bookmark or typed address.
- Generate a unique random password.
- Save it with a clear name and correct URL.
- Enable MFA or a passkey where available.
- Record the account’s own recovery codes.
- Sign out and test a fresh sign-in before moving on.
Your email account deserves priority because it can reset many other accounts. Protect it with a strong second factor and verify its recovery address and phone number.
Clean up the old copies
After confirming the vault works across devices, remove exported CSV files and empty the recycle bin. A CSV export is normally unencrypted. Do not leave it in Downloads, email, or a synchronized desktop folder.
Decide whether to keep browser password saving enabled. Running two stores can create confusion about which copy is current. If the manager’s extension fills credentials reliably, disable new saving in the browser and remove old entries after you have tested the import.
Use the manager’s security report as a queue, not as a score to chase. Fix reused and compromised passwords first. Old accounts you no longer use should be closed when practical.
Prepare an emergency kit
An emergency kit is a short recovery document stored securely. It can include:
- the name and official URL of the password manager;
- the account email;
- the master passphrase or the location of its sealed copy;
- MFA recovery codes or their location;
- instructions for a trusted person;
- the date the recovery process was last tested.
Keep the kit away from casual access and do not photograph it into an automatically synchronized gallery. For a business, use an approved organizational recovery process rather than depending on one employee’s private vault.
Test the scenario you are afraid of
Once or twice a year, test recovery without destroying the working setup. Confirm that you can sign in on a new browser, locate recovery codes, and access your primary email. Check that a trusted person can follow the written instructions without knowing informal details.
Also review devices and active sessions. Remove old phones and computers. Update the manager, browser, and operating system. A secure vault on an unsupported device is not a secure system.
What a password manager does not solve
It cannot protect you if you approve a malicious MFA prompt, paste credentials into a fake site, or hand an unlocked device to someone. Autofill can reduce phishing risk by refusing to fill on the wrong domain, but always check the address before entering the master password.
Do not store plaintext recovery answers, API keys, and client secrets without considering who has access to shared folders. Separate personal, family, and work collections. Use the least sharing needed.
Passkeys can reduce dependence on passwords for supported services, but a manager is still useful for legacy accounts and for organizing recovery. Read our explanation of how passkeys work before changing your most important accounts.
A dependable password manager setup is boring: one memorable master passphrase, a second factor, tested recovery, clean devices, and unique credentials. That is exactly why it works.

Join the conversation
Stay on topic and respect other readers. Your first comment may appear after editorial review.