
Because our online accounts hold the key to our identities, finances, and other personal information, it’s important to secure them effectively. This isn’t as onerous as you may believe, but if you’ve neglected account security for whatever reason, you do have some work to do. And even if you think you’re up to date with account security, chances are you’re not: Security technologies, and the products and services that implement them, are improved regularly, and it’s impossible for any individual to know for sure that every online account they maintain—including those they’ve forgotten about—is protected as much as possible.
Or is it?
When you think about the products and services you use to protect yourself online, there is perhaps none more important than a password manager. To be clear, you are almost certainly using a password manager, whether you mean to or not: You would need to explicitly prevent this behavior to do otherwise. Less clearly, you’re probably using multiple password managers, and you definitely don’t want to do that. But it’s also possible that you’re not using the right password manager. And, as important, not using your password manager to its fullest.
And that’s a lot to unpack. So let’s start with the basics.
That password managers manage passwords is obvious enough: This isn’t a clever name, it’s just descriptive. But modern password managers—good password managers—do much more than that. We’ll get to that in a moment.
A good password manager needs to balance security and convenience. This can be elusive. We all have different tolerance levels, and any solution that is too inconvenient might convince users to lower their protections to simplify the experience. This is a critical mistake: A password manager stores some of our most important personal information, but it’s also a single point of failure. It needs to be secure.
For many people—perhaps even most people—a password manager is conversely not a single point of failure because we’ve all used multiple password managers over time. And one of the biggest mistakes one can make when switching to a new password manager is to forget the old one is still out there, full of your personal information. You could properly secure multiple password managers, of course. But the simpler, more secure approach is to remove your personal data from any password manager you’ve used in the past. This can be problematic: You probably don’t even remember most of them.
That last bit is true because password managers, understandably, are promiscuous. That is, they’re everywhere. Every major web browser, every major personal computing platform on desktop or mobile, and every major online account (that’s tied to identity) provides a password manager. Ideally, this is centralized: If you use an Android phone and Google Chrome on both mobile and desktop, you’re probably using the Chrome Password Manager, as it works across all those systems. But if you’ve used multiple web browsers, multiple operating systems, and one or more standalone password managers, there’s a good chance that your personal data is all over the place, just waiting to be hacked.
Again, you almost certainly have some work to do. I do, too, if that helps. No one is perfect.
It’s not possible to anticipate all the places you’ve stored your passwords (and other information). And in some cases, going with a pure-play platform-based password manager might make sense. If you’re all-in as an Apple user, for example, the company offers an online account (Apple ID) with an associated email address and password. It offers account security features like two-factor authentication (2FA), passkeys, on-device authentication via a PIN, facial recognition (Face ID), or fingerprint recognition (Touch ID), account recovery capabilities, and more. And Apple offers a password manager called Keychain that works across all its device types and will soon be improved with a more approachable standalone Passwords app.
But most are best served by a standalone password manager, a third-party password manager. This isn’t about walled gardens or lock-in or whatever, though there’s something to that. It’s about functionality. Standalone password managers do more than the password managers that are built into web browsers and operating systems. And while this varies by product, it’s important to understand what’s out there so you can choose a solution that works for you.
As noted, password managers help you manage your passwords. At its most basic level, that means that a password manager is essentially a database that stores account credentials. Each account it stores will include at least a username (which can be an email address) and its associated password. You can add, view, edit, and delete accounts.
You can use that information, ideally, to sign in to the underlying account. For example, a password manager in a web browser will offer up stored account information if you navigate to a website with which it is associated and will autofill that data into the appropriate fields on a form as prompted. A password manager in a smartphone will do the same in apps, which is likewise convenient.
Almost any password manager will also offer to save an account when you sign in to a website/online service or mobile app for the first time. And most password managers will likewise offer to automatically create a complex and randomly generated password for you, filling that in at the time of account creation. This capability is crucial, but many users are suspicious that they’ll somehow be locked out of an account because it’s stuck inside a password manager. But that’s silly: You’re better off not knowing the password, and you’re going to use this same password manager everywhere. You will have it on your phone, your PC, and whatever other devices you use.
Most password managers, including those built into browsers and OSes, will also offer basic security check functionality. That is, they will monitor the online accounts you’ve saved in them and provide you with advice for fixing problems. For example, they will note which passwords you’ve reused with multiple accounts so you can eliminate the duplicates. (The theory here is that if one of your accounts is compromised, hackers will try the password with your other accounts.) It will identify weak passwords. And it will offer some form of alert system so that it can inform you when it discovers that any of your account credentials have leaked online.
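The three checks described above (reused passwords, weak passwords, and leaked credentials) are simple enough to show in working code. The following is an added example, not code from the page or from any password manager product. It runs over a constructed sample vault with hypothetical site names, generates replacement passwords from the operating system's CSPRNG, and checks for leaks the way Have I Been Pwned's Pwned Passwords range API does: only the first five hex characters of a password's SHA-1 hash are sent, and the service returns every matching suffix, so the full hash never leaves the device (k-anonymity). The breach corpus here is a small constructed stand-in for that service.

```python
import hashlib
import secrets
import string
from collections import defaultdict

# Constructed sample vault with hypothetical sites and users, not real credentials.
SAMPLE_VAULT = [
    {"site": "bank.example", "username": "alice@example.test", "password": "Summer2023!"},
    {"site": "shop.example", "username": "alice@example.test", "password": "Summer2023!"},
    {"site": "forum.example", "username": "alice", "password": "password"},
    {"site": "mail.example", "username": "alice@example.test", "password": "x7#Lq9!vB2m$Ke4p-Zr"},
]

# Constructed stand-in for a breach corpus, stored the way Pwned Passwords
# publishes it: uppercase SHA-1 hex digests of passwords seen in leaks.
LEAKED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password", "123456", "qwerty", "letmein")
}

CHAR_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
                string.digits, string.punctuation)


def generate_password(length=20):
    """Random password from the CSPRNG behind `secrets`, with at least one
    character from every class so it never trips the weak-password check."""
    if length < len(CHAR_CLASSES):
        raise ValueError("length too short to cover every character class")
    alphabet = "".join(CHAR_CLASSES)
    chars = [secrets.choice(cls) for cls in CHAR_CLASSES]
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    # Fisher-Yates shuffle driven by the same CSPRNG, so the guaranteed
    # characters do not always sit at the front of the password.
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def is_weak(password, min_length=12, min_classes=3):
    """Length and character-class heuristic, like a manager's 'weak' flag."""
    classes = sum(any(ch in cls for ch in password) for cls in CHAR_CLASSES)
    return len(password) < min_length or classes < min_classes


def find_reused(vault):
    """Map every password shared by more than one entry to the sites using it."""
    by_password = defaultdict(list)
    for entry in vault:
        by_password[entry["password"]].append(entry["site"])
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}


def range_query(prefix, corpus=LEAKED_SHA1):
    """Stand-in for the k-anonymity range endpoint: given the first five hex
    characters of a SHA-1, return the suffixes of all leaked hashes sharing it."""
    return {h[5:] for h in corpus if h.startswith(prefix)}


def is_leaked(password, corpus=LEAKED_SHA1):
    """Check a password against the corpus without revealing the full hash."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return suffix in range_query(prefix, corpus)


def audit(vault, corpus=LEAKED_SHA1):
    """Return (site, issue) findings, one per problem, in vault order."""
    findings = []
    reused = find_reused(vault)
    for entry in vault:
        site, pw = entry["site"], entry["password"]
        if pw in reused:
            others = [s for s in reused[pw] if s != site]
            findings.append((site, f"password reused on {', '.join(others)}"))
        if is_weak(pw):
            findings.append((site, "weak password"))
        if is_leaked(pw, corpus):
            findings.append((site, "password appears in a known breach"))
    return findings


if __name__ == "__main__":
    for site, issue in audit(SAMPLE_VAULT):
        print(f"{site}: {issue}")
    print("suggested replacement:", generate_password())
```

Against the constructed vault, the audit flags the bank and shop entries for sharing a short password, and the forum entry both as weak and as present in the breach corpus; the long random password on the mail entry passes every check. Swapping `range_query` for an HTTPS call to the real range endpoint is the only change needed to run the leak check against a live corpus, and the prefix-only design is what makes that safe to do.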
Password managers aren’t just about passwords. For example, most also offer payment method management and autofill for credit cards, and personal information (addresses, date of birth) management and autofill, which is obviously useful. (And Microsoft has some less useful membership and tickets management features, plus limited online order tracking.)
But we need more from a password manager.
A good password manager will also act as a second factor of authentication when you sign in to online accounts that support 2FA. Today, Google and Microsoft both offer standalone authenticator apps that are separate from their password managers (though Microsoft Authenticator can also access your Microsoft account-based passwords and be used for autofill on mobile). (And Apple uses a unique trusted device system for 2FA.)
A good password manager will also offer dark web monitoring in addition to the standard security check that looks for compromised accounts online. Microsoft, for example, offers this functionality to individuals through Windows Defender, a feature of paid Microsoft 365 consumer subscriptions. You don’t just get it for free with your Microsoft account.
But there’s more.
A great password manager will expand on the security check and dark web monitoring and keep track of which of your accounts could be better secured with passkeys and 2FA, and then alert you so you can make those changes. This is the bit I referenced at the beginning: While it’s impossible for any individual to know for sure that every online account they maintain is protected as much as possible, these features go a long way towards making that happen.
A great password manager will store passkeys, making them portable. This is huge: Instead of tying a passkey to a specific device, an act that requires you to manually recreate each passkey on every device you use, you can tie it to the password manager and use it everywhere. I do this with my core accounts and it’s liberating.
Finally, a great password manager will do away with passwords entirely.
That one requires a bit of explanation, I know. But the central promise of password managers, dating back to the earliest days of these products at the dawn of the web, was that they would free you from having to remember all the different passwords for all the different online accounts they managed. Instead, you would only need to know one password: The master password you used to unlock the password manager itself.
I need to be clear here. That is ridiculous.
In an age in which online accounts were literally just email addresses and passwords, it made some sense. But as we’ve transitioned into a more modern and secure era of 2FA and passkeys, using an old-school password to secure your entire life isn’t just old-fashioned and out of date, it’s insecure. It’s the opposite of what we’re trying to achieve with a password manager.
Password managers rise to this challenge in different ways. Platform-based password managers are locked behind online accounts that have long supported 2FA—and, more recently, passkeys—and they’re used on devices that have built-in biometric security that adds another layer of protection. You sign in to Windows securely with Windows Hello by proving that you’re you, and it unlocks your Microsoft account and the passwords stored within. Apple and Google use similar systems.
And that’s fine. But those accounts still have passwords. And when you use most third-party password managers, the first thing you do is create a master password. You can then protect that account with 2FA, perhaps using an authenticator app, perhaps using a passkey or even a physical security key. Maybe you configure multiple 2FA methods. But there’s still a password.
All the major password managers are right now racing to implement passwordless systems in which they do not require or even offer a password. The first to get there (in non-beta) was Dashlane, which is why I switched to this solution this past February. But that’s only part of the reason. In addition to this modern approach to securing itself, Dashlane also offers all the features I note above: It can store 2FA codes and passkeys. It offers dark web monitoring. It works everywhere, mobile and desktop. It tells me when an account it’s storing on my behalf can be better protected with 2FA and/or passkeys. It does it all.
That said, I’m aware that the most highly recommended password managers, 1Password and Bitwarden, do now or will soon offer passwordless accounts to customers. I’ve used both—I used Bitwarden for the better part of a year before moving to Dashlane—and they do both work quite well. I’ve also been testing Proton Pass for the past month or so, as I’m increasingly impressed by this security- and privacy-first company and its growing stable of products and services.
I like Proton Pass quite a bit. The Proton account it requires has a password, of course, but it’s protected with 2FA via an authenticator app. It’s a bit more seamless than Dashlane in use, which matters, as I don’t have to constantly reauthenticate with the password manager as I do with Dashlane. And it offers most of the other good and great additional features noted above: It monitors for accounts that could be configured for 2FA, but not for passkeys specifically. And it has some additional account protections that are interesting.
Any of these would be better than using a built-in password manager. But again, this isn’t just about switching, which is easy—all password managers support standard import/export capabilities—it’s also about not leaving your old password manager out there, hanging in the wind. That is, once you successfully switch, you need to delete all the passwords from your previous password manager. All your previous password managers. And it’s likely you won’t. Or that you’ll forget some.
Just deleting passwords can feel a bit dangerous in a what-if sense. There are various ways to securely back up private data like this, but one approach is to use the Private Vault feature in OneDrive. It’s accessible directly in Windows, and it provides another place you can copy that exported passwords file you made. That’s a better choice than leaving it in an old password manager: After all, you’ve properly secured your Microsoft account, right?
Right.
It’s important to look at this from a day-to-day perspective. You secure your online identities—your Microsoft account, Google account, Apple ID, whatever else—properly. You sign in to your PCs, Macs, iPhones, iPads, Android devices, and whatever else using those accounts, and you do so securely, using whatever hardware-backed biometric authentication methods each provides. (If you have to use a PIN, you use a different PIN on every device.) And then you use a third-party password manager everywhere, not just to manage your passwords, but to better secure all your online accounts by ensuring that each has a strong and unique password, 2FA and/or a passkey as available, and isn’t being spread around the Internet like an STD. And that password manager is likewise locked down, using whatever methods its makers provide. Circle of life, baby.
I’m looking into whether it makes sense to document this entire process from beginning to end. But if you’re reading this site, I feel like you got this. The biggest issue, I think, isn’t doing the right thing per se, it’s doing all the right things everywhere. The right password manager is what makes that possible in the first place.
And the right password manager, whatever that means to you, is not the one built into your web browser. It just isn’t.