PasswordCrunch.com
Password Security · 7 min read

How Password Managers Work (And Which One Should You Use?)

A password manager solves the fundamental problem with good password hygiene: you cannot memorise 100 unique, strong passwords. Here is how they actually protect your credentials, what happens if the service gets hacked and how to choose the right one for your situation.

The core problem they solve

Proper password security requires a different, strong, randomly generated password for every account you have. For the average person managing 80 to 100 online accounts, that is simply not possible to do from memory. The result is that most people either reuse passwords across sites, use weak but memorable variations or do both. Either choice leaves them vulnerable.

A password manager breaks this trade-off. You only need to remember one thing — the master password — and the manager handles everything else: storing credentials, filling them in automatically and generating new random passwords when you create an account.

How they encrypt your credentials

When you save a password to a manager, it is encrypted before it leaves your device (or before it is stored locally). The encryption key is derived from your master password using a key derivation function — an algorithm designed to be computationally expensive to reverse. The most common standard used today is PBKDF2 or Argon2.

This means that even if a password manager's servers were breached — which has happened — attackers would get an encrypted blob, not your actual credentials. To decrypt it, they would need your master password. If your master password is strong, the encrypted data is effectively useless to them.

This architecture is often called "zero-knowledge" — the service provider cannot read your passwords because they never have the key to decrypt them. Your master password stays on your device; only the encrypted vault is synced to the cloud.

What to look for in a password manager

The most important factors when choosing one are the encryption standard used, whether the code is open source (allowing independent security audits), cross-device sync support and whether there is a credible security track record. Here are three well-regarded options:

Free / Open source

Bitwarden

Open source code that anyone can audit. Free tier covers all core features across unlimited devices. Strong security track record. Self-hosting option available for those who want full control. A solid first choice for most people.

Paid

1Password

Polished apps across every platform. Includes a travel mode to hide sensitive vaults at border crossings. Family and business plans available. Consistently top-rated for usability. Around NZD $5–6 per month for a personal subscription.

Paid

Dashlane

Includes a built-in VPN and dark web monitoring to alert you if your credentials appear in known breaches. Good browser integration. Slightly higher price point but includes more bundled features.

Your browser's built-in manager (Chrome, Safari, Firefox) is better than nothing but generally offers fewer security controls, weaker password generation and limited cross-platform portability. If you are already using one, it is worth migrating to a dedicated app.

Choosing your master password

The master password is the one credential you cannot store anywhere — you have to actually remember it. This makes it the perfect candidate for a passphrase rather than a random character string.

A passphrase of four or five randomly chosen words — something like marble.thunder.falcon.kettle.27 — has roughly 64 bits of entropy, which is strong enough to protect a password vault. More importantly, it is something a human brain can actually retain through repetition. You type it several times a day, and within a week or two it becomes muscle memory.

What you should not use for a master password: a variation of a password you already use elsewhere, your name or any personal information, a single word (even obscure ones), or anything short. If your master password is compromised, everything in the vault is at risk.

Getting started in under 15 minutes

  1. Download Bitwarden (free) or sign up for your preferred manager
  2. Generate a strong passphrase to use as your master password
  3. Install the browser extension — this is what enables autofill
  4. Log into your most important accounts and save the credentials when prompted
  5. For each saved account, generate a new random password and update it
  6. Enable two-factor authentication on the manager itself

You do not need to migrate every account at once. Start with the high-value ones — email, banking, social media — and add others over time as you log in to them.

Try it now

Generate a memorable master password passphrase

Four or five random words, separated by a symbol, is strong enough for a password vault and easy enough to actually remember. Generate one here.

Open Passphrase Generator

This article reflects the state of password manager technology at time of writing. Always check current security advisories for any service you use. This is not financial or professional security advice.