PasswordCrunch.com
Tools & Setup · 7 min read

How to Choose a Password Manager: What Actually Matters

There are dozens of password managers and the marketing around them can make them all sound identical. This guide cuts to what actually matters from a security and practical standpoint — so you can pick one and get on with using it, rather than spending weeks comparing features.

Why any password manager beats none

Before getting into which one to choose: using any reputable password manager is dramatically better than not using one. The alternative — memorising passwords, writing them down or reusing them — exposes you to predictable, well-understood attacks. Password managers exist specifically to make good security behaviour easy rather than effortful.

If you are currently using no manager at all, the right answer is to pick one of the established options today and set it up. Spending weeks comparing every feature is a form of procrastination that leaves you exposed in the meantime. Get started; you can always switch later.

What actually matters when choosing

Zero-knowledge architecture

The provider should never be able to read your passwords. Your vault should be encrypted locally using your master password before it ever touches their servers. This means even if the company is breached, your passwords are safe. Look for this as an explicit claim in their security documentation.

Strong, audited encryption

AES-256 is the standard encryption algorithm used by reputable managers. More important than the algorithm is whether the implementation has been independently audited by security researchers and whether those audit reports are published. A manager that accepts external audits and publishes results is more trustworthy than one that only claims to be secure.

Open source code (preferred)

Open source managers allow anyone to audit the code, not just the company's chosen auditors. Security claims made about closed-source software cannot be independently verified. This is not an absolute requirement — several well-regarded managers are closed source — but open source is a meaningful trust advantage.

Cross-device sync and browser extension

If the manager does not work well on every device and browser you use, you will stop using it. Check that it supports your operating systems and browsers before committing, especially if you use a mix of Apple and non-Apple devices.

Transparency about past incidents

Several major password managers have experienced security incidents. What matters is how they handled them: did they disclose promptly, communicate clearly and take appropriate remediation steps? A company's response to an incident tells you more about their security culture than the incident itself.

The main options compared

Bitwarden

Free · Open source

The strongest case for most users. Fully open source (code is on GitHub and audited), zero-knowledge encryption, free tier covers unlimited passwords across unlimited devices. Premium plan (around NZD $15/year) adds advanced 2FA options and emergency access. Self-hosting available for those who want full data control. The combination of transparency, price and features is hard to beat.

1Password

Paid · Closed source

Consistently rated highly for user experience across every platform. Unique "Secret Key" system adds an additional layer of protection. Includes Travel Mode (hide sensitive vaults when crossing borders), strong family plans and excellent business features. Around NZD $5–6/month for personal. Closed source but has published independent security audits. Recommended if you prioritise polish and are happy to pay.

Dashlane

Paid · Closed source

Includes a built-in VPN and live dark web monitoring as part of the subscription. Good autofill and browser integration. Higher price point than alternatives (around NZD $8–10/month) but bundles more features. The VPN alone may be worth the price to some users. Has had a positive security track record.

Browser built-in (Chrome, Safari, Firefox)

Free · Limited

Better than nothing, and fine for users who only use one browser and one device. Weaknesses include limited cross-platform portability (Chrome passwords do not always sync well to non-Google apps), weaker password generation than dedicated managers and less control over security settings. Worth using as a starting point, but migrating to a dedicated manager is worthwhile once you see the benefits.

What to avoid

Be cautious of newer, less established managers without a clear security track record or published audits. The promise of extra features can be attractive, but your password vault is not the place to try untested software. Stick with managers that have been around for several years, have been externally audited and have a community of users who can corroborate their claims.

Also avoid any manager that cannot clearly explain their encryption model or who stores your master password on their servers. If the service can reset your master password without you proving you know the old one, your vault is not truly zero-knowledge.

Getting the most out of whichever you choose

The manager is only as useful as the habits you pair with it. Generate a unique random password for every account — do not let the manager autofill a password you invented years ago. Audit the weak passwords report regularly (most managers flag reused or short passwords). And enable 2FA on the manager itself; it is the single most valuable account to protect with a second factor.

Ready to start

Generate a strong master password passphrase

Your password manager master credential needs to be both secure and memorable. A 5-word passphrase is the right choice — strong enough to protect your entire vault and something you can actually recall.

Passphrase Generator Bulk Password Generator

Product details and pricing are accurate at time of writing and subject to change. This article does not constitute a paid endorsement of any product. Verify current features and pricing directly with each provider.