The Password Manager Argument Is Over. Here's the One to Use.

I've been recommending password managers to people since 2014 and the conversation has barely changed. People still say "I have a system" (they don't have a system, they have a handful of variations on the same password) or "I don't trust storing passwords in an app" (they trust the same passwords across 40 different services, which is objectively more dangerous).

The security argument for password managers is settled. Using unique, long, random passwords for every service — which is only practical with a password manager — is one of the highest-impact security improvements any individual can make. The question isn't "should I use one?" The question is "which one?"

The One I Actually Recommend: Bitwarden

I've used 1Password, LastPass, Dashlane, and Bitwarden over the years. My current recommendation without qualification is Bitwarden, for three reasons:

It's open source. The code is publicly auditable and has been independently audited by security firms. You don't have to trust Bitwarden's claims about their security — you can read the implementation.

It's free for personal use. The free tier covers everything you actually need. I pay for the $10/year premium tier for the advanced 2FA features and vault health reports, but you can use Bitwarden effectively for nothing.

It works everywhere. Browser extensions for all major browsers, apps for iOS and Android, a desktop app, and a command-line tool. Whatever your workflow, it fits.

For Teams and Businesses: 1Password

1Password's team and business features are genuinely better than Bitwarden's for organizational use. The sharing controls, the vault management, the business admin tools — they've put more thought into the team workflow. It costs more but the team features justify it at organizational scale.

The Thing Most People Get Wrong When Setting Up a Password Manager

They migrate their existing weak passwords and call it done. This is a mistake. The point isn't just to store your existing passwords — it's to replace every reused and weak password with a unique randomly-generated one.

The process: after setting up the manager, go through your saved logins in order of importance (email first, then banking, then social accounts, then everything else). For each one, use the password manager's generator to create a new 20+ character random password and save it. This takes a few hours to do thoroughly and makes a massive difference.

The Master Password Question

Your password manager master password is the one password you need to genuinely memorise. Make it a passphrase — four to six random words strung together, like "correct-horse-battery-staple" but with your own words. It's longer than a typical password (more secure) but far easier to remember. Don't make it a sentence that makes grammatical sense or references anything personal. Random is better.