Password Managers: The Case for a Different Password on Every Account

Most people know they’re not supposed to reuse passwords. Most people do it anyway, because remembering dozens of distinct passwords is genuinely difficult. A password manager solves that problem — but only if you actually use one.

Why reusing passwords is dangerous

When a site gets breached, the stolen credentials don’t stay in a drawer. Attackers run automated software that tests those email-and-password combinations against hundreds of other services — banks, email providers, payroll platforms, shopping accounts — within hours. This is called credential stuffing, and it works because the majority of people use the same password in multiple places.

You don’t have to be the target of a direct attack. You just have to be in a database that gets sold. And those databases are large. Breaches regularly expose tens of millions of credentials at a time.

If your password at a breached site matches your password anywhere else, the attacker gets both accounts. If that second account happens to be your email, they can reset their way into everything else — your bank, your work systems, your cloud storage — using the “forgot my password” link you’ve probably clicked yourself.

We covered the mechanics of this in detail in Unique Emails, Unique Passwords: Your Best Defense Against Data Breaches. The short version: credential stuffing is automated, it’s fast, and the only thing that stops it is making sure none of your passwords appear in more than one place.

What a password manager does

A password manager stores your credentials in an encrypted vault. The only password you need to memorize is the master password that unlocks the vault. The manager generates strong passwords, saves them, and fills them in automatically when you visit a site.

A password generated by a manager looks something like kR8mP2wLnqX5v#@j. You’ll never type it. You don’t need to remember it. The manager fills it in for you.

This is the core trade-off: instead of remembering a different password for every account, you remember one.

Choosing a password manager

Several good options exist. The best one depends on what devices you use and whether you want to pay for software.

Apple Passwords is built into iOS, iPadOS, and macOS. If you use Apple devices, you already have a capable password manager installed — no additional software required. It syncs across your devices through iCloud, generates strong passwords, stores passkeys, and handles one-time verification codes. Most Apple users don’t know it’s there.

1Password is a cross-platform option used by many security professionals. It runs on Apple, Windows, Android, and Linux, and has polished browser extensions. It’s a paid subscription.

Bitwarden is open-source, cross-platform, and free for personal use. Because the source code is public, independent security researchers can — and do — audit it. If you prefer not to pay for software, Bitwarden is the strongest free option.

ProtonPass comes from the team behind ProtonMail. It integrates with Proton’s privacy-focused ecosystem and is a solid choice if you’re already using Proton services.

Avoid using your browser’s built-in password saving as your primary system. Browser password storage is better than nothing, but it lacks the security controls of a dedicated manager, doesn’t travel across browsers, and offers no way to audit weak or reused passwords across your accounts.

The master password

The master password is the one credential you cannot afford to lose — and cannot afford to have compromised.

Make it long. A passphrase of four or five random words is far stronger than a shorter string with symbols. Something like marble-frozen-doorstep-umbrella-cloud is both memorable and extremely difficult to brute-force. Length matters more than complexity.
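To put numbers on "length matters more than complexity", here is an added worked comparison (not from the original post) of the five-word passphrase above against an eight-character symbol password. It assumes a 7776-word list, the size of the EFF long wordlist, the 94 printable ASCII characters, and an illustrative guess rate of ten billion per second; the figures only hold when the words are drawn at random rather than picked by hand.

```python
import math

# Constructed assumptions for the comparison, not values from the post:
# a 7776-word list (EFF long wordlist size), 94 printable ASCII characters,
# and an assumed offline cracking rate used purely for illustration.
WORDLIST_SIZE = 7776
PRINTABLE_ALPHABET = 94
GUESSES_PER_SECOND = 1e10
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def passphrase_bits(n_words: int, wordlist_size: int = WORDLIST_SIZE) -> float:
    """Entropy of n words chosen uniformly at random from the list.
    Hand-picked words are not uniform and get far fewer bits than this."""
    return n_words * math.log2(wordlist_size)


def random_string_bits(length: int, alphabet: int = PRINTABLE_ALPHABET) -> float:
    """Entropy of `length` characters drawn uniformly from the alphabet."""
    return length * math.log2(alphabet)


def years_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Years needed to try every candidate at the given guess rate."""
    return 2 ** bits / rate / SECONDS_PER_YEAR


def compare(n_words: int, string_len: int) -> dict:
    """Place an n-word passphrase beside a string_len-character symbol string."""
    words = passphrase_bits(n_words)
    chars = random_string_bits(string_len)
    return {
        "passphrase_bits": round(words, 1),
        "string_bits": round(chars, 1),
        "passphrase_years": years_to_exhaust(words),
        "string_years": years_to_exhaust(chars),
        "passphrase_is_stronger": words > chars,
    }


if __name__ == "__main__":
    # The post's five-word passphrase versus an eight-character symbol password.
    for key, value in compare(5, 8).items():
        shown = f"{value:,.1f}" if isinstance(value, float) else value
        print(f"{key}: {shown}")
```

Five random words come out near 65 bits (decades of exhaustive guessing at the assumed rate), while eight random printable characters give about 52 bits, which the same rate exhausts in days.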

Keep it unique. Your master password should not appear anywhere else. Ever.

Don’t store it carelessly. If you write it down as a backup — which is reasonable — store that paper somewhere physically secure. A safe or lockbox, not your desk drawer.

Set up account recovery before you need it. Most password managers offer a recovery key or trusted contact option. Configure this when you first create the account. Losing access to a vault that holds all your credentials is a serious problem, and recovery options exist to prevent that scenario.

Also enable two-factor authentication on the password manager account itself. If someone guesses or steals your master password, 2FA is the thing that stops them from opening the vault.

Starting without starting over

The most common objection to adopting a password manager is that migrating existing accounts feels overwhelming. It doesn’t have to be.

You don’t have to change everything at once. Install the manager and its browser extension. When you log into a site, if the manager doesn’t already have the credentials saved, let it save them. When you encounter an account using a weak or reused password, take that moment to change it to something the manager generates. You’re migrating by habit rather than by audit.

Prioritize your most important accounts first. Your email account is the most critical. Whoever controls your email controls your ability to reset every other password. Then your financial accounts, your work systems, and anything that holds sensitive personal information. Get those secured before the rest.

Expect a few weeks, not an afternoon. If you sign into a handful of sites per day, you’ll have most things migrated within a couple of weeks without any dedicated effort. That’s fine. Each account you secure reduces your exposure even while the migration is still in progress.

Using it day to day

Once a password manager is in place, the experience is close to what you’re used to. You visit a site, authenticate with the manager — typically through Face ID, Touch ID, or your device PIN — and the credentials fill in automatically. You don’t type the password. Most of the time you don’t even see it.

When you create a new account anywhere, have the manager generate the password immediately. Don’t invent one yourself. Accept whatever string it produces, let it save, and move on. The manager will fill it in every time.

Is it safe to store all your passwords in one place?

This is the question most people ask first, and it’s worth answering directly.

Reputable password managers don’t store your passwords in a form that can be read. They store encrypted data that can only be decrypted with your master password. The master password is never sent to or stored by the service — only you have it. If an attacker stole the company’s database, they’d have ciphertext they can’t open without your key.
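The claim that the master password is never sent to the service can be shown with a small added example (illustrative code, not any vendor's actual scheme): the client stretches the master password into a key, derives the vault encryption key from it locally, and sends the server only a further one-way hash to log in. Assumptions: PBKDF2-HMAC-SHA256 salted with the account email, a constructed email address, and a second PBKDF2 round on the server side.

```python
import hashlib
import hmac
import secrets

# Constructed parameters for this illustration; real products pick their own
# KDF, iteration counts and salts.
ITERATIONS = 600_000


def master_key(master_password: str, email: str) -> bytes:
    """Client side only: stretch the master password into a 32-byte master key."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), ITERATIONS)


def vault_key(mk: bytes) -> bytes:
    """Key that encrypts the vault. Derived on the device and never uploaded."""
    return hmac.new(mk, b"vault-encryption", hashlib.sha256).digest()


def login_verifier(mk: bytes, master_password: str) -> bytes:
    """The only secret-derived value sent to the server. One more one-way step,
    so the server can check it without learning mk or the vault key."""
    return hashlib.pbkdf2_hmac("sha256", mk, master_password.encode(), 1)


def enroll(master_password: str, email: str) -> dict:
    """What the service stores: a salted hash of the verifier, nothing else."""
    mk = master_key(master_password, email)
    server_salt = secrets.token_bytes(16)
    stored = hashlib.pbkdf2_hmac("sha256", login_verifier(mk, master_password),
                                 server_salt, ITERATIONS)
    return {"email": email, "salt": server_salt, "verifier_hash": stored}


def login(record: dict, master_password: str) -> bool:
    """Server-side check. A stolen record yields only the salt and verifier
    hash; the vault ciphertext still needs vault_key, which never left the device."""
    mk = master_key(master_password, record["email"])
    candidate = hashlib.pbkdf2_hmac("sha256", login_verifier(mk, master_password),
                                    record["salt"], ITERATIONS)
    return hmac.compare_digest(candidate, record["verifier_hash"])


if __name__ == "__main__":
    record = enroll("marble-frozen-doorstep-umbrella-cloud", "user@example.com")
    print("correct master password accepted:", login(record, "marble-frozen-doorstep-umbrella-cloud"))
    print("wrong master password rejected:", not login(record, "marble-frozen-doorstep-umbrella-clouds"))
```

Note that the server record contains neither the master key nor the vault key, which is why a breach of the service's database yields ciphertext without the means to open it.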

This is categorically different from a company storing your plain-text password, or a weakly hashed version. When password manager companies have had security incidents, the actual exposure was limited because of this architecture. That said, transparency matters — stick with companies that have a public security track record and disclose incidents promptly.

No system is perfectly secure. But a password manager with a strong master password and two-factor authentication enabled is significantly more secure than the alternative: reusing a handful of passwords you can actually remember.

The bottom line

Reusing passwords is the single most common reason one breach turns into many. The fix is using a different password on every account — which is impractical without a password manager, and straightforward with one.

Pick a manager, install it today, and start with your most critical accounts. You don’t need to change everything at once. Every account you secure with a unique password is one an attacker can’t reach through credential stuffing, regardless of what else gets breached.