The objection arrives before the explanation is even finished: you want me to put every password I own in one place? Is that not exactly the thing you people keep telling me not to do?

It is a good objection. It deserves a straight answer instead of a brochure, so here is one, including the worst thing that has actually happened to a password manager and what it proved.

What a password manager actually stores

The mental image behind the objection is a filing cabinet: your passwords, sitting in a company's building, readable by anyone who breaks in. That is not how the serious products work.

Reputable password managers use what is called zero-knowledge encryption. Your vault is encrypted on your own device, using a key derived from your master password, before anything is sent anywhere. The company stores an encrypted blob it cannot open. It does not have your master password, cannot reset it, and cannot read your vault even under subpoena. The filing cabinet is welded shut, and the company never had the key.

The entire system therefore rests on one thing: the strength of your master password. That is not a footnote. It is the design.

The worst case already happened

This is not theoretical. In 2022, LastPass, one of the largest password managers, suffered a breach in which attackers stole customers' encrypted vault backups. The worst-case scenario for the entire product category, realized.

What happened next is the honest lesson. The stolen vaults were encrypted, so attackers could not open them directly. They could only run cracking attempts against each vault's master password, offline, at their leisure. Users with long, unique master passwords had time to change their important credentials calmly. Users with short or reused master passwords were in genuine danger, and some were harmed.

Read that as the design working and failing in the same event. The architecture held: the company's breach did not directly expose a single readable password. The human layer decided everything: your master password was either a wall or a curtain. The breach also punished the company's slow, unclear disclosure, which is a fair thing to weigh when choosing a provider.

The comparison people actually face

The realistic choice is not "password manager" versus "some perfect memorized system." Nobody runs the perfect system. The realistic choice is:

Option A: a handful of passwords, reused with small variations across fifty accounts, every one of them exposed by whichever site gets breached next.

Option B: one strong passphrase you actually memorize, protecting sixty unique passwords you never need to know.

Option B concentrates your risk deliberately, into a single point you can actually defend, instead of scattering it across every website's security team, including the bad ones. That is not building a bigger target. It is trading fifty doors you cannot guard for one door you can.

If you adopt one, do these three things
  • Make the master password a long passphrase, four or five random words, used nowhere else on earth.
  • Turn on two-factor authentication for the manager itself.
  • Write the master passphrase on paper and store it somewhere genuinely safe at home. The realistic failure mode is forgetting it, not burglary.

What about the one built into my browser?

Honest answer: the password managers built into Chrome, Safari, and Edge are far better than reuse, and if a dedicated app is the obstacle that stops you, use the browser one without guilt. Dedicated managers earn their place with cross-platform coverage, secure sharing, breach alerts, and better protection if someone gets access to your unlocked computer. That is a meaningful difference for some people and an irrelevant one for others.

The line that matters is not browser versus app. It is unique versus reused. Cross that line with whichever tool you will actually use.

Keep reading

A manager fixes the password layer. The second lock on the door is two-factor authentication, and the kind you choose matters more than most people realize:

Not All Two-Factor Authentication Is Equal

Text-message codes, authenticator apps, and passkeys protect against very different attacks. Here is the ladder, and which accounts deserve the top rung.

← Back to all guides