Password managers — why you need one and how to pick one
Why reusing passwords puts you at risk, what password managers actually do, and an honest comparison of 1Password, Bitwarden and the built-in options.
Most people are using three or four passwords for everything. The email login, something slightly different for banking, a version of a child’s name for shopping sites, and an old favourite that has been doing the rounds since university. It feels manageable in your head, which is the problem. The moment any single site that stores your credentials gets breached, the attackers do not try that one password in one place. They try it everywhere, at speed, with software written specifically for the purpose. This is called credential stuffing, and it is how most ordinary people end up with compromised accounts. It has very little to do with being individually targeted. You are a statistic in a spreadsheet of millions.
A password manager is a simple answer to a tedious problem. It is a piece of software that generates a unique, long, random password for every single site you use, stores all of them in an encrypted vault, and types them in for you when you need them. You remember one strong master password, and that is the only thing standing between you and the vault. Everything else is taken care of. You do not need to think about passwords again, which frees up the bit of your brain that has been worrying about this for a decade.
The dangerous thing about password reuse is that you have no way of knowing when a site you signed up for years ago quietly gets breached. The Have I Been Pwned database, run by the Australian security researcher Troy Hunt, currently lists around fifteen billion compromised credentials. If your email address has ever been in a data breach, and statistically it almost certainly has, then a password you reuse is already being tested against every major service in the world. A password manager breaks that chain. The password you use for your bank has nothing in common with the password for the gardening forum you signed up to in 2016, so a breach of one does nothing for the attacker trying to access the other.
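To make the chain described above concrete, here is a small reuse audit, added as an illustration and not taken from any of the products discussed. The account list is constructed sample data, and the `stem` heuristic, which treats passwords differing only by letter case or trailing digits and symbols as one secret, is an assumption of this example.

```python
import re
from collections import defaultdict

# Constructed sample data: (site, password). Not real credentials.
ACCOUNTS = [
    ("email", "Rosie2014"),
    ("bank", "Rosie2014!"),
    ("shopping", "rosie2014"),
    ("gardening-forum", "Rosie2014"),
    ("streaming", "k7#Vq9pLx2@Tn4Wd"),  # stands in for a manager-generated password
]


def stem(password: str) -> str:
    """Heuristic (assumption of this example): ignore letter case and any
    trailing digits or punctuation, so near-identical passwords group together."""
    return re.sub(r"[\W\d_]+$", "", password.casefold()) or password


def blast_radius(accounts):
    """For each site, list the other sites exposed if that site's password leaks."""
    by_exact, by_stem = defaultdict(set), defaultdict(set)
    for site, pw in accounts:
        by_exact[pw].add(site)
        by_stem[stem(pw)].add(site)

    report = {}
    for site, pw in accounts:
        exact = by_exact[pw] - {site}                   # same password, other site
        variant = by_stem[stem(pw)] - {site} - exact    # "slightly different" version
        report[site] = {"exact": sorted(exact), "variant": sorted(variant)}
    return report


if __name__ == "__main__":
    for site, hit in blast_radius(ACCOUNTS).items():
        print(f"breach of {site}: exact reuse {hit['exact']}, variants {hit['variant']}")
```

The account holding a unique random password is the only one whose breach exposes nothing else in the list.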
The main consumer options worth looking at in 2026 are 1Password, Bitwarden, Dashlane, and the built-in managers from Apple and Google. LastPass used to be in this conversation but has had enough security incidents in the last few years that most independent reviewers now steer people elsewhere. If you are going to pay for a password manager, 1Password is the one that most security professionals recommend. It costs around thirty pounds a year for an individual plan or about fifty for a family plan covering five people, and the user experience is polished across every device. The family plan is often the right answer even for a couple, because it lets you share certain logins like the Netflix account or the energy supplier without having to text passwords to each other.
Bitwarden is the one to look at if you want something serious but do not want to pay. The free tier is genuinely usable rather than a crippled trial. You get unlimited passwords, syncing across all your devices, and the full core feature set. The paid tier is only ten pounds a year and adds extras like file attachments and emergency access. Bitwarden is open source, which matters because independent researchers can and do audit the code, and the company has been transparent about its security practices in a way some competitors have not. For most people who just want the basic job done well without ongoing cost, this is the most sensible choice.
Apple and Google both include password managers in their operating systems, and these have improved significantly over the past few years. iCloud Keychain and Google Password Manager will both generate strong passwords, store them, and fill them in for you across their respective ecosystems. If you live entirely inside one of those worlds, meaning you only use iPhones and Macs, or only use Android phones and Chrome, then the built-in option is better than nothing and in some respects is actually very good. The limitation is obvious the moment you try to log into a site on a device outside that ecosystem, or share a password with a partner who uses a different platform, or switch phones between brands. A dedicated password manager sits above all of that and works the same everywhere.
The question of which to pick really comes down to how much you care about cross-platform flexibility and whether you want to pay for polish. If you are happy to spend an hour setting things up properly and do not mind a slightly less pretty interface, Bitwarden free does the job for the rest of your life. If you want the experience to be as seamless as possible and you use several different devices, 1Password earns its fee. If you are deeply inside the Apple or Google ecosystem and only use those devices, the built-in option is a reasonable starting point, though you will probably want a dedicated manager later for anything sensitive.
The one thing that matters more than which product you pick is actually setting it up and migrating your real passwords into it. Most people who fail at this fail at the same step, which is the tedious initial import. The honest approach is to set aside an evening, install the manager of your choice, and then work through your most important accounts one at a time, changing each password to something generated by the manager. Start with email, banking, anything with a saved payment method, and any account linked to your identity like government services. The rest can be dealt with as you come across them in daily use. Within a few weeks you will have migrated everything without really noticing.
The master password itself deserves a moment of serious thought. It should be long, unique, and something you will never forget, because there is no recovery if you lose it. The current recommendation from security researchers is a passphrase of four or five random words rather than a short string of symbols and numbers. Something like correcthorsebatterystaple, to borrow the famous example, is far stronger and more memorable than a short cryptic password you will write on a sticky note because you cannot remember it. Once that master password is set and you have turned on two-factor authentication on the password manager itself, you have quietly fixed the single biggest hole in most people’s digital security. It is about half an hour of slightly tedious work for a lifetime of no longer having to worry about it.
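The sketch below, added here as an example and not code from any password manager, generates both kinds of secret this article describes (a random per-site password and a random-word passphrase) and computes how many bits of entropy each carries. The 32-word list is constructed for the demo and far too small for real use; the 7776 figure is the size of the EFF long wordlist, used for comparison.

```python
import math
import secrets
import string

# Constructed 32-word demo list, for illustration only.
DEMO_WORDS = (
    "anchor basil candle dragon ember falcon garnet harbor "
    "island jigsaw kettle lantern meadow nectar orchid pepper "
    "quartz ribbon saddle timber umbrella velvet walnut xenon "
    "yonder zipper acorn bramble cobalt dahlia elbow fennel"
).split()
EFF_LONG_LIST_SIZE = 7776  # words in the EFF long wordlist (6**5)
SITE_ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def entropy_bits(pool_size: int, picks: int) -> float:
    """Entropy of `picks` independent, uniform choices from `pool_size` options."""
    return picks * math.log2(pool_size)


def passphrase(words=DEMO_WORDS, count=5, sep="-") -> str:
    """Random-word passphrase drawn with the OS CSPRNG, not by a human."""
    return sep.join(secrets.choice(words) for _ in range(count))


def site_password(length=20) -> str:
    """Random per-site password of the kind a manager generates."""
    return "".join(secrets.choice(SITE_ALPHABET) for _ in range(length))


def comparison() -> dict:
    """Entropy in bits for each scheme, rounded to one decimal place."""
    return {
        "5 words, 32-word demo list": round(entropy_bits(len(DEMO_WORDS), 5), 1),
        "4 words, 7776-word list": round(entropy_bits(EFF_LONG_LIST_SIZE, 4), 1),
        "5 words, 7776-word list": round(entropy_bits(EFF_LONG_LIST_SIZE, 5), 1),
        "20 random characters": round(entropy_bits(len(SITE_ALPHABET), 20), 1),
    }


if __name__ == "__main__":
    print("passphrase   :", passphrase())
    print("site password:", site_password())
    for scheme, bits in comparison().items():
        print(f"{bits:6.1f} bits  {scheme}")
```

These figures hold only when software or dice pick the words; a phrase a person chose, or one that has been published, carries far less.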