Plain-English money news for everyday Americans

,

Password Managers: The Basics of Safer Logins

Close-up of a computer keyboard
Reused passwords are the weak link in most people’s financial security. A password manager removes the need to remember them at all. Photo: Chief Photographer / Wikimedia Commons (OGL v1.0).

Be honest: how many of your online accounts share a password, or share one with a slight variation, the old favorite with a different number or punctuation mark at the end? For most people the answer is “a lot,” and it is nothing to be ashamed of, because no human being can memorize dozens of long random strings. The problem is that criminals know this too, and reused passwords are how a breach at some forgettable shopping site becomes a raid on your email, and from there your bank.

The federal government’s cybersecurity agency has distilled password advice down to three words. According to the Cybersecurity and Infrastructure Security Agency’s guidance on strong passwords, every password should be long (CISA recommends at least 16 characters), random, and unique to that one account. Read that standard again and the conclusion writes itself: nobody can do this from memory. That is why the same guidance’s core recommendation is to let a password manager do it for you.

What a password manager actually does

A password manager is a program that generates, stores, and fills your passwords. You remember exactly one credential, the master password that unlocks your encrypted vault, and the manager handles the rest: it invents a long random password for each site, saves it, and types it for you when you return. Managers sync across your phone, tablet, and computer, so the vault is wherever you are.

The tools come in a few flavors. Dedicated password manager services offer the fullest feature sets, with free tiers and paid plans running a few dollars a month. The managers built into browsers and phone ecosystems have grown genuinely capable and cost nothing. For the basics (generate, store, fill, sync), any of the reputable options beats the notebook, the spreadsheet, and above all the recycled password. CISA’s advice is not brand-specific: use one.

The objection everyone raises

“Isn’t putting every password in one place exactly one basket for all my eggs?” It is a fair question with a solid answer. The vault is encrypted with your master password, and in a well-designed manager, the vendor itself cannot read your vault; only your master password unlocks it, on your device. Security researchers probe these products constantly, precisely because they are high-value targets.

Meanwhile, the realistic alternative is not a locked mental vault. It is reused and predictable passwords exposed in breach after breach, then tried automatically against banks, email providers, and retailers in what the industry calls credential stuffing. The comparison that matters is not “password manager versus perfection.” It is “one strong basket with a guard versus eggs scattered across every parking lot in town.” Choose a long, memorable master passphrase (a string of several unrelated words does nicely), never reuse it anywhere else, and the basket holds.

Add the second lock: multifactor authentication

Passwords alone, even great ones, should not carry your financial accounts by themselves. CISA’s companion advice is to turn on multifactor authentication everywhere it is offered, starting with email, banking, and anything storing payment details. MFA means a second proof beyond the password: a code from an authenticator app, a prompt on your phone, or a physical security key. An authenticator app or key is stronger than codes sent by text message, but any MFA is a large upgrade over none. Turn it on for the password manager itself too, and for the email account that can reset all your other passwords.

How to switch without losing a weekend

Do not try to migrate your whole digital life in one sitting; that is how the project dies. Instead, install a manager and let it capture logins as you use them, upgrading passwords as you go. Prioritize the accounts where a break-in costs real money or unlocks everything else: primary email first, then banks, brokerages, and retirement accounts, then payment apps and shopping sites with stored cards. Each time you touch one, let the manager generate a fresh 16-plus-character random password and save it.

While you are in each account’s security settings, do two more things: enable MFA, and check the recovery options (backup email addresses and phone numbers) to make sure they are current and actually yours. Most managers will also flag passwords in your vault that are weak or reused, which turns the cleanup into a checklist you can whittle down over a few evenings.

Guard the front door against the oldest trick

One caution keeps the whole system honest: no tool prevents you from being talked out of your credentials. Phishing sites imitate your bank’s login page and harvest whatever you type (the Federal Trade Commission’s phishing guidance shows the common lures), and scam callers posing as fraud departments ask you to read them the MFA code that just arrived, which is a request no legitimate company makes. A password manager quietly helps here in an underappreciated way: it fills passwords only on the exact website where it saved them, so when the manager refuses to autofill on a lookalike page, treat that hesitation as an alarm, not an inconvenience.

Long, random, unique, stored in a manager, backed by MFA, and never read aloud to anyone who calls you. That is the whole recipe, straight from the government’s cyber-defense agency, and it costs somewhere between nothing and a few dollars a month. Compared with the hours and money that follow a drained account, it is the cheapest insurance in your financial life.