What Is a Password Manager and Do You Actually Need One?
What a password manager does in plain English
A password manager is an encrypted vault that stores all your passwords. Instead of remembering 200 different passwords — or reusing the same 3 passwords everywhere, which is what most people actually do — you remember one master password that unlocks the vault, and the manager generates and stores unique passwords for every account you have.
When you visit a login page, the browser extension fills in your username and password automatically. When you create a new account, the manager generates a random 20-character password (something like xR#7mK!pQz$vNj2wL9@d) and saves it without you ever having to see or remember it.
The vault is encrypted with AES-256 — the same cipher used by the US government for classified communications. The encryption key is derived from your master password on your device; the company running the service never has access to your plaintext passwords or the key.
The honest case for needing one
Most people have 80-200 online accounts. The research on password behaviour is consistent: when people are responsible for more than about 7 passwords, they start reusing them across accounts.
Password reuse is the mechanism behind most account takeovers. Here’s how it works:
- A company you have an account with (it could be anything — a gaming forum, a shopping site, an old newsletter subscription) gets breached
- Your email address and password are included in the breached data
- Attackers run those credentials against every major service: Gmail, banking portals, Amazon, PayPal
- If you used the same password elsewhere, those accounts are now compromised — automatically, in seconds, at scale
This is called credential stuffing and it’s responsible for the majority of personal account compromises that are not direct phishing attacks. The Have I Been Pwned database has recorded over 14 billion breached credentials as of 2026.
A password manager makes credential stuffing impossible by ensuring you never reuse a password. Each account gets a unique, random credential. If one site is breached, the leaked password is useless everywhere else.
Who specifically needs one
You need a password manager if:
- You use the same password (or close variations) for more than one account
- You have ever used a common word, phrase, or pattern as a password (your pet’s name, your birthday + a number, “Password1!”)
- You have accounts you haven’t thought about in years — old shopping sites, forums, services you no longer use — that might have been breached without your knowledge
- You regularly access accounts from multiple devices (laptop + phone + tablet)
- You share account credentials with a partner, family member, or colleague by sending them in a text or email
You might not need a paid password manager if:
- You’re 100% within the Apple ecosystem (Mac, iPhone, iPad — no Windows), have fewer than 50 accounts, and don’t need family sharing. Apple Passwords (iOS 18+) does 90% of what a paid manager does for free.
- You’re a technical user comfortable maintaining a local encrypted database. KeePassXC + Syncthing is a defensible zero-cost option.
The Apple Passwords question
Apple shipped a standalone Passwords app in iOS 18 (September 2024), finally making the built-in option into a first-class password manager rather than a settings-buried convenience feature. For all-Apple households, this changes the calculus significantly.
Apple Passwords does well:
- Unlimited entries, unlimited Apple devices, free forever
- iCloud sync, Touch ID / Face ID unlock
- Passkey support
- Browser extension for Safari
Apple Passwords does not do well:
- Cross-platform to Windows: Apple provides a Chrome extension that works inconsistently and breaks occasionally after Windows updates
- TOTP seed storage: basic 2FA support, no dedicated authenticator with seed storage
- Sharing: limited — no per-entry permission control, no family vault with emergency access
- Migration out: if you ever need to leave Apple, the export is CSV-only with no TOTP, no folder structure, no attachments
The honest recommendation for all-Apple households: Use Apple Passwords. If you hit a limitation (you need Windows, your partner uses Android, you want TOTP storage), switch to 1Password. The migration from Apple Passwords to 1Password is manageable — credentials transfer cleanly even though folder structure and TOTP won’t.
What the LastPass breach means for “just use the browser’s built-in manager”
Chrome’s built-in password manager, Firefox’s saved passwords, Edge’s passwords — these are not password managers in the security sense. They store passwords with Google/Microsoft’s standard account encryption, not zero-knowledge encryption. Google and Microsoft can read your passwords if compelled to produce them.
This isn’t hypothetical. Government requests for Google and Microsoft account data are in the thousands per year in major jurisdictions. If your threat model includes government access to your passwords, browser-built-ins are not appropriate.
For most people, a compelled disclosure of browser-stored passwords is not a realistic threat. But browser built-ins also lack:
- Phishing-resistant autofill (domain-bound filling)
- Cross-browser access (Chrome passwords don’t sync to Firefox)
- Secure note storage
- Family sharing
- Emergency access
- Password health reporting
If you’re using a browser’s built-in manager, you’re getting partial protection at best. A dedicated manager — even a free one like Bitwarden — is meaningfully better on every dimension.
How password managers actually protect you (the technical bit, kept short)
Your vault is encrypted before it ever leaves your device. The encryption key is derived from your master password using a Key Derivation Function (KDF) — typically Argon2id (Bitwarden) or PBKDF2 at very high iteration counts (1Password). This derivation is designed to be computationally expensive, making brute-force attacks on the master password impractical.
The encrypted vault is sent to the provider’s servers as ciphertext. The provider cannot decrypt it — they store only the encrypted blob. When you unlock your vault, the ciphertext is fetched and decrypted locally on your device.
This is called zero-knowledge architecture: the provider has zero knowledge of your vault contents. It’s the core security guarantee, and every credible password manager in 2026 implements it. The failure mode (as demonstrated by the LastPass breach) is not the architecture itself but the KDF: LastPass’s pre-2018 accounts used PBKDF2 with 5,000 iterations, which is tractable for GPU-based brute force against stolen ciphertext. Bitwarden’s Argon2id and 1Password’s PBKDF2 at 650K+ iterations are not.
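A minimal model of that flow, added here as an illustration (not Bitwarden's or 1Password's code): the key is derived on the client with PBKDF2, the provider receives only salt, nonce, work factor, ciphertext and tag, and the per-guess cost at 5,000 versus 650,000 iterations shows why the KDF setting decides how tractable a stolen vault is. AES-256 is not in Python's standard library, so an HMAC-SHA256 keystream stands in for the vault cipher; the sample vault entry and salt are constructed.

```python
import hashlib
import hmac
import os
import time

def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256; the master password is the only secret input."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, 32)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Stand-in for AES-256 (not in the stdlib); illustration only, not a real vault cipher.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]

def seal_vault(master_password: str, plaintext: bytes, iterations: int) -> dict:
    """Everything the client uploads: salt, nonce, work factor, ciphertext, tag.
    None of it lets the provider recover plaintext without the master password."""
    salt, nonce = os.urandom(16), os.urandom(16)
    key = derive_key(master_password, salt, iterations)
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, "sha256").digest()
    return {"salt": salt, "nonce": nonce, "iterations": iterations,
            "ciphertext": ciphertext, "tag": tag}

def open_vault(record: dict, master_password: str):
    """Local unlock. Returns the plaintext, or None if the password or blob is wrong."""
    key = derive_key(master_password, record["salt"], record["iterations"])
    expected = hmac.new(key, record["nonce"] + record["ciphertext"], "sha256").digest()
    if not hmac.compare_digest(expected, record["tag"]):
        return None
    ks = _keystream(key, record["nonce"], len(record["ciphertext"]))
    return bytes(a ^ b for a, b in zip(record["ciphertext"], ks))

def seconds_per_guess(iterations: int, trials: int = 3) -> float:
    """Cost of one offline guess against a stolen vault at this work factor."""
    salt = b"constructed-salt"  # constructed; a real vault uses a random per-user salt
    start = time.perf_counter()
    for _ in range(trials):
        derive_key("guess", salt, iterations)
    return (time.perf_counter() - start) / trials

if __name__ == "__main__":
    vault = b"example.com: xR#7mK!pQz$vNj2wL9@d\n"  # constructed sample entry
    record = seal_vault("correct horse battery staple", vault, 650_000)
    for n in (5_000, 650_000):  # LastPass pre-2018 vs 1Password, per the article
        print(f"{n:>7} iterations: {seconds_per_guess(n) * 1e3:.0f} ms per guess")
```

The ratio of the two timings is the attacker's cost multiplier: every guess against the stolen blob has to repeat the full derivation.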
The migration question
If you currently use no password manager, or if you use a browser built-in, the question is which manager to start with.
Default recommendation:
- Start with Bitwarden Free — unlimited entries, unlimited devices, zero-knowledge architecture, open-source codebase, four external audits. Free forever.
- If you want the smoothest onboarding experience and best iOS UX, use 1Password — 14-day trial, then £29/year.
- If you’re 100% Apple and just want to try things with zero friction, use Apple Passwords now and revisit in 6 months.
If you’re migrating from LastPass, read the migration fidelity section before switching — the choice of destination manager depends heavily on how many TOTP seeds you have.
Take the 60-second decision wizard for a personalised recommendation based on your devices, budget, household size, and whether you’re migrating from an existing manager.
Go deeper
- Stage 1 (Glossary): Zero-Knowledge Architecture. The foundational concept behind how secure managers work.
- Stage 3 (Commercial): The 8 Best Password Managers, 2026. Now you understand the concepts, pick your manager.
- Stage 5 (Tool): Migration Fidelity Matrix. What data survives each migration? The only honest answer in the field.