For years my password strategy was a clever-sounding base word with a number bolted on the end, varied just enough that I could usually guess which site got which version. I thought I was being smart. I was, in fact, reusing roughly the same password across forty accounts, which is the exact behavior that gets people's accounts drained one breach at a time.
Why I put it off for years
My objections were the common ones. Putting every password in one app felt like building a single point of failure. Setting it up sounded like a tedious weekend. And I assumed it would constantly get in my way, asking me to do extra steps on every login.
All three turned out to be either wrong or massively overstated. But I want to take the first one seriously, because "one basket" is the objection that actually deserves a real answer, and I will get to it.
What changed my mind
The trigger was getting one of those breach notification emails: a service I used had leaked its user database. Because I reused passwords, that one leak potentially exposed my email, a shopping site, and worse. I spent a frantic evening changing passwords by hand and realized I had no idea how many accounts shared that password. That is the moment the math flipped.
A password manager generates a long random password for every site, remembers all of them, and fills them in for you. The upshot is that a breach at one site stays contained to that site. There is no domino chain anymore. That alone justified it.
The day-to-day surprise was that it is faster, not slower. The browser extension and phone app recognize the login page, you tap your fingerprint or face, and it fills both fields. I log in quicker now than when I was typing my mediocre password from memory.
It also quietly fixed a problem I did not know I had: I no longer reset passwords constantly. Half my old "forgot password" clicks happened because I could not remember which variation a site used. Now there is one source of truth. The little reset-email dance that used to eat five minutes a week just stopped happening, which on its own nearly justified the switch.
The whole pitch is simple: you remember one strong password, and the software remembers the other two hundred.
The 'all eggs in one basket' worry
This deserves a straight answer. Yes, your vault is one container. But it is encrypted with your master password in a way that means the company storing it cannot read it, and a thief who steals the encrypted file still has to crack your master password to get anything. Reputable managers use strong encryption and never see your master password.
So the basket is real, but it is a vault, and the alternative is keeping your eggs scattered across forty flimsy baskets that share the same weak latch. The reused-password approach is the genuinely dangerous one. I had it backwards.
Two rules make the basket safe. First, your master password must be strong and unique, ideally a long passphrase of a few random words you can actually remember, and used nowhere else. Second, turn on two-factor authentication for the manager itself, so even a stolen master password is not enough. Do those two things and the single-point-of-failure worry mostly evaporates.
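To put numbers behind the two rules above, here is an added example (not code from the post or from any password manager) that sizes the guess space of the old "base word plus number" habit against a four-word random passphrase, and derives a vault key from the master password with a slow KDF so that every guess costs the thief real work. The word-list size, the PBKDF2 iteration count and the attacker guess rate are assumptions chosen for illustration.

```python
"""Added example, not from the post: why a vault guarded by a long random
passphrase is a safe basket. Part one sizes the guess space of the old
'base word + number' habit against a few random words; part two derives
the vault key with a slow KDF so each guess costs the thief real work.
The list size, iteration count and guess rate are assumptions."""
import hashlib
import math
import os

WORDLIST_SIZE = 7776          # assumed: a diceware-style list of 6**5 words
PBKDF2_ITERATIONS = 600_000   # assumed: a current-recommendation PBKDF2 cost
GUESSES_PER_SECOND = 1e5      # assumed: attacker throughput at that cost


def entropy_bits(choices: int, picks: int) -> float:
    """Bits of entropy for `picks` independent uniform draws from `choices`."""
    return picks * math.log2(choices)


def old_habit_bits(base_words: int = 10_000, suffix_numbers: int = 100) -> float:
    """The post's old scheme: one memorable word plus a two-digit number."""
    return entropy_bits(base_words, 1) + entropy_bits(suffix_numbers, 1)


def passphrase_bits(words: int = 4) -> float:
    """A passphrase of `words` words drawn at random from the assumed list."""
    return entropy_bits(WORDLIST_SIZE, words)


def expected_crack_years(bits: float) -> float:
    """Expected time to search half the space at the assumed guess rate."""
    return (2 ** bits / 2) / GUESSES_PER_SECOND / (365 * 24 * 3600)


def derive_vault_key(master_password: str, salt: bytes) -> bytes:
    """Key that encrypts the vault, derived on the device. The provider
    stores only the salt and the ciphertext, never the password or key."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt,
                               PBKDF2_ITERATIONS, dklen=32)


if __name__ == "__main__":
    for label, bits in (("old habit", old_habit_bits()),
                        ("4-word passphrase", passphrase_bits())):
        print(f"{label}: {bits:.1f} bits, ~{expected_crack_years(bits):.2g} years")
    salt = os.urandom(16)
    k1 = derive_vault_key("correct horse battery staple", salt)
    k2 = derive_vault_key("correct horse battery stable", salt)
    print("one-letter change in the master password, different key:", k1 != k2)
```

At these assumed rates the old habit (about 20 bits) falls in seconds while the four-word passphrase (about 52 bits) takes centuries, which is the gap the "one basket" objection overlooks.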
How to pick one
The options have matured a lot. A few honest pointers:
- Bitwarden is open-source and has a genuinely usable free tier. It is what I recommend to skeptical friends because it costs nothing to try.
- 1Password is polished and family-friendly, with the nicest interface, but it is subscription-only.
- The one built into your browser or phone (Apple Passwords, Google Password Manager) is free and far better than reusing passwords. The trade-off is that it is less convenient once you move between ecosystems. If you live entirely in Apple or entirely in Google, it is a fine starting point.
Avoid storing passwords in a plain notes file or a spreadsheet. That is the worst of both worlds: one basket with no lock. The browser's "remember this password" prompt is a step up from that, but the dedicated managers do more: they generate strong passwords, warn you about reused and breached ones, sync cleanly across phone and laptop, and store more than logins, like recovery codes and software licenses.
One feature I underrated at first is secure sharing. My partner and I share a few logins, the streaming services and the utility accounts, and the manager lets us share those specific entries without either of us seeing the other's personal vault. That beats the old method of texting each other passwords, which is exactly the kind of thing you should never do.
Getting started without a bad week
The mistake is trying to convert all forty accounts in one sitting. You will burn out by account number eight. Instead, do it gradually.
- Install the manager, create a strong master password, and write that one master password on paper stored somewhere safe at home. This is the one password you cannot recover if you forget it.
- Turn on two-factor authentication for the manager.
- Add the browser extension and phone app, and let it offer to save logins as you go about your normal week.
- Update your handful of important accounts first: email, banking, and your main shopping sites. Email especially, because it can reset everything else.
- Let the rest fill in naturally over the next month as you log into things.
Most managers have a built-in audit that flags reused and weak passwords, which gives you a tidy to-do list. I knocked mine down a few entries at a time during ad breaks. Many will also check your accounts against known data breaches and flag any password that has shown up in a leak, which is a genuinely useful nudge to change the ones that matter.
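What that audit is doing under the hood, as an added example (not the post's or any manager's real code): it runs over a constructed vault, flags reused and weak passwords, and checks each one against a constructed stand-in for a breach corpus. The breach check follows the widely used k-anonymity pattern, which I assume here rather than any specific product's behaviour: only a five-character prefix of the password's SHA-1 hash would ever leave the device, and the match is finished locally.

```python
"""Added example, not from the post: the audit a manager runs over a
vault, on a constructed vault and a constructed stand-in for a breach
corpus. The breach check follows the widely used k-anonymity pattern:
only the first five hex characters of SHA-1(password) would leave the
device, and the full hash is matched locally against the suffixes."""
import hashlib
from collections import defaultdict

# Constructed vault; the passwords are deliberately bad.
VAULT = [
    {"site": "mail.example", "password": "Tigger99"},
    {"site": "shop.example", "password": "Tigger99"},
    {"site": "bank.example", "password": "x7#Qm9!vLp2@Rt4w"},
    {"site": "forum.example", "password": "password1"},
]

# Constructed breach corpus: uppercase SHA-1 hex digests of leaked passwords.
BREACHED_SHA1 = {hashlib.sha1(p).hexdigest().upper()
                 for p in (b"password1", b"letmein")}


def range_lookup(prefix: str) -> set[str]:
    """Stand-in for the remote range query: suffixes of every breached
    digest starting with `prefix`; the server never sees the password."""
    return {h[5:] for h in BREACHED_SHA1 if h.startswith(prefix)}


def is_breached(password: str) -> bool:
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[5:] in range_lookup(digest[:5])


def is_weak(password: str) -> bool:
    """Crude rule: shorter than 12, or fewer than three character classes."""
    tests = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    classes = sum(any(t(c) for c in password) for t in tests)
    return len(password) < 12 or classes < 3


def audit(vault) -> dict[str, list[str]]:
    """Map each site to its findings: 'reused', 'weak', 'breached'."""
    sites_by_password = defaultdict(list)
    for entry in vault:
        sites_by_password[entry["password"]].append(entry["site"])
    findings = {}
    for entry in vault:
        pw = entry["password"]
        checks = (("reused", len(sites_by_password[pw]) > 1),
                  ("weak", is_weak(pw)), ("breached", is_breached(pw)))
        findings[entry["site"]] = [name for name, hit in checks if hit]
    return findings
```

Running `audit(VAULT)` gives the tidy to-do list the post describes: the two sites sharing "Tigger99" come back as reused and weak, the forum login as weak and breached, and the bank entry clean.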
Two practical worries people raise deserve quick answers. What if the company goes out of business? Reputable managers let you export your whole vault to a file you can import into a competitor, so you are never locked in. And what about getting locked out yourself? Set up the account's recovery options when you create it, write the master password on paper stored at home, and you have a fallback. The failure modes are real but manageable, and they are far less likely to bite you than the near-certainty of a breach somewhere reusing your old password.
Two years on, I cannot tell you a single password I use, and that is the point. It pairs naturally with knowing how to recognize a phishing email, because a password manager will refuse to autofill on a fake lookalike domain, which is a quiet extra layer of protection I did not expect. If I lost my phone tomorrow, my accounts would be inconvenient to access but not exposed. That trade, one password to remember for the peace of mind, has been the easiest tech decision I have made in a long time.
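The "refuses to autofill on a lookalike domain" behaviour comes down to an origin check, shown here as an added example (simplified for illustration, not any product's actual matching logic; the hostnames are constructed): a saved login is offered only over HTTPS and only when the page's hostname is the saved hostname or a subdomain of it, so how similar a domain looks to a human never enters into it.

```python
"""Added example, not from the post: the origin check behind 'refuses to
autofill on a lookalike domain'. Simplified for illustration, not any
product's real matching logic; the hostnames below are constructed."""
from urllib.parse import urlsplit


def hostname_matches(saved_host: str, page_host: str) -> bool:
    """True only if the page host is the saved host or a subdomain of it.
    Visual similarity is never considered, which is the whole point."""
    saved = saved_host.lower().rstrip(".")
    page = page_host.lower().rstrip(".")
    return page == saved or page.endswith("." + saved)


def should_autofill(saved_url: str, page_url: str) -> bool:
    """Fill only over HTTPS and only on the saved site's own hostname."""
    saved, page = urlsplit(saved_url), urlsplit(page_url)
    if page.scheme != "https" or not saved.hostname or not page.hostname:
        return False
    return hostname_matches(saved.hostname, page.hostname)


SAVED = "https://accounts.bank.example/login"

# Constructed pages, each with the decision a manager should reach.
CASES = {
    "https://accounts.bank.example/login": True,
    "https://www.accounts.bank.example/": True,          # real subdomain
    "https://accounts.bank.example.help.example/": False,  # saved name is a prefix only
    "https://accounts-bank.example/login": False,          # hyphen instead of dot
    "https://accounts.bank.examp1e/login": False,          # digit one for letter l
    "http://accounts.bank.example/login": False,           # no TLS
}


def check_all() -> dict[str, bool]:
    """Decide every constructed case against the saved entry."""
    return {url: should_autofill(SAVED, url) for url in CASES}
```

Real managers usually match on the registrable domain rather than this strict subdomain rule, which is more convenient but means an entry saved for a bare domain is offered on all of its subdomains.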