Password Manager Setup

ContextA passphrase like 'Copper-Marble-Eleven-Glove-River' or 'staple-cobalt-nineteen-fern-lantern' is both more memorable than a complex 12-character password and orders of magnitude harder to crack by brute force — the longer total length overwhelms any pattern-based attack. The words must be genuinely random: not a sentence that makes grammatical sense, not a quote you like, and not words that relate to you personally (hometown, spouse's name, pet, favorite team). You can generate a truly random list using the EFF Large Wordlist, which pairs a dice roll with a word for each selection — this is the gold standard for passphrase generation.

ContextThis catches the most expensive setup mistake: discovering you mistyped your passphrase during creation and now have a vault you cannot open. Most managers display the passphrase as you type it during setup — do not copy it digitally. Instead, write it on paper and then close the screen and type it from memory three times in a row. If you hesitate or mistype even once, your passphrase isn't as memorized as you thought. Either practice it more or choose a different set of words.

ContextA home safe, a locked filing cabinet, or in the care of a trusted family member who could help you recover access in an emergency are all valid options. A sticky note on your monitor, a note app on your phone, a file on your desktop, or a draft email are not — these defeat the purpose of securing the passphrase. The written copy should be legible enough that you (or a trusted person) could read it under stressful circumstances, for example if you were injured and someone needed to access a critical account on your behalf.

Context1Password generates a Secret Key during account creation — a long alphanumeric string required in addition to your master password when logging in on a new or unfamiliar device. Bitwarden provides a Two-step Login recovery code. These are entirely separate from your master password and may be required for account recovery when you no longer have an authorized device. Print them, file them with the passphrase paper, and store both in the same physically secure location. Ask yourself: if your phone and laptop were both lost or destroyed tonight, could you still access your vault? If the answer is no, your recovery documentation is in the wrong place.

ContextChrome: Settings → Autofill and passwords → Google Password Manager → Settings → Export passwords. Firefox: open about:logins, click the three-dot menu, choose Export Logins. Safari: Settings → Passwords → three-dot menu → Export. Edge: Settings → Passwords → three-dot menu → Export passwords. Each creates a CSV file listing every saved username, password, and URL. The total count will likely surprise you — most people with years of browser history discover 100 to 300 saved entries, many from accounts they'd forgotten existed.

ContextFind the import option in your manager's Settings or Vault section — the official help documentation lists the exact navigation path for your manager and browser combination. Most managers support direct import from Chrome, Firefox, Safari, Edge, and LastPass. The import itself takes under a minute regardless of how many entries you have. After importing, open the vault and spot-check five or ten entries at random to confirm the URLs, usernames, and passwords transferred correctly. Also verify the total entry count is roughly consistent with the number of rows in the CSV.

ContextThe exported file is a plaintext document listing every credential you just imported — it is acutely sensitive and should exist for the minimum time necessary. On Mac: right-click the file, Move to Trash, then use Cmd+Shift+Delete to empty the Trash permanently. On Windows: select the file and press Shift+Delete to skip the Recycle Bin entirely. Do not leave this file in your Downloads folder, do not email it to yourself, and do not upload it to cloud storage even temporarily. If you accidentally synced it to iCloud or Google Drive before deleting, remove it from those services as well and empty their trash.

ContextBrowser password managers only capture what you log into through the browser — they miss anything accessed natively as an app. Think through these categories: banking and investment apps you log into directly on your phone, insurance portals, government services (tax authority, social security, DMV), healthcare patient portals, employer HR systems, utility accounts, and loyalty or rewards programs. For each, either log in through the browser and let the extension capture the credential, or add the entry manually in your manager's vault. This phase is tedious but gives you a complete picture of how many accounts exist outside your browser.

ContextChrome: Settings → Autofill and passwords → Google Password Manager → Settings → turn off 'Offer to save passwords' and 'Sign in automatically.' Firefox: Settings → Privacy & Security → uncheck 'Ask to save logins and passwords for websites.' Safari: Settings → Passwords → turn off AutoFill or configure it to point only to your manager. Edge: Settings → Passwords → turn off 'Offer to save passwords.' Running both systems simultaneously causes the browser to silently save credentials that are already in your manager but might differ (old passwords, updated passwords), creating confusion about which version is current.

ContextYour password manager is the account that controls all other accounts. It warrants the strongest protection you apply to anything. Use an authenticator app (Google Authenticator, Authy, or the manager's own TOTP if supported) rather than SMS — SMS-based 2FA is vulnerable to SIM-swapping attacks where an attacker convinces your carrier to transfer your number to their device. If your manager supports hardware security keys such as a YubiKey, that is the strongest available option. Enable this before you finish setup, not as an afterthought.

ContextYou'll need an authenticator app for dozens of accounts going forward, so set one up at the start rather than discovering you need it mid-process on every site. Authy is recommended for most users because it backs up your 2FA tokens encrypted to the cloud — this prevents permanent lockout if your phone is lost, damaged, or replaced. Microsoft Authenticator and Apple's built-in Passwords app are also solid choices. Google Authenticator now supports syncing codes to your Google Account, but you should verify sync is enabled before relying on it for recovery. Install and configure your chosen app now, then use it for the manager's 2FA setup.

ContextBitwarden's Emergency Access allows you to designate a trusted person — a spouse, parent, or close friend — who can request access to your vault if you are incapacitated. In Bitwarden, the designated contact submits a request and you receive a notification. If you don't decline it within a time window you define (24 hours, 72 hours, 7 days), access is granted. If your manager instead relies on a recovery kit or secret key rather than an in-product emergency-contact feature, share that recovery material securely with the same trusted person. Set this up before you need it; it cannot be configured retroactively in a crisis.

ContextWhen you enable 2FA on an account, many services display a set of one-time backup codes — typically 8 to 10 codes that each work once if you lose your authenticator access. These codes are often shown only once and cannot be retrieved later. Create a Secure Note in your password manager (a dedicated note type separate from login entries, available in most managers) and record these codes there with the account name and the date generated. Label them clearly: 'Google — 2FA Backup Codes — generated March 2026.' Without these, losing access to your phone without an authenticator backup means a lengthy account recovery process, or in some cases, permanent lockout.

ContextThe audit identifies three categories: reused passwords (the same password used across multiple sites), weak passwords (short, simple, or dictionary-based), and compromised passwords (found in known breach databases via services like Have I Been Pwned). Read the full report before you start changing anything — this gives you an accurate picture of the scope and lets you prioritize intelligently rather than starting with whichever account appears first alphabetically. Most people with years of browser-saved passwords discover 50 to 150 flagged items on the first audit. This number is not a failure — it is the full scope of the project you are now actually addressing.

ContextYour email inbox is the master recovery key for nearly every other account you own. An attacker who controls your email can trigger 'forgot password' flows on your bank, social media, cloud storage, and e-commerce accounts, intercept the reset links, and take over each one. This makes email the single highest-value credential you have. Generate a 20+ character random password using your manager's generator (letters, numbers, symbols). You will never need to type this password manually — the manager handles it every time — so length is no inconvenience. Update it before any other account.

ContextAfter email, financial accounts represent the most direct monetary exposure. Work through them in order of potential damage: primary checking and savings accounts, investment and brokerage accounts, any cryptocurrency wallets or exchange accounts, and payment platforms such as PayPal, Venmo, or CashApp. Enable 2FA on every financial account that supports it during this same pass — most banks and brokerages now offer authenticator app or SMS options. If a financial institution doesn't support any form of 2FA, note it explicitly; that is a meaningful limitation of that institution's security posture.

ContextAttempting to update every flagged account in a single session almost always results in stopping at the halfway point from mental fatigue. Five to ten accounts per sitting takes about 15 minutes and clears a typical backlog of 100 accounts in one to two weeks. Open the audit report, pick the next group, update each one, save the new password when the extension prompts you, and close. Track progress by noting the total flagged count at the start and watching it fall each day. Accounts on services you no longer use can be deleted rather than updated — this is a good opportunity to close dormant accounts entirely.

ContextCombining the password update and 2FA setup into a single session per account is the most efficient approach and prevents the need for a second pass through every account later. After updating the password, navigate to the account's security settings and look for labels like 'Two-Step Verification,' 'Authenticator App,' or 'Multi-Factor Authentication.' Scan the QR code with your authenticator app, enter the test code to confirm it works, and immediately save any provided backup codes to a Secure Note in your vault before navigating away. Accounts that offer only email-based 2FA still benefit — that's one additional barrier an attacker must clear.

ContextThe permanent behavioral shift is simple: when you sign up for any new service, click the extension or let it detect the registration form, generate a password (20+ characters recommended as the default), and save it. You will not know what the password is, and that is exactly the design. Passwords invented by humans — even ones that feel complex and unique — follow patterns that automated cracking tools are specifically built to exploit: keyboard walks, word+number combinations, substituted letters. Generated passwords have no pattern at all.

ContextWhen you log into an account the extension hasn't seen before, it will offer to save the credential. If you dismiss this prompt, that account is absent from your vault. Future you will search for it, find nothing, trigger a 'forgot password' flow, generate a new password that may or may not get saved, and end up with a patchy vault full of gaps. Consistent saving from day one is the habit that makes the system comprehensive. If a site's login form doesn't trigger autofill correctly (some single-page apps don't), add the credentials manually through the vault interface rather than leaving them unsaved.

ContextNew breach databases are published continuously — credentials that were clean last month may appear flagged today because a breach from years ago was only recently indexed. A monthly check takes under two minutes: open the manager, navigate to the audit section, scan for new flags, and handle anything that appears urgent. Once your vault is fully clean, a quarterly review maintains that status with minimal ongoing effort. Many managers offer push notifications or email alerts when your credentials appear in a new breach — enable this feature if available, as it surfaces urgent issues between scheduled audits.

Context1Password's Travel Mode lets you designate specific vaults as 'safe for travel' and removes all other vaults from the app while the mode is active. A device inspection at a border checkpoint would see only the accounts you've chosen to show. Before a trip: identify vaults to hide, enable Travel Mode in account settings, open the app and verify the hidden vaults are not visible, and then travel. After clearing customs on return, disable Travel Mode to restore full access. If your manager lacks this feature, consider what a border agent would see if they examined your unlocked phone — that assessment alone tells you how sensitive your vault's contents are.