27 items

Password Manager Setup

The setup most people delay for years takes about two hours. This checklist covers every step — choosing the right manager, creating a master passphrase you'll actually remember, migrating what you already have, and locking down recovery options before you ever need them. For more background and examples, see the guidance below; for built-in tools and options, use the quick tools guide.

Author

Checklistify Editorial Team

Last Updated

Checklist Items

0 done•27 left•5 of 6 sections collapsed

Choose a password manager that fits your devices, budget, and technical comfort level.

Bitwarden is free, open-source, and has passed independent security audits — the right choice for most individuals starting out. 1Password costs around $3/month and offers the most polished interface across platforms, plus a Travel Mode that temporarily hides vaults when crossing international borders. Dashlane includes dark web monitoring in its paid tier but costs more for comparable core features. KeePass is entirely free and offline-only, but requires you to manage your own sync (via Dropbox, iCloud, etc.) and has a steeper learning curve. If you're unsure: start with Bitwarden's free plan. Exporting and switching managers later is straightforward and takes under an hour.

Create your account directly on the official website — not through an app store link or a search ad.

App stores and search results can surface convincing counterfeits with similar names, logos, and even reviews. Type the official URL directly into your browser: bitwarden.com, 1password.com, or dashlane.com. Creating the account on the official site also ensures your subscription billing is tied to a legitimate account and that you'll receive authentic security notifications — not phishing emails impersonating the service.

Install the browser extension for every browser you use regularly — this is what you'll interact with daily.

The browser extension is the operational core of a password manager. It detects login forms automatically, offers to fill your credentials, and prompts you to save new ones as you create accounts. Without it, you'd need to manually copy-paste from a separate app — a friction point that causes most people to stop using the manager within a week. Chrome, Firefox, Edge, Brave, and Safari are all supported by major managers. If you use multiple browsers, install the extension in each one, or commit to doing all your logins through one browser.

Install the mobile app and configure it as your phone's autofill provider.

On iPhone: go to Settings → Passwords → Password Options, select your password manager, and disable iCloud Keychain to prevent both systems prompting you at once. On Android: go to Settings → General Management → Passwords and Autofill, then select your manager. This step is what allows your manager to fill credentials inside native apps — your banking app, your email client, your airline app — not just websites. After enabling it, open one app you use regularly and verify that the autofill prompt from your manager appears.

Confirm the extension and app are both connected and unlocking correctly before proceeding.

Log into both the desktop extension and the mobile app with your new account credentials and verify the vault is accessible in each. Many managers separate the unlock step — your master password authenticates you, then a PIN or biometrics unlocks the app for day-to-day use. Configure the PIN or biometric unlock on mobile now: you'll use biometrics for the vast majority of unlocks and your master password only rarely. Confirming both environments work before you begin migrating passwords prevents discovering a setup issue later when you actually need access.

Create a master passphrase using four to six genuinely random, unrelated words.

A passphrase like 'Copper-Marble-Eleven-Glove-River' or 'staple-cobalt-nineteen-fern-lantern' is both more memorable than a complex 12-character password and orders of magnitude harder to crack by brute force — the longer total length overwhelms any pattern-based attack. The words must be genuinely random: not a sentence that makes grammatical sense, not a quote you like, and not words that relate to you personally (hometown, spouse's name, pet, favorite team). You can generate a truly random list using the EFF Large Wordlist, which pairs a dice roll with a word for each selection — this is the gold standard for passphrase generation.

Test your passphrase by typing it from memory three times before completing account setup.

This catches the most expensive setup mistake: discovering you mistyped your passphrase during creation and now have a vault you cannot open. Most managers display the passphrase as you type it during setup — do not copy it digitally. Instead, write it on paper and then close the screen and type it from memory three times in a row. If you hesitate or mistype even once, your passphrase isn't as memorized as you thought. Either practice it more or choose a different set of words.

Write your master passphrase on paper and store it somewhere physically secure and separate from your devices.

A home safe, a locked filing cabinet, or in the care of a trusted family member who could help you recover access in an emergency are all valid options. A sticky note on your monitor, a note app on your phone, a file on your desktop, or a draft email are not — these defeat the purpose of securing the passphrase. The written copy should be legible enough that you (or a trusted person) could read it under stressful circumstances, for example if you were injured and someone needed to access a critical account on your behalf.

Download, print, and securely file your emergency recovery kit or secret key alongside your passphrase paper.

1Password generates a Secret Key during account creation — a long alphanumeric string required in addition to your master password when logging in on a new or unfamiliar device. Bitwarden provides a Two-step Login recovery code and supports an emergency export option. These are entirely separate from your master password and are required for account recovery when you no longer have an authorized device. Print them, file them with the passphrase paper, and store both in the same physically secure location. Ask yourself: if your phone and laptop were both lost or destroyed tonight, could you still access your vault? If the answer is no, your recovery documentation is in the wrong place.

Export saved passwords from your primary browser as a CSV file.

Chrome: Settings → Autofill and passwords → Google Password Manager → Settings → Export passwords. Firefox: open about:logins, click the three-dot menu, choose Export Logins. Safari: Settings → Passwords → three-dot menu → Export. Edge: Settings → Passwords → three-dot menu → Export passwords. Each creates a CSV file listing every saved username, password, and URL. The total count will likely surprise you — most people with years of browser history discover 100 to 300 saved entries, many from accounts they'd forgotten existed.

#10

Import the exported CSV file into your password manager using its built-in import tool.

Find the import option in your manager's Settings or Vault section — the official help documentation lists the exact navigation path for your manager and browser combination. Most managers support direct import from Chrome, Firefox, Safari, Edge, and LastPass. The import itself takes under a minute regardless of how many entries you have. After importing, open the vault and spot-check five or ten entries at random to confirm the URLs, usernames, and passwords transferred correctly. Also verify the total entry count is roughly consistent with the number of rows in the CSV.

#11

Securely and permanently delete the exported CSV file immediately after a successful import.

The exported file is a plaintext document listing every credential you just imported — it is acutely sensitive and should exist for the minimum time necessary. On Mac: right-click the file, Move to Trash, then use Cmd+Shift+Delete to empty the Trash permanently. On Windows: select the file and press Shift+Delete to skip the Recycle Bin entirely. Do not leave this file in your Downloads folder, do not email it to yourself, and do not upload it to cloud storage even temporarily. If you accidentally synced it to iCloud or Google Drive before deleting, remove it from those services as well and empty their trash.

#12

Manually add important accounts that were never saved in your browser.

Browser password managers only capture what you log into through the browser — they miss anything accessed natively as an app. Think through these categories: banking and investment apps you log into directly on your phone, insurance portals, government services (tax authority, social security, DMV), healthcare patient portals, employer HR systems, utility accounts, and loyalty or rewards programs. For each, either log in through the browser and let the extension capture the credential, or add the entry manually in your manager's vault. This phase is tedious but gives you a complete picture of how many accounts exist outside your browser.

#13

Disable your browser's built-in password saving so it no longer competes with your manager.

Chrome: Settings → Autofill and passwords → Google Password Manager → Settings → turn off 'Offer to save passwords' and 'Sign in automatically.' Firefox: Settings → Privacy & Security → uncheck 'Ask to save logins and passwords for websites.' Safari: Settings → Passwords → turn off AutoFill or configure it to point only to your manager. Edge: Settings → Passwords → turn off 'Offer to save passwords.' Running both systems simultaneously causes the browser to silently save credentials that are already in your manager but might differ (old passwords, updated passwords), creating confusion about which version is current.

#14

Enable two-factor authentication on the password manager account itself — this is the most important 2FA you will configure.

Your password manager is the account that controls all other accounts. It warrants the strongest protection you apply to anything. Use an authenticator app (Google Authenticator, Authy, or the manager's own TOTP if supported) rather than SMS — SMS-based 2FA is vulnerable to SIM-swapping attacks where an attacker convinces your carrier to transfer your number to their device. If your manager supports hardware security keys such as a YubiKey, that is the strongest available option. Enable this before you finish setup, not as an afterthought.

#15

Install an authenticator app on your phone now, before you begin enabling 2FA across other accounts.

You'll need an authenticator app for dozens of accounts going forward, so set one up at the start rather than discovering you need it mid-process on every site. Authy is recommended for most users because it backs up your 2FA tokens encrypted to the cloud — this prevents permanent lockout if your phone is lost, damaged, or replaced. Microsoft Authenticator and Apple's built-in Passwords app are also solid choices. Google Authenticator no longer backs up by default on all platforms, which means losing your phone without a backup loses all your codes. Install and configure your chosen app now, then use it for the manager's 2FA setup.

#16

Designate an emergency contact within your password manager if the feature is available.

Bitwarden's Emergency Access and 1Password's Emergency Kit sharing allow you to designate a trusted person — a spouse, parent, or close friend — who can request access to your vault if you are incapacitated. In Bitwarden, the designated contact submits a request and you receive a notification. If you don't decline it within a time window you define (24 hours, 72 hours, 7 days), access is granted. This means you remain in control — an attacker cannot simply claim to be your emergency contact and immediately get access. Set this up before you need it; it cannot be configured retroactively in a crisis.

#17

Save one-time backup codes from any account that provides them to a Secure Note in your vault.

When you enable 2FA on an account, many services display a set of one-time backup codes — typically 8 to 10 codes that each work once if you lose your authenticator access. These codes are often shown only once and cannot be retrieved later. Create a Secure Note in your password manager (a dedicated note type separate from login entries, available in most managers) and record these codes there with the account name and the date generated. Label them clearly: 'Google — 2FA Backup Codes — generated March 2026.' Without these, losing access to your phone without an authenticator backup means a lengthy account recovery process, or in some cases, permanent lockout.

#18

Run your password manager's built-in security audit and read the full results before acting on any of them.

The audit identifies three categories: reused passwords (the same password used across multiple sites), weak passwords (short, simple, or dictionary-based), and compromised passwords (found in known breach databases via services like Have I Been Pwned). Read the full report before you start changing anything — this gives you an accurate picture of the scope and lets you prioritize intelligently rather than starting with whichever account appears first alphabetically. Most people with years of browser-saved passwords discover 50 to 150 flagged items on the first audit. This number is not a failure — it is the full scope of the project you are now actually addressing.

#19

Change your primary email account password first — generate a unique random password of 20 or more characters.

Your email inbox is the master recovery key for nearly every other account you own. An attacker who controls your email can trigger 'forgot password' flows on your bank, social media, cloud storage, and e-commerce accounts, intercept the reset links, and take over each one. This makes email the single highest-value credential you have. Generate a 20+ character random password using your manager's generator (letters, numbers, symbols). You will never need to type this password manually — the manager handles it every time — so length is no inconvenience. Update it before any other account.

#20

Change all financial account passwords immediately after email — banking, brokerage, cryptocurrency, and payment platforms.

After email, financial accounts represent the most direct monetary exposure. Work through them in order of potential damage: primary checking and savings accounts, investment and brokerage accounts, any cryptocurrency wallets or exchange accounts, and payment platforms such as PayPal, Venmo, or CashApp. Enable 2FA on every financial account that supports it during this same pass — most banks and brokerages now offer authenticator app or SMS options. If a financial institution doesn't support any form of 2FA, note it explicitly; that is a meaningful limitation of that institution's security posture.

#21

Update the remaining flagged accounts at a steady pace of five to ten per day until the audit is clean.

Attempting to update every flagged account in a single session almost always results in stopping at the halfway point from mental fatigue. Five to ten accounts per sitting takes about 15 minutes and clears a typical backlog of 100 accounts in one to two weeks. Open the audit report, pick the next group, update each one, save the new password when the extension prompts you, and close. Track progress by noting the total flagged count at the start and watching it fall each day. Accounts on services you no longer use can be deleted rather than updated — this is a good opportunity to close dormant accounts entirely.

#22

As you update each account's password, check for 2FA support and enable it in the same visit.

Combining the password update and 2FA setup into a single session per account is the most efficient approach and prevents the need for a second pass through every account later. After updating the password, navigate to the account's security settings and look for labels like 'Two-Step Verification,' 'Authenticator App,' or 'Multi-Factor Authentication.' Scan the QR code with your authenticator app, enter the test code to confirm it works, and immediately save any provided backup codes to a Secure Note in your vault before navigating away. Accounts that offer only email-based 2FA still benefit — that's one additional barrier an attacker must clear.

#23

Use the password generator for every new account going forward — never invent a password manually again.

The permanent behavioral shift is simple: when you sign up for any new service, click the extension or let it detect the registration form, generate a password (20+ characters recommended as the default), and save it. You will not know what the password is, and that is exactly the design. Passwords invented by humans — even ones that feel complex and unique — follow patterns that automated cracking tools are specifically built to exploit: keyboard walks, word+number combinations, substituted letters. Generated passwords have no pattern at all.

#24

Always accept the browser extension's prompt to save a newly entered credential — never dismiss it.

When you log into an account the extension hasn't seen before, it will offer to save the credential. If you dismiss this prompt, that account is absent from your vault. Future you will search for it, find nothing, trigger a 'forgot password' flow, generate a new password that may or may not get saved, and end up with a patchy vault full of gaps. Consistent saving from day one is the habit that makes the system comprehensive. If a site's login form doesn't trigger autofill correctly (some single-page apps don't), add the credentials manually through the vault interface rather than leaving them unsaved.

#25

Run the security audit monthly until the report shows zero issues, then shift to quarterly checks.

New breach databases are published continuously — credentials that were clean last month may appear flagged today because a breach from years ago was only recently indexed. A monthly check takes under two minutes: open the manager, navigate to the audit section, scan for new flags, and handle anything that appears urgent. Once your vault is fully clean, a quarterly review maintains that status with minimal ongoing effort. Many managers offer push notifications or email alerts when your credentials appear in a new breach — enable this feature if available, as it surfaces urgent issues between scheduled audits.

#26

Before any international trip, review which vaults or items to hide if your manager supports Travel Mode.

1Password's Travel Mode lets you designate specific vaults as 'safe for travel' and removes all other vaults from the app while the mode is active. A device inspection at a border checkpoint would see only the accounts you've chosen to show. Before a trip: identify vaults to hide, enable Travel Mode in account settings, open the app and verify the hidden vaults are not visible, and then travel. After clearing customs on return, disable Travel Mode to restore full access. If your manager lacks this feature, consider what a border agent would see if they examined your unlocked phone — that assessment alone tells you how sensitive your vault's contents are.

#27

📖 How your reused passwords get exploited — automatically and at scale

When any website is breached, the stolen credentials typically appear for sale on underground markets within days. Automated tools then test each username-and-password pair against hundreds of other services simultaneously — a technique called credential stuffing. No human effort is required per attempt; the tool simply runs down the list and logs every successful match. Someone who reused a forum password from 2019 might find their Amazon or PayPal account compromised years later, once that forum's database was purchased and fed into an attack script.

The breach-to-attack timeline has compressed sharply. In 2018, researchers estimated the average gap between a credential breach and its first weaponized use was over a year. By 2023, that window collapsed to days or hours for freshly leaked databases. A password that feels old and harmless is still being actively tested somewhere right now — the tools don't care when the breach happened, only whether the credential still works.

💡 What "the company can't see your passwords" actually means

Password managers encrypt your vault on your own device before it ever reaches their servers. The company stores only encrypted data they cannot decrypt — not readable passwords. This is called zero-knowledge architecture. If the company's servers are breached, attackers receive encrypted files, not credentials. This is fundamentally different from how most websites store passwords and from how browser password saving works, where the platform provider can technically access your stored data under certain conditions.

⚠️ What the 2022 LastPass breach actually taught the industry

LastPass suffered a major breach that exposed encrypted vaults. Users with weak master passwords faced genuine risk — attackers could attempt offline brute-force decryption without rate limits, running billions of guesses per second on their own hardware. Users with strong, long master passphrases remained protected because the encryption held. The lesson wasn't "avoid password managers" — it was that your master passphrase is the final barrier, and its strength is the variable that actually determines your exposure if a breach occurs.

🔧 Shared accounts: the coordination problem the checklist doesn't solve alone

Most households share credentials for streaming services, home Wi-Fi, utility portals, and smart home systems. A password manager handles this elegantly through shared vaults — but only if both people use the same manager and a plan that includes sharing. Family plans (available on Bitwarden and 1Password) include a shared vault both accounts can read and update in real time. When the streaming password changes, one person updates the shared entry and the other's autofill reflects it automatically. Without this, the typical workaround is texting the password — creating two out-of-sync copies, neither of which will be updated when the next password rotation happens.

Work accounts present a separate consideration that catches people off guard: credentials owned by an employer should not live in your personal vault. If you leave a job, you don't want to manually sort employer credentials from personal ones, and the employer doesn't want their systems' passwords inside a vault they no longer control. Consider maintaining work credentials in a separate vault or using a manager your employer provisions — many organizations provide 1Password Business or Bitwarden Teams accounts for exactly this reason.

🧮 What an account takeover actually costs — beyond the headlines

Account type	Typical damage	Recovery friction
Email	All linked accounts at risk; contacts receive phishing from your address	Days to weeks; cascading damage
Online banking	$200–$10,000+ in fraudulent transfers; Regulation E disputes take weeks	Weeks; partial financial recovery
E-commerce	Fraudulent orders shipped to third parties; stored card data exposed	3–10 days for chargebacks
Social media	Account sold, used to scam your contacts, or ransomed back to you	Days to permanent loss
Cloud storage	Files ransomed or leaked; sensitive documents exposed permanently	Varies; sometimes irreversible

Financial damage from a bank breach is often partially recoverable with enough persistence — filing disputes, working with fraud departments, and waiting. The non-financial costs are consistently underestimated: hours spent on hold, credit freeze filings, identity monitoring subscriptions that run for years, and the sustained low-grade anxiety of not knowing what the attacker accessed or copied before you regained control.

✅ How to know when you're actually done — not just started

Many people import their browser passwords, see a large vault, and consider themselves finished. They're roughly one-third of the way there. The setup phase is genuinely complete when: your vault contains entries for every account you use regularly — not just browser-saved ones — the security audit shows zero reused or compromised passwords, your email and every financial account has both a unique generated password and an active 2FA method, you've successfully logged into the vault from your phone at least once to verify the mobile setup is functional, and your recovery documentation is physically filed somewhere you could find it under pressure.

After that point, your interaction with the manager becomes largely passive. Autofill handles the overwhelming majority of logins without you thinking about it. The generator handles every new signup. The audit surfaces new issues in the background. The active time investment drops to a few minutes per month. Most people find that after 30 days of consistent use, the idea of creating or typing a password manually feels as strange as calculating a spreadsheet by hand when software exists to do it instantly.

Master This Checklist Quickly

Every important button and option for this pre-made checklist, shown in a glance-friendly format.

Start Here

1
Click any item row to mark it complete.
2
Use the note row under each item for quick notes.
3
Use the tool row for undo, redo, reset, and check all.
4
Use Save Progress when you want to continue later.

Checklist Row Tools

UndoRedoResetCheck allCollapse/Expand sectionsShow/Hide detailsInline notes

Top Action Buttons

Open all sharing and export options in one menu.

Email DraftContinue on another devicePrint or Save as PDFPlain Text (.txt)Word (.docx)Excel (.xlsx)

Add & Ask

Open one menu for apps and AI guidance.

NotionTodoist CSVChatGPTClaude

Copy and customize

Create a new editable checklist pre-filled with your chosen content.

Save Progress

Adds this checklist to My Checklists and keeps your progress in this browser.

Most Natural Usage

Track over time

Check items -> Add notes where needed -> Save Progress

Send or export

Open Share -> Choose format -> Continue

Make your own version

Copy and customize -> Open create page -> Edit freely

Password Manager Setup

Checklist Items

Choose and Install

Create and Protect Your Master Password

Migrate Your Existing Passwords

Lock Down Your Recovery Options

Audit and Update Weak Passwords

Build the Habits That Make the System Work