A password manager stores all your login details in one secure, encrypted vault — so you only need to remember one master password. The UK’s National Cyber Security Centre recommends them as one of the most effective ways to protect your online accounts. If you reuse the same password across multiple sites (as most people do), a password manager can significantly reduce your risk of being hacked.
Why are so many online accounts getting broken into?
Every year, hundreds of millions of usernames and passwords are stolen from websites and sold on the dark web. Criminals use lists of stolen passwords to try to log in to other sites automatically — a process known as “credential stuffing”. If you use the same password for your email, online banking, and shopping accounts, a breach at one site could unlock all of them.
According to Action Fraud, the UK’s national reporting centre for cybercrime, account takeover fraud is one of the fastest-growing types of online crime. The problem is rarely about hackers being especially clever — it is about people using the same simple, memorable passwords everywhere.
What exactly does a password manager do?
A password manager is an app or browser tool that stores all your usernames and passwords in an encrypted vault. When you visit a website, it automatically fills in your login details. You only need to remember one strong “master password” to unlock the vault — and the manager handles everything else.
Most password managers can also:
- Generate strong, random passwords for new accounts
- Warn you if one of your passwords has appeared in a known data breach
- Sync across your phone, tablet, and computer
- Store other sensitive information, such as credit card numbers or your passport details
The result is that every one of your accounts can have a different, strong password — without you needing to remember any of them.
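One way a breach warning can check stored passwords without revealing them is the hash-prefix range lookup offered by Have I Been Pwned's Pwned Passwords service. The sketch below is an added example, not code from any manager named on this page, and whether a given manager uses this exact scheme is an assumption; the corpus, the `RangeService` class and the site names are constructed for illustration and run offline.

```python
import hashlib
from collections import defaultdict

# Constructed breach corpus: password -> times seen (sample values, not real data).
CONSTRUCTED_BREACH_CORPUS = {"password": 9000, "qwerty123": 420, "letmein": 77}


def sha1_hex(password: str) -> str:
    # SHA-1 is only the lookup format here; it is not how passwords are stored.
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class RangeService:
    """Stands in for the remote lookup service; it only ever sees 5-character prefixes."""

    def __init__(self, corpus: dict):
        self.index = defaultdict(dict)
        self.seen_queries = []
        for password, count in corpus.items():
            digest = sha1_hex(password)
            self.index[digest[:5]][digest[5:]] = count

    def lookup(self, prefix: str) -> list:
        if len(prefix) != 5:
            raise ValueError("prefix must be exactly 5 hex characters")
        self.seen_queries.append(prefix)
        # A real service returns hundreds of unrelated suffixes per prefix.
        return [f"{suffix}:{count}" for suffix, count in self.index.get(prefix, {}).items()]


def breach_count(password: str, service: RangeService) -> int:
    """Client side: send 5 hex characters, compare the remaining 35 locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in service.lookup(prefix):
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def audit_vault(vault: dict, service: RangeService) -> dict:
    """Return {site: times_seen} for every stored password found in the corpus."""
    hits = {}
    for site, password in vault.items():
        seen = breach_count(password, service)
        if seen:
            hits[site] = seen
    return hits
```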
Which password manager should you choose?
There are several good options, and the right one depends on what devices you use and how much you want to spend.
Free options that work well:
- Bitwarden — free, open-source, and widely recommended by security experts. Works on iPhone, Android, Windows, and Mac. Considered one of the most trustworthy options available.
- Apple Keychain — built into iPhones, iPads, and Macs. If you only use Apple devices, this is the simplest starting point — it is already there, costs nothing, and needs no extra setup.
- Google Password Manager — built into Android phones and the Chrome browser. Easy to use if you are in the Google ecosystem.
Paid options (typically £2–£4 per month):
- 1Password — particularly popular for families and very easy to use
- Dashlane — good interface, includes dark web monitoring as standard
One manager worth approaching with caution is LastPass — it suffered significant data breaches in 2022 and 2023 that exposed encrypted user vaults. Security experts now generally recommend alternatives.
How do you get started with a password manager?
Getting started is simpler than it sounds. Here is a straightforward approach:
- Choose one — if you have an iPhone or iPad, try Apple Keychain first since it is already built in. If you use a mix of devices, try Bitwarden (free at bitwarden.com).
- Create your master password — make it long rather than complex. Three or four random words joined together (for example, “purple-kettle-mountain-seven”) are far harder to crack than a short string of symbols.
- Add your most important accounts first — start with your email, then your bank, then anything connected to finances or health.
- Let it generate new passwords gradually — when you next log in to a site and update your password, let the manager create a strong one for you. Over a few weeks, you will naturally migrate your most-used accounts.
You do not need to change everything in one go. Even changing your email and banking passwords to unique, strong ones straight away gives you much better protection.
Is it really safe to put all your passwords in one place?
This is the question most people ask — and it is a fair one. The short answer is yes, provided you use a reputable password manager and choose a strong master password.
Well-designed password managers encrypt your vault before it ever leaves your device. Even if the company’s servers were hacked, attackers would only get scrambled data that is useless without your master password. Your vault is protected by mathematics, not just trust.
The National Cyber Security Centre (NCSC) — the UK government’s cybersecurity authority — explicitly recommends password managers in its guidance for individuals and small businesses. It notes that writing passwords in a notebook kept at home is actually safer than reusing weak passwords across websites. A password manager is simply a better, more practical version of that notebook.
What else can you do to protect your accounts?
A password manager is the single most effective step most people can take, but a few other habits make a real difference:
- Turn on two-step verification (also called two-factor authentication, or 2FA) wherever possible — especially for email and banking. This means even if someone has your password, they still cannot get in without a code sent to your phone.
- Keep your devices updated — software updates patch security holes that criminals exploit. When your phone prompts you to update, it is worth doing it promptly rather than dismissing it.
- Protect your email above all else — your email is the master key to most of your other accounts, because it is used to reset passwords everywhere. Give it a unique, strong password.
- Check if your details have already been leaked — visit haveibeenpwned.com (a free, trustworthy service run by a respected security researcher) and enter your email address to see if it has appeared in any known breaches.
What is the key takeaway?
Using a password manager is one of the most effective things you can do to protect yourself online — and you do not need to be technically minded to use one. Start with the free built-in option on your phone (Apple Keychain or Google Password Manager), or download Bitwarden for free. Even switching just your email and bank account to a unique, strong password this week is a meaningful step forward. The goal is not perfection — it is being harder to hack than you are today.

