Why You Should Use a Password Manager

Every few weeks, we hear the news that another major website has been hacked. Often these hacks mean your personal information has also been compromised. Recently, that happened with LastPass, a password management service that we once recommended. In this updated post, we cover the reasons why you should use a password manager like Bitwarden to protect your online identity, and how to get started with it — a free, open-source password manager.

Password Breach — Having your passwords stolen is a nightmare.

Passwords & Online Security Best Practices

Most websites rely on a simple login process for a user to gain access to their account — a username and password.

As an online security best practice, you need to have long, complex and unique password for every web account you use.

Strong passwords need to be:

Long — The more characters in a password, the longer it would take a hacker to guess your password.
Complex — By adding additional characters to your password you add complexity or password entropy. Password entropy is a measurement of how unpredictable a password is, based on the character set used (a combination of lowercase, uppercase, numbers, and symbols) as well as password length. Basically, your password needs to be something you could never pronounce.
Unique — You need a different password for every web account you use. Yep, that’s right. Every login on every website needs to be unique and never reused.

Unfortunately, in the real world, meeting all three criteria for strong passwords is basically impossible without the use of a password manager.

Always generate a strong, random password when creating a new online account. Bitwarden makes this easy.

Why Use a Password Manager? The Nightmare Scenario

So why is having a long, complex, unique password important for your website?

If you use the same email address and password for multiple websites that you log into, what happens when one of those websites gets hacked?

In this scenario, your email address and password will be shared by criminals and used to try to log into other websites where you may have an account. If you use the same email address and password for all your websites, hackers could log into all your accounts at once.

Once your password has been compromised, you now have the challenge of updating your information individually on every single website that has the same login information. Do you even remember them all? If you use the same email and password again on each one, you’re probably going to have to repeat this process again in the future.

You can use haveibeenpwned.com to find out if your email address has appeared in any known security breaches and is now available to hackers and criminals. The Mozilla Firefox browser’s built-in password manager integrates with haveibeenpwned.com and will notify you when your information has appeared in new breaches.

Don’t Use Common Passwords

Here’s Nordpass’s list of the most common passwords of 2023. Do you recognize any of them?

1. password	11. 1234567	21. D1lakiss
2. 123456	12. 1234	22. 1q2w3e4r5t
3. 123456789	13. 1234567890	23. 110110jp
4. guest	14. 000000	24. 1111
5. qwerty	15. 555555	25. 987654321
6. 12345678	16. 666666	26. 121212
7. 111111	17. 123321	27. Gizli
8. 12345	18. 654321	28. abc123
9. col123456	19. 7777777	29. 112233
10. 123123	20. 123	30. azerty

Password Managers vs. Browser Password Storage

A Password Manager such as Bitwarden not only remembers your login information — it also helps you generate long, complex passwords and stores them and other information securely.

While most major web browsers today will offer to remember your passwords and fill them in automatically for you, this is generally not a secure practice.

Bitwarden vs. Other Password Managers

There are several excellent options for Password Managers available:

Ultimately, using any one of these password managers is a good choice, but we recommend Bitwarden because it is free, open source, and offers the most value in its free and paid features.

Why does open source matter? Anyone is free to inspect, copy, use, and modify open source software. You could set up your own Bitwarden password management server. Most of us won’t do that, but because we can others will. And with the Bitwarden codebase in the public eye, any major bugs and security issues that arise will not be secrets. They’ll be promptly fixed. Because it’s open source, Bitwarden users are very unlikely to ever see unpatched vulnerabilities go unaddressed or be deliberately hidden from them.

Getting Started with Bitwarden

In this next section, we’ll cover how to get started with Bitwarden.

Bitwarden Home Page — Getting started with a free, personal account at Bitwarden.

1. Create a Free Account

First, head over to bitwarden.com and click the View Plans & Pricing button in the header.
Next, select the Personal tab and click the Create Free Account button.
Then fill out the registration form and walk through the steps to create your account.

Bitwarden Pricing Screen — Bitwarden is free, open source software, and it offers the most value in its free and paid features.

2. Create Your Master Password

The most important part of this process is creating your master password. This password is the master key to all the other passwords you add to your account. It’s the only one you need to know, so make it memorable but strong.

Example: Al@b@m@Cr!ms0nT!d3 (No that’s not my real password!)

All your information is encrypted based on this Master Password. Not even LastPass can access your info without it – so don’t lose it!

It’s a good idea to enable two-step or two-factor authentication (2FA) for your Bitwarden master password in your account settings under “Security.”

3. Visit Your Vault

Your vault is where you keep all your most important information secure, including website logins, form fills, and secure notes. Access the vault by clicking the Bitwarden icon in your browser and choosing My Vault.

What you can do with the Bitwarden vault:

Add sites and secure notes.
Search and sort logins into folders easily.
Access your prepopulated auto-form fills.

4. Set Up the Bitwarden Browser Extension

Go here to download Bitwarden software. Then select the items you want — they’re all free. Along with the browser extensions, you may want to get the Bitwarden mobile and desktop apps too.

Download and install the extension for every browser you use.
Next, look for the Bitwarden icon appearing in your browser next to the search bar when it’s active.
Finally, log into Bitwarden through your browser, and it is ready to save new login credentials!

Bitwarden Browser Extensions — Bitwarden has an extension for every browser.

5. Import Existing Passwords

If you’ve been using your browser or another password manager like LastPass to store passwords, you can usually import them into Bitwarden easily.

Export your existing passwords.
Click the “Tools” menu item while logged into your Bitwarden account.
Then click Import data.
Select the appropriate importer from the dropdown menu and follow the prompts to upload your existing passwords into Bitwarden.

If you’re a Mac user, your iCloud Keychain passwords can’t be directly imported due to the security Keychain uses to store data. It’s a nice system but not portable across platforms.

Once you’re no longer using a browser to save and manage your passwords, be sure to turn this feature off in the browser. You’re using Bitwarden for this purpose from now on, and you don’t need your browser to do the same job anymore.

If you’re not sure how to do this, just Google something like How to turn off password saving in Chrome. You can also use your browser’s internal search tool to find these settings.

Bitwarden Import Tool — Easily import existing passwords or migrate from another service like LastPass to Bitwarden.

How to Use Bitwarden to Store and Access Logins and Other Information

Adding Logins to your Bitwarden Vault Automatically

Whenever you log into a website that is not yet saved in LastPass, it will prompt you with a request to add the site to your Bitwarden Vault. Click Add and your login will be saved for future use.
When you register a new account on a website, Bitwarden recognizes this process and will ask you if you want it to store the new login information in your vault.

Automagically filled forms! On most sites, Bitwarden will be able to pre-fill registration information you’ve used before, like your name and address.

Adding Logins, Cards, Identities, and Secure Notes Manually

This is particularly useful to save credentials for the occasional non-standard login form that isn’t recognized by Bitwardens’ automatic detection system.

First, add a site manually by clicking +Add Item in your Bitwarden web account or the +Add icon in the My Vault tab in your browser.
Then select Login as the type of information you want to save and follow the prompts for entering it. You can organize your login credentials in folders if you wish.

Pre-Filling Website Logins

Once your account credentials for a website are stored in Bitwarden, when you visit that site again, the Bitwarden icon will display a notification bubble in your browser that indicates the number of logins you have there.
Click the icon and select your login to pre-fill the login form.

Do you have more than one account on some sites? In cases where you have more than one login for a website saved, you will see a number on the Bitwarden icon indicating how many account credentials for that site exist in your Vault. Click the icon and select which login you’d like to use.

How to Automatically Fill a Form

Set Up Auto-Form Filling

Without opening your Bitwarden browser extension, you can right-click on any kind of form input field on any site to access the Bitwarden > Auto-fill option.
Then, in the Bitwarden Vault, you can select types of saved information in the left menu: Login, Card, Identity, or Secure note, and set up your information under the appropriate type.
You will be able to select this saved information when you encounter a form on the web.

Filling Forms Automatically

Once your information is set up in the Auto-fill settings, Bitwarden will place a form-filling notice below any web form field it can fill.
Next, click that notification, and your form will be filled with the appropriate information from your vault.

Bitwarden may notice you are filling in a form manually and offer to add it to your Auto-Fill records so you don’t have to type it again in the future.

Six Nifty Things You Can Do Once You Set Up Bitwarden

1. Generate a Strong Password

If you ever need to generate a strong password, just go to Tools > Generator in your Bitwarden account or click the Bitwarden icon in your browser and then the password generator icon.

You can define the password length and the kinds of characters that are allowed.

Bitwarden Strong Password Generator — Generate secure passwords with Bitwarden from your browser or apps.

2. Test Your Password Strength

Try Bitwarden’s Password Strength Testing Tool to evaluate any password before you use it. For premium account users, Bitwarden will check the “health” of all the passwords stored in your vault. Their Data Breach report is also free for everyonbe and will tell you if any of your information has been stolen on the web.

Bitwarden Password Strength Test — Test your strength! Your password strength, that is.

3. Start Using Secure Notes

Secure notes allow you to save information other than website logins securely in your Bitwarden Vault.

You can store driver’s license info, passport numbers, and other vital information as a note and also upload attachments like photos for each one.
Since secure notes are accessible on a mobile device as well, this is an excellent way to make your most important information available to you anywhere — securely.
To set up a note, open your Vault and click Secure notes in the left menu. Add as many as you like!

Bitwarden Secure Notes — Secure your notes.

You can share some or all of your saved logins with other users by setting up an Organization and adding (or inviting) other users to join it as Members. To add more than one Member you will need to pay for a higher-tier premium account.

Shared passwords cannot be copied and pasted from Bitwarden.

5. Set Up Emergency Access

What happens to all your online accounts if you get hit by a bus? By giving trusted friends or family emergency access to your LastPass account, you can allow them to access your account after a pre-defined wait time. This is also a premium feature.

In your Bitwarden account, go to Settings > Emergency Access in the left menu.
Next, click the +Add emergency contact button and follow the directions.

Emergency Contacts' Access Settings in Bitwarden — If you’re hit by a bus, your emergency contacts will be able to access your Bitwarden vault.

6. Set Up Two-Factor Authentication for Your Master Password

As an added measure to a strong Master Password, you should really set up two-factor authentication by using Bitwardens’ own authenticator or one of several other industry-standard two-factor authentication options.

To set up two-factor authentication, access your Account Settings, and then choose the Security option on the left and finally the Two-step login tab.
Finally, select your preferred provider(s) and set it up.

Two-step login settings for Bitwarden. — Two-factor authentication for Bitwarden.

Bitwarden Free vs. Premium

As you can see, Bitwarden’s free account has everything you need to securely store and autofill passwords on all your devices, which is where it differs from LastPass. LastPass doesn’t offer multi-device support for free.

Like LastPass and other password managers, Bitwarden does require a paid, premium account to share your passwords and other vault data with more than one person. These come in all kinds of Personal/Non-Business tiers starting at just a few dollars a month. Business plans cost more, as they should: you are paying for security and peace of mind around a critical, potentially show-stopping, business function.

I personally like how Bitwarden makes user access control simple and prominent in its interface. It feels a lot like Dropbox. And when you know you are paying for the users you trust to share your accounts with, you are much more likely to take on the necessary duty of care and manage those users carefully.

We’ve written elsewhere about passkeys replacing passwords to make digital accounts far more secure and simple to access — without any passwords. Passkeys are a brilliant new feature of iThemes Security Pro, which brings them to WordPress sites and their user authentication process. It’s inevitable that more and more people will use things like MacOS’s Keyring with passkeys on devices with a biometric login feature, like all new Apple devices. We’ll use passkeys to log into WordPress sites, our bank accounts, and everything — including our password managers like Bitwarden.

There’s going to be a need to securely store and share passwords and other information — including passkeys — for a long time to come. Lower security sites may not adopt passkeys quickly, but they’re certain to become the standard that replaces passwords. Sharing passkeys across different platforms will require a secure way to manage who has access to what and for how long. We probably will — and surely should — become more focused on access management in the future than we have in the era of passwords. We’ll be able to focus on the who, not the what — the person not a random sequence of characters. Those things, “passwords,” will be gone — and good riddance.

Dan Knauss

Dan Knauss is StellarWP’s Technical Content Generalist. He’s been a writer, teacher, and freelancer working in open source since the late 1990s and with WordPress since 2004.

Comments

Shafiq Khan says:

September 21, 2017 at 10:41 am

This looks good … I would really like to use Lastpass, but haven’t they been hit by cyber attacks in the past?

Zander says:

September 21, 2017 at 10:44 am

My concern about password managers like LastPass is the fact that if they get compromised, all of your passwords are out there for the world to see.

Any thoughts on that?

- Dan Knauss says:
  
  January 5, 2023 at 6:13 pm
  
  Yes. Sadly. https://ithemes.com/blog/the-lastpass-security-breach-how-to-protect-yourself/
  
Lawriem says:

September 21, 2017 at 11:52 am

Even though the information is encrypted is there any possibility (any at all) that the site could be hacked and the hackers could obtain passwords?

Richard Roscoe says:

September 21, 2017 at 1:08 pm

I’ve been using LastPass for many years now, it’s a truly invaluable tool and I don’t know where I’d be without it! I’ve you’ve not started using a password manager, give it a go, there will be no looking back!

Andrej says:

September 21, 2017 at 1:45 pm

LastPass is a really great tool and offers perfect functionality even with the free version. And in this tutorial you have showed me what I didn’t know that was even possible with it.

Andrew says:

September 21, 2017 at 3:50 pm

I think its also necessary to mention “form grabbers” and “key loggers” when talking about password managers otherwise people may think that a password manager will solve all their online security issues.
In addition, for a more comprehensive explanation of how to create a password that is easy to remember and complicated to crack: https://www.howtogeek.com/195430/how-to-create-a-strong-password-and-remember-it/

Craig Brown says:

September 21, 2017 at 5:52 pm

Whenever I set up a new website for a client and create their safe passwords, I email them this information;

NOTES ON PASSWORDS
Passwords should be as long and complex as possible for your own security.
You should never need to type these passwords as it’s easy to make a mistake, instead you should copy and paste them as required.
Using a good password manager software is a good idea so you can keep all your passwords safe in one place and just use one password to unlock them, that way you only ever need to remember one password for all your secure information.
A good Password Manager to use is this one;
http://www.selznick.com/products/passwordwallet/

Remember to backup your password file regularly.

Note that this is not an affiliate link (though I am not averse to transparent affiliation). This is a software company that I respect just as I respect iThemes. Top-notch quality software, service and value.