A plain-English guide for people who don't (and shouldn't have to) think about hackers all day
You can't remember a good, unique password for every account. Nobody can — that's normal. So you hand the job to a heavily-locked digital safe. This guide walks you, calmly and once, from "I reuse the same password" to "I don't have to worry about this anymore."
If you do one thing after reading this: install Bitwarden and set a strong master password. Everything else is detail.
A story you've lived through without noticing.
Imagine you use the same key for your house, your car, your office, your safe-deposit box, and your mailbox — then hand a copy to every shop that asks.
That's exactly what using the same password everywhere is. The danger isn't "will a hacker pick me?" It's "will one of the dozens of companies I trusted get breached?" When one does, criminals take your email + password and automatically try it on your bank, your Amazon, your PayPal — this is called credential stuffing, done by software at massive scale while the attacker sleeps. You're just one row in a spreadsheet of millions.
most
breaches
The #1 way inThe large majority of hacking-related breaches involve stolen or weak passwords — year after year.
Source: Verizon DBIRmost
people
The bad habitSurveys consistently find most people reuse passwords across multiple accounts.
Source: industry surveysbillions
Already out thereBillions of stolen passwords are already on criminal forums and in malware dumps right now.
Source: breach dumpsNo jargon — one super-secure digital safe.
It's one super-secure digital safe. Inside it lives every password you have. You lock it with a single master password — the one and only password you ever have to remember. You go from "I have to remember everything" to "I have to remember one thing."
Visit a site and it recognizes it and fills in your login automatically. No typing.
New account? It makes up a long random password like K7$mq2#vLp9!xQ, saves it, and you never see it again.
New phone, new laptop? Log in once and all your passwords are there.
It fills based on the real web address. If a scam sends you to paypa1-secure.com,
it just won't fill anything in — that silence is a warning sign.
Good managers check your saved passwords against known breaches and say "hey, change this one."
If your manager doesn't offer to fill a login where it normally would, don't dig the password out and paste it by hand. Check the web address first. The whole protection disappears the moment you manually copy-paste around it.
It protects you against the two biggest threats — company breaches and password reuse. But if your device already has malware (a keylogger / infostealer), it can capture your master password as you type. So keep your operating system and browser updated, and don't install pirated or sketchy software. A great lock on a rotten door isn't enough.
It's better than reuse. But it's a closed box you don't hold the key to.
| Feature | Browser built-in (Chrome / Apple) | Bitwarden |
|---|---|---|
| Separate master password | ✗ Not by default — opens with your Google / Apple account | ✓ Yes — one dedicated master password |
| Zero-knowledge (company can't read it) | ✗ No — Google holds the keys; an opt-in on-device option exists but is off by default | ✓ Yes, by design — locked on your device before it ever leaves |
| Works across all platforms | ⚠ Clumsy — happiest inside one ecosystem; mixing gets awkward | ✓ Everywhere — iPhone, Android, Windows, Mac, Linux, every browser |
| Open source & independently audited | ✗ Closed box — you're asked to simply trust it | ✓ Yes — outside firms & university researchers inspect it |
| Extra tools (2FA codes, sharing, emergency access) | ✗ Few — and less transparency | ✓ Yes — 2FA codes, secure sharing, secure notes, emergency access |
| Leave any time (no lock-in) | ⚠ Hostage-ish — data leaves on their terms | ✓ Export anytime — open source, never held hostage |
If Chrome's or Apple's built-in manager is all you ever use, you're already ahead of most people. The honest summary: it's convenient and okay — but it puts all your eggs in one company's basket, keeps the ability to read your stuff, and isn't the dedicated, independently-verified vault your most sensitive data deserves.
"They hold the locked box but never get the key."
Your password is scrambled on your phone or laptop, using your master password as the key.
What leaves your device is already unreadable. The key never goes with it.
8f3a…d91c…Bitwarden stores the locked box but cannot open it — even if they wanted to, or were hacked.
Even in the worst case — Bitwarden gets hacked and criminals steal everything — the thieves get a vault of gibberish, not your passwords. That's zero-knowledge.
In 2022 a different manager, LastPass, was breached — attackers stole copies of users' encrypted vaults. People with strong master passwords were fine; their vaults stayed unreadable scrambles. People with weak ones had their vaults slowly cracked open offline, guessing billions of passwords as fast as the hardware allowed.
Two-factor authentication does NOT help here — the attacker already has the raw encrypted file and never touches a login screen. The takeaway: make your master password a long, random passphrase. That length and randomness is the one thing standing between you and disaster.
Free and genuinely complete (unlimited passwords + devices). Works everywhere — no ecosystem lock-in. Open source and independently audited (including university cryptography researchers). Does the extra safety stuff (2FA codes, breach alerts, secure sharing, emergency access). Optional Premium is about $20/year; Families about $48/year for 6 people — but start free. (Prices as of 2026 — check the pricing page below for the latest.)
Because the company can't read your vault, there's no "forgot password" email. So: pick a
strong passphrase — four or five random words, e.g. velvet-trombone-glacier-pickle-lantern
(don't use that example or any famous one — pick your own random words).
Write it on paper and keep it safe at home, with a second copy in a different safe place.
A burglar at home is a far smaller risk than a hacker on the internet.
Do it once, calmly, in one sitting. Set for years.
In Chrome, open the password settings, find Export passwords, and save the file (Chrome will ask for your computer password — that's normal):
chrome://password-manager/settings
(Browsers don't allow web pages to open chrome:// links directly — so copy this, then paste it into Chrome's address bar yourself.)
In Bitwarden, go to Tools → Import data, pick the Chrome / Chromium source, and upload that file. (Menu labels shift now and then — the official import guide has current screenshots.)
Save it only to a simple local folder like your Desktop — never a cloud-synced folder (OneDrive, iCloud, Google Drive, Dropbox) and never a USB stick. The moment the import is confirmed: delete it and empty your Recycle Bin / Trash.
Emptying the Trash doesn't truly erase data — it can linger until overwritten. So do export → import → delete in one sitting, and it helps a lot if your drive is encrypted (BitLocker on Windows, FileVault on Mac — worth turning on anyway).
Otherwise two managers will fight to fill your logins.
That little shield icon near your address bar is the part you'll use every day. It logs you in, offers to save new logins, generates strong passwords on "create password" fields, can be pinned for easy access, and auto-locks after inactivity (asking for your master password or fingerprint to reopen). The phone app works the same way. Full breakdown in section 6 below.
Your vault is now the most valuable thing on your computer. In Settings → Security, turn on two-step login (2FA) — a second lock, so even a stolen master password isn't enough. Pick your method wisely:
Use it normally; let it auto-fill. Then do the most valuable habit of all:
Whenever you log into an important account, change that password to a new random one Bitwarden generates. Do your most important accounts first — email above all, because your email can reset every other password you own. Fix the top 5 this week; the rest happen naturally over time.
The little shield you'll touch every day.
An icon appears inside the login boxes. Click, pick your account, both fields fill instantly.
Sign up somewhere new and it pops up "Save this login?" — click Save, it's in your vault forever.
On any "create password" field, click the icon → Generate. Long random one, filled and saved in one click.
Click your browser's puzzle-piece icon and "pin" Bitwarden so the shield is always visible.
Locks itself after inactivity. Reopening needs your master password (or fingerprint/face).
The future is arriving — gradually.
You'll increasingly see "passkeys" or "sign in without a password." Your phone or laptop proves it's you with a fingerprint or face — there's no password to steal or phish at all, and accounts using them are dramatically harder to break into.
So why are you still doing all this? Passkeys are rolling out gradually — today only some sites support them, and most still use passwords (and will for years). You need a good system for both. Good news: Bitwarden stores and syncs your passkeys too, across all your devices — so you're not locked into one phone brand. Say yes when a site offers one; managers and passkeys aren't rivals.
Tap a question to open it.
Yes — and that's the point. The choice isn't "one door vs. zero doors." It's "one extremely well-defended door that you control, vs. 200 flimsy doors scattered across companies you've never heard of." One strong master password + two-factor beats reused passwords every single time. You're concentrating risk into the one place you can actually make strong.
You're not trapped. You can export your entire vault at any moment, and because Bitwarden is open source, the apps keep working and the community can keep them alive. Worst case, you import your export into another manager in ten minutes. Compare that to a closed system where your data leaves on the company's terms, not yours.
If you live entirely inside one ecosystem and only ever use that brand's devices and browser, it's a defensible middle ground — better than reuse. But you lose cross-platform freedom, independent auditability, and a true zero-knowledge guarantee, and you tie your whole vault to that one account. Bitwarden gives you all of that and still stores your passkeys. You don't have to choose.
Don't panic — this is exactly what the recovery code is for. The order is:
This is why the recovery code on paper (stored separately from your master password) is non-negotiable.
If you remember nothing else, remember this.
You don't have to become a security expert. You just have to move your keys into a proper safe. Twenty minutes today buys you years of "I don't have to worry about this anymore."
A "maybe later" project for tinkerers — not part of the normal switch.
Normally your encrypted vault lives on Bitwarden's servers. Some advanced users prefer to run the server themselves, on a little computer at home, using Vaultwarden — a lightweight community-built server that works with all the normal Bitwarden apps.
Important clarification: self-hosting does not change the encryption model. Your vault is encrypted on your device either way — Bitwarden's cloud can't read it, and your own server can't read it either. What changes is who runs the server you depend on — that brings new responsibilities, not new encryption magic.
The sane path: start with regular Bitwarden (the cloud version) today — it's already zero-knowledge. If months from now you've gotten comfortable and enjoy tinkering with home servers, then explore Vaultwarden as a project. There's no rush, and you lose nothing by waiting.