A plain-English guide for people who don't (and shouldn't have to) think about hackers all day
+You can't remember a good, unique password for every account. Nobody can — that's + normal. So you hand the job to a heavily-locked digital safe. This guide walks you, + calmly and once, from "I reuse the same password" to "I don't have to worry about this anymore."
+ + +If you do one thing after reading this: install Bitwarden and set a strong master password. Everything else is detail.
+A story you've lived through without noticing.
+Imagine you use the same key for your house, your car, your office, your safe-deposit box, and your mailbox — then hand a copy to every shop that asks.+
That's exactly what using the same password everywhere is. The danger isn't + "will a hacker pick me?" It's "will one of the dozens of companies I trusted get + breached?" When one does, criminals take your email + password and automatically + try it on your bank, your Amazon, your PayPal — this is called credential stuffing, + done by software at massive scale while the attacker sleeps. You're just one row in a spreadsheet of millions.
+The large majority of hacking-related breaches involve stolen or weak passwords — year after year.
+ Source: Verizon DBIR +Surveys consistently find most people reuse passwords across multiple accounts.
+ Source: industry surveys +Billions of stolen passwords are already on criminal forums and in malware dumps right now.
+ Source: breach dumps +No jargon — one super-secure digital safe.
+It's one super-secure digital safe. Inside it lives every password you have. You lock + it with a single master password — the one and only password you ever have to remember. + You go from "I have to remember everything" to "I have to remember one thing."
+Visit a site and it recognizes it and fills in your login automatically. No typing.
+New account? It makes up a long random password like K7$mq2#vLp9!xQ, saves it, and you never see it again.
New phone, new laptop? Log in once and all your passwords are there.
+It fills based on the real web address. If a scam sends you to paypa1-secure.com,
+ it just won't fill anything in — that silence is a warning sign.
Good managers check your saved passwords against known breaches and say "hey, change this one."
+If your manager doesn't offer to fill a login where it normally would, don't dig the + password out and paste it by hand. Check the web address first. The whole protection + disappears the moment you manually copy-paste around it.
+It protects you against the two biggest threats — company breaches and password reuse. + But if your device already has malware (a keylogger / infostealer), it can capture your master + password as you type. So keep your operating system and browser updated, and don't install + pirated or sketchy software. A great lock on a rotten door isn't enough.
+It's better than reuse. But it's a closed box you don't hold the key to.
+| Feature | +Browser built-in (Chrome / Apple) | +Bitwarden | +
|---|---|---|
| Separate master password | +✗ Not by default — opens with your Google / Apple account | +✓ Yes — one dedicated master password | +
| Zero-knowledge (company can't read it) | +✗ No — Google holds the keys; an opt-in on-device option exists but is off by default | +✓ Yes, by design — locked on your device before it ever leaves | +
| Works across all platforms | +⚠ Clumsy — happiest inside one ecosystem; mixing gets awkward | +✓ Everywhere — iPhone, Android, Windows, Mac, Linux, every browser | +
| Open source & independently audited | +✗ Closed box — you're asked to simply trust it | +✓ Yes — outside firms & university researchers inspect it | +
| Extra tools (2FA codes, sharing, emergency access) | +✗ Few — and less transparency | +✓ Yes — 2FA codes, secure sharing, secure notes, emergency access | +
| Leave any time (no lock-in) | +⚠ Hostage-ish — data leaves on their terms | +✓ Export anytime — open source, never held hostage | +
If Chrome's or Apple's built-in manager is all you ever use, you're already ahead of most people. + The honest summary: it's convenient and okay — but it puts all your eggs in one company's basket, + keeps the ability to read your stuff, and isn't the dedicated, independently-verified vault your most sensitive data deserves.
+"They hold the locked box but never get the key."
+Your password is scrambled on your phone or laptop, using your master password as the key.
+What leaves your device is already unreadable. The key never goes with it.
+ 8f3a…d91c…Bitwarden stores the locked box but cannot open it — even if they wanted to, or were hacked.
+Even in the worst case — Bitwarden gets hacked and criminals steal everything — + the thieves get a vault of gibberish, not your passwords. That's zero-knowledge.
+In 2022 a different manager, LastPass, was breached — attackers stole copies of users' encrypted vaults. + People with strong master passwords were fine; their vaults stayed unreadable scrambles. People with + weak ones had their vaults slowly cracked open offline, guessing billions of passwords as fast + as the hardware allowed.
+Two-factor authentication does NOT help here — the attacker already has the raw encrypted + file and never touches a login screen. The takeaway: make your master password a long, random + passphrase. That length and randomness is the one thing standing between you and disaster.
+Free and genuinely complete (unlimited passwords + devices). Works everywhere — no + ecosystem lock-in. Open source and independently audited (including university cryptography + researchers). Does the extra safety stuff (2FA codes, breach alerts, secure sharing, emergency access). + Optional Premium is about $20/year; Families about $48/year for 6 people — but + start free. (Prices as of 2026 — check the pricing page below for the latest.)
+Because the company can't read your vault, there's no "forgot password" email. So: pick a
+ strong passphrase — four or five random words, e.g. velvet-trombone-glacier-pickle-lantern
+ (don't use that example or any famous one — pick your own random words).
+ Write it on paper and keep it safe at home, with a second copy in a different safe place.
+ A burglar at home is a far smaller risk than a hacker on the internet.
Do it once, calmly, in one sitting. Set for years.
+In Chrome, open the password settings, find Export passwords, and save the file + (Chrome will ask for your computer password — that's normal):
+chrome://password-manager/settings
+
+ (Browsers don't allow web pages to open chrome:// links directly — so copy this, then paste it into Chrome's address bar yourself.)
In Bitwarden, go to Tools → Import data, pick the Chrome / Chromium source, and + upload that file. (Menu labels shift now and then — the official import guide has current screenshots.)
+Save it only to a simple local folder like your Desktop — never a cloud-synced + folder (OneDrive, iCloud, Google Drive, Dropbox) and never a USB stick. The moment the import is + confirmed: delete it and empty your Recycle Bin / Trash.
+Emptying the Trash doesn't truly erase data — it can linger until overwritten. So do + export → import → delete in one sitting, and it helps a lot if your drive is + encrypted (BitLocker on Windows, FileVault on Mac — worth turning on anyway).
+Otherwise two managers will fight to fill your logins.
+That little shield icon near your address bar is the part you'll use every day. It logs you in, + offers to save new logins, generates strong passwords on "create password" fields, can be + pinned for easy access, and auto-locks after inactivity (asking for your master password + or fingerprint to reopen). The phone app works the same way. Full breakdown in section 6 below.
+Your vault is now the most valuable thing on your computer. In Settings → Security, + turn on two-step login (2FA) — a second lock, so even a stolen master password isn't enough. Pick your method wisely:
+Use it normally; let it auto-fill. Then do the most valuable habit of all:
+Whenever you log into an important account, change that password to a new random one Bitwarden + generates. Do your most important accounts first — email above all, because your email can + reset every other password you own. Fix the top 5 this week; the rest happen naturally over time.
+The little shield you'll touch every day.
+An icon appears inside the login boxes. Click, pick your account, both fields fill instantly.
+Sign up somewhere new and it pops up "Save this login?" — click Save, it's in your vault forever.
+On any "create password" field, click the icon → Generate. Long random one, filled and saved in one click.
+Click your browser's puzzle-piece icon and "pin" Bitwarden so the shield is always visible.
+Locks itself after inactivity. Reopening needs your master password (or fingerprint/face).
+The future is arriving — gradually.
+You'll increasingly see "passkeys" or "sign in without a password." Your phone or laptop proves it's + you with a fingerprint or face — there's no password to steal or phish at all, and accounts using + them are dramatically harder to break into.
+So why are you still doing all this? Passkeys are rolling out gradually — today only some sites + support them, and most still use passwords (and will for years). You need a good system for both. + Good news: Bitwarden stores and syncs your passkeys too, across all your devices — so you're not + locked into one phone brand. Say yes when a site offers one; managers and passkeys aren't rivals.
+Tap a question to open it.
+Yes — and that's the point. The choice isn't "one door vs. zero doors." It's + "one extremely well-defended door that you control, vs. 200 flimsy doors scattered across + companies you've never heard of." One strong master password + two-factor beats reused passwords + every single time. You're concentrating risk into the one place you can actually make strong.
+You're not trapped. You can export your entire vault at any moment, and because Bitwarden is + open source, the apps keep working and the community can keep them alive. Worst case, you import + your export into another manager in ten minutes. Compare that to a closed system where your data leaves + on the company's terms, not yours.
+If you live entirely inside one ecosystem and only ever use that brand's devices and browser, + it's a defensible middle ground — better than reuse. But you lose cross-platform freedom, independent + auditability, and a true zero-knowledge guarantee, and you tie your whole vault to that one account. + Bitwarden gives you all of that and still stores your passkeys. You don't have to choose.
+Don't panic — this is exactly what the recovery code is for. The order is:
+This is why the recovery code on paper (stored separately from your master password) is non-negotiable.
+If you remember nothing else, remember this.
+You don't have to become a security expert. You just have to move your keys into a + proper safe. Twenty minutes today buys you years of "I don't have to worry about this anymore."
+A "maybe later" project for tinkerers — not part of the normal switch.
+Normally your encrypted vault lives on Bitwarden's servers. Some advanced users prefer to run the + server themselves, on a little computer at home, using + Vaultwarden — + a lightweight community-built server that works with all the normal Bitwarden apps.
+Important clarification: self-hosting does not change the encryption model. Your vault is + encrypted on your device either way — Bitwarden's cloud can't read it, and your own server can't + read it either. What changes is who runs the server you depend on — that brings new + responsibilities, not new encryption magic.
+The sane path: start with regular Bitwarden (the cloud version) today — + it's already zero-knowledge. If months from now you've gotten comfortable and enjoy tinkering with home + servers, then explore Vaultwarden as a project. There's no rush, and you lose nothing by waiting.
+