tutorials/bitwarden-switch/password-manager-tutorial.md
2026-06-04 13:55:38 +02:00
Your Passwords Are the Keys to Your Whole Life — Let's Protect Them Properly

A plain-English guide for normal humans who don't (and shouldn't have to) think about hackers all day.


Read this first (the 30-second version)

  1. You cannot remember a good, unique password for every account. Nobody can. That's normal.
  2. So you need a password manager — a single, heavily-locked digital safe that remembers them all for you.
  3. Your browser (Chrome / Google) has one built in. It's better than nothing, but it has real weaknesses, and it ties your entire digital life to one Google account.
  4. The recommendation: move to Bitwarden. It's free, it works on everything, and it's built so that even the company itself cannot read your passwords.
  5. (For the nerds and "maybe later" crowd: you can even run your own private version called Vaultwarden. Skip that part for now — it's optional and at the very end.)

If you only do one thing after reading this: install Bitwarden and set a strong master password. Everything else is detail.


Part 1 — Why this matters (a story you've lived through without noticing)

Imagine you use the same key for your house, your car, your office, your safe-deposit box, and your mailbox. Convenient! One key, never locked out.

Now imagine you hand a copy of that key to the pizza place, the gym, that random webshop you bought socks from in 2019, and a forum you forgot you joined. You had to — they all asked for a key to let you in.

That's exactly what using the same password everywhere is.

Here's the part people don't see: companies get hacked constantly. Not because you did anything wrong — because they got broken into. When that happens, the criminals walk away with a giant list of email addresses and passwords. Then they do something simple and automatic: they take your email + password from the sock shop and try it on your email, your bank, your Amazon, your PayPal.

This is called credential stuffing, and it's done by software, at massive scale, while the attacker sleeps. They aren't targeting you personally. You're just one row in a spreadsheet of millions.

The numbers are genuinely bad:

  • The large majority of hacking-related breaches involve stolen or weak credentials — year after year, this is the #1 way in. (Verizon's annual Data Breach Investigations Report is the standard source security people quote for this.)
  • Surveys consistently find most people reuse passwords across multiple accounts.
  • Billions of stolen passwords are already circulating on criminal forums and in malware dumps.

So the danger isn't "will a hacker pick me?" The danger is "will one of the dozens of companies I trusted get breached?" — and the honest answer is: it's already happened, probably more than once.

The fix is boring and incredibly effective: every account gets its own unique, long password. Then a breach at the sock shop stays at the sock shop. It can't spread.

But you can't memorize 200 different long passwords. So we let a machine do it.


Part 2 — What a password manager actually is (no jargon)

A password manager is one super-secure digital safe. Inside it lives every password you have. You lock the safe with a single master password — the one and only password you ever have to remember.

Day to day, it just... works:

  • You go to a website. The password manager recognizes it and fills in your login automatically.
  • New account? It invents a long random password for you (like K7$mq2#vLp9!xQ), saves it, and you never even see it again.
  • New phone, new laptop? Log in once, and all your passwords are there.

You go from "I have to remember everything" to "I have to remember one thing."

Two side benefits that matter more than people expect:

  • It helps protect you from fake websites. A password manager fills your password based on the real web address. If a scam email sends you to paypa1-secure.com instead of paypal.com, your manager just... won't fill anything in. That silence is a warning sign. ⚠️ Important habit: if your manager doesn't offer to fill in a login on a site where it normally would, stop — don't dig your password out and paste it in by hand. Check the web address first. The whole protection disappears the moment you manually copy-paste around it.
  • It tells you when you've been exposed. Good managers can check your saved passwords against known breaches and say "hey, change this one."
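To make the "silence is a warning sign" behaviour concrete, here is an added Python example written for this guide (not Bitwarden's own code) of the decision a manager makes before it offers to fill: it compares the registrable "base domain" of the page you are on with the one stored on each saved login. The sample vault entries and the `base_domain` / `should_autofill` names are this example's own, and it simplifies the real rule by treating the last two host labels as the base domain instead of consulting the Public Suffix List.

```python
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Added illustration of the check a password manager performs before it offers
# to fill a login. Bitwarden's default URI match rule is "base domain"; this
# re-implements that idea with a simplification: the base domain is taken to be
# the last two host labels rather than looked up in the Public Suffix List.

# Constructed sample vault: login name -> the URL it was saved on.
SAVED_LOGINS: Dict[str, str] = {
    "PayPal": "https://www.paypal.com/signin",
    "Bank": "https://online.examplebank.test/login",
}


def base_domain(url: str) -> Optional[str]:
    """Registrable domain of a URL, e.g. 'paypal.com' for
    'https://www.paypal.com/signin'; None if the URL is not http(s) or has no host.
    urlsplit().hostname drops any 'user@' prefix, so 'http://paypal.com@evil.test/'
    yields 'evil.test', not 'paypal.com'."""
    parts = urlsplit(url)
    host = parts.hostname
    if parts.scheme not in ("http", "https") or not host:
        return None
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2 or not all(labels):
        return None
    return ".".join(labels[-2:])


def matching_logins(current_url: str, vault: Dict[str, str] = SAVED_LOGINS) -> List[str]:
    """Names of saved logins whose base domain equals the current page's base domain."""
    current = base_domain(current_url)
    if current is None:
        return []
    return [name for name, saved_url in vault.items() if base_domain(saved_url) == current]


def should_autofill(current_url: str, vault: Dict[str, str] = SAVED_LOGINS) -> bool:
    """True only when at least one saved login belongs to this site.
    False is the 'silence' the guide describes: this is not a site you saved."""
    return bool(matching_logins(current_url, vault))


if __name__ == "__main__":
    for url in (
        "https://www.paypal.com/signin",        # the saved site itself
        "https://accounts.paypal.com/",         # another subdomain, same base domain
        "https://paypa1-secure.com/login",      # look-alike from the guide: no match
        "https://paypal.com.evil-login.test/",  # real name used as a subdomain: no match
        "http://paypal.com@evil.test/",         # userinfo trick: the host is evil.test
    ):
        print(f"{url:40} fill={should_autofill(url)} matches={matching_logins(url)}")
```

The look-alike, the "real name as a subdomain" and the `user@` tricks all come out as no match, which is exactly the moment the guide tells you to stop and read the address bar rather than paste the password by hand.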

One honest limit — please read this

A password manager protects you against the two biggest everyday threats: company breaches and password reuse. It does not make your device magic-proof.

If your computer or phone is already infected with malware (a keylogger, an "infostealer"), that malware can capture your master password as you type it and read your vault once it's unlocked — and no password manager on earth can stop that. So the basics still matter: keep your operating system and browser updated, and don't install pirated or sketchy software. Think of your device itself as part of the safe; a great lock on a rotten door isn't enough.


Part 3 — "But Chrome already saves my passwords. Isn't that the same thing?"

Great question, and this is where most people stop thinking — so let's go one step further.

Yes, Google Password Manager (the thing built into Chrome and Android) is a real password manager, and using it is far better than reusing one password everywhere. If that's all you ever do, you're already ahead of most people. Credit where it's due. (The same general pros and cons apply to Apple's built-in iCloud Keychain on iPhones/Macs — convenient, but tied to one ecosystem.)

But the browser-built-in managers have some specific, important weaknesses:

1. Your entire vault is only as safe as your Google account

With Chrome's built-in manager, there is no separate master password by default. Whoever can get into your Google account can typically see every saved password. So your Google login becomes the single key to your entire digital life — email, photos, passwords, everything — all behind one door.

If someone phishes that one Google password, or you're left logged in on a shared/stolen computer, the whole vault can be exposed at once.

2. Google can technically access your passwords

By default, your passwords are stored in a way where Google itself holds the keys. They promise not to look, and they're a serious company — but the capability exists. They can be compelled by a court, or it could be exposed in an internal mistake. (Google does offer an optional "on-device encryption" setting that fixes much of this — but it's off by default, most people never turn it on, and it comes with its own "if you forget it, your data is gone forever" tradeoff that isn't well explained.)

Compare that to the gold standard, which we'll get to: a vault designed so the company literally cannot read your data even if they wanted to.

3. It really wants you to live inside Google's world

Chrome's manager is happiest on Chrome and Android (and Apple's is happiest on iPhones and Macs). The moment you mix ecosystems — an iPhone with a Windows PC, Firefox, a desktop app — or just want to leave someday, things get clumsy. Your passwords become a bit of a hostage.

4. Fewer safety tools, less transparency

A dedicated manager gives you things the browser ones don't do well: storing your two-factor login codes, secure sharing with family, secure notes, emergency access if something happens to you. And critically — the leading dedicated managers are open source, meaning independent security experts can inspect exactly how they work. The browser ones are closed boxes; you're asked to simply trust them.

The honest summary: the browser's built-in manager is convenient and okay. But it puts all your eggs in one company's basket, it keeps the ability to read your stuff, and it's not built to be the dedicated, locked-down, independently-verified vault that your most sensitive data deserves.


Part 4 — Why Bitwarden is the recommendation

Bitwarden is a dedicated password manager built around one powerful idea: the company cannot see your passwords.

Here's the key concept in one sentence: everything is locked on your device, with your master password, before it ever travels to their servers. The stuff sitting on Bitwarden's computers is just an unreadable scramble. This is called zero-knowledge and end-to-end encryption — fancy terms for "they hold the locked box but never get the key."

Why this is a big deal: even in the worst case — Bitwarden gets hacked and criminals steal everything — the thieves get a vault of gibberish, not your passwords.

The LastPass lesson (why your master password's strength is everything)

In 2022 a different password manager, LastPass, got badly breached — attackers stole copies of users' encrypted vaults. Here's the crucial part for you:

  • People with strong master passwords were fine. Their stolen vaults were unreadable scrambles.
  • But once attackers have a stolen vault, they can try to crack it offline, on their own machines, guessing billions of master passwords as fast as their hardware allows. People with weak master passwords had their vaults slowly cracked open.
  • Two-factor authentication does NOT help in this specific scenario — the attacker already has the raw encrypted file and never touches the login screen.

The takeaway: in a breach, the length and randomness of your master password are the one thing standing between you and disaster. That's why we make it a long passphrase (below). This is also why "encrypt everything" matters — in the LastPass case, some data (like the website addresses in each vault) wasn't encrypted, which is exactly the kind of leak a fully-encrypted design avoids.
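To show what "they hold the locked box but never the key" means in practice, and why a stolen vault turns into an offline guessing race, here is an added Python model written for this guide; it is not Bitwarden's code. It follows the shape of Bitwarden's published design (PBKDF2-SHA256 over the master password, salted with the account email, then one extra round to produce the only value the server stores), but the function names, the 600,000-iteration default and the attacker guess rate used in the demo are assumptions of this example.

```python
import hashlib
import hmac
import time

# Added, simplified model of a zero-knowledge login, written for this guide.
# The shape follows Bitwarden's published design (PBKDF2-SHA256, email as salt,
# one extra round for the value the server keeps); the iteration default and
# the demo's attacker guess rate are assumptions of this example.

DEFAULT_ITERATIONS = 600_000  # assumed default; real products raise this over time


def derive_master_key(master_password: str, email: str, iterations: int = DEFAULT_ITERATIONS) -> bytes:
    """32-byte key that unlocks the vault. Computed on the user's own device from
    the master password plus the normalised email as salt; it never leaves the device."""
    salt = email.strip().lower().encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations)


def auth_hash(master_key: bytes, master_password: str) -> bytes:
    """The only login value the server stores: one more PBKDF2 round over the master
    key. It cannot be turned back into the master key, so the server (or a thief who
    copies its database) still cannot open the vault."""
    return hashlib.pbkdf2_hmac("sha256", master_key, master_password.encode("utf-8"), 1)


def server_accepts(stored_hash: bytes, presented_hash: bytes) -> bool:
    """Server-side login check, compared in constant time."""
    return hmac.compare_digest(stored_hash, presented_hash)


def expected_guess_seconds(entropy_bits: float, guesses_per_second: float) -> float:
    """Expected offline-cracking time once the encrypted vault or auth hash has been
    stolen: on average the attacker has to search half the keyspace."""
    return 2 ** (entropy_bits - 1) / guesses_per_second


def seconds_per_guess_here(email: str = "user@example.test", iterations: int = DEFAULT_ITERATIONS) -> float:
    """Cost of a single master-password guess on this machine: every guess must
    repeat the full derivation, which is what a high iteration count buys you."""
    start = time.perf_counter()
    derive_master_key("any guess", email, iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    email = "user@example.test"
    right = "velvet-trombone-glacier-pickle-lantern"   # the guide's example, not for real use
    wrong = "velvet-trombone-glacier-pickle-lanterN"
    stored = auth_hash(derive_master_key(right, email), right)
    print("server stores:", stored.hex()[:16], "... (an auth hash, never the key)")
    print("right password accepted:", server_accepts(stored, auth_hash(derive_master_key(right, email), right)))
    print("wrong password rejected:", not server_accepts(stored, auth_hash(derive_master_key(wrong, email), wrong)))
    print(f"one guess costs {seconds_per_guess_here(email):.3f}s on this machine")
    ASSUMED_ATTACKER_RATE = 1e7  # guesses/second: an assumed well-resourced attacker, KDF cost included
    for label, bits in (("8 random printable characters", 52.6), ("5-word diceware passphrase", 64.6)):
        years = expected_guess_seconds(bits, ASSUMED_ATTACKER_RATE) / (365 * 24 * 3600)
        print(f"{label}: ~{years:,.0f} years at {ASSUMED_ATTACKER_RATE:.0e} guesses/s")
```

Two things fall out of running it: a server breach hands the thief only `stored`, which is useless without re-deriving the key from the master password, and the time to re-derive it is paid once per guess, so the bits in your passphrase multiply against the iteration count. Two-factor does not appear anywhere in this loop, which is why it could not help LastPass victims.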

Why Bitwarden specifically

  • It's free, and the free version is genuinely complete. Unlimited passwords, unlimited devices, phone + computer + every browser. Most people never need to pay.
  • It works everywhere. iPhone, Android, Windows, Mac, Linux, Chrome, Firefox, Safari, Edge. You are not locked into anyone's ecosystem.
  • It's open source and independently audited. Outside security firms — including university cryptography researchers — regularly inspect it. You're not asked to "just trust us"; the locks are inspectable.
  • It does the extra safety stuff. Two-factor codes, breach alerts, secure sharing with family, secure notes, emergency access.
  • No lock-in. You can export your whole vault anytime, and because it's open source, your data is never held hostage (more on "what if the company dies?" in the FAQ below).
  • Optional paid tier is cheap — about $20/year for Premium (adds built-in two-factor codes, encrypted file storage, vault health reports, emergency access). Families is about $48/year for 6 people. But again: start free. You can upgrade later or never. (Prices as of 2026 — check bitwarden.com/pricing for the latest.)

The one rule you must not break

Because Bitwarden can't see your passwords, Bitwarden also cannot recover your master password for you. There's no "forgot password" email that gets you back in. That's the price of real security.

So:

  • Pick a strong master password you can actually remember. A great trick: use a passphrase — four or five random words strung together, like velvet-trombone-glacier-pickle-lantern. Long, memorable, very hard to crack. ⚠️ Don't use that example or any famous one — pick your own random words (ideally let a generator or dice choose them, not words that mean something about you).
  • Write it down on paper and keep it somewhere safe at home (a drawer, a safe). Yes, paper. A burglar in your house is a far smaller risk than a hacker on the internet. Keep a second copy in a different safe place (a relative's house, a bank box) — because if your only copy is lost in a fire or a move, even you can't get back in.
  • Turn on two-factor authentication for your account (we'll do this in the setup steps). And consider setting up Bitwarden's Emergency Access, which lets a trusted person request access to your vault after a waiting period if something happens to you.
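If you would rather let a program pick the words than roll dice, here is an added Python generator written for this guide; it is not Bitwarden's built-in generator. To stay self-contained it uses a constructed 16-word list; a real list such as the EFF long list has 7,776 words, which is where the "about 12.9 bits per word" figure in the output comes from.

```python
import math
import secrets
from typing import List

# Added dice-style passphrase generator written for this guide. WORDS is a
# constructed 16-word stand-in; real generators use a list of thousands of
# words (the EFF long list has 7,776), and the entropy maths below shows why
# the list size matters as much as the word count.
WORDS: List[str] = [
    "anchor", "basil", "canyon", "dolphin", "ember", "falcon", "garnet", "harbor",
    "iris", "juniper", "kettle", "lagoon", "meadow", "nimbus", "orchid", "pebble",
]


def passphrase_entropy_bits(n_words: int, list_size: int) -> float:
    """Bits of entropy when each word is chosen uniformly and independently."""
    if n_words < 1 or list_size < 2:
        raise ValueError("need at least one word drawn from at least two choices")
    return n_words * math.log2(list_size)


def words_needed(target_bits: float, list_size: int) -> int:
    """Fewest words from a list of this size that reach the target entropy."""
    if list_size < 2:
        raise ValueError("list must have at least two words")
    return math.ceil(target_bits / math.log2(list_size))


def generate_passphrase(n_words: int = 5, words: List[str] = WORDS, sep: str = "-") -> str:
    """Pick words with the OS cryptographic RNG (secrets), never the seeded
    random module, so nobody can reproduce the choice."""
    if n_words < 1:
        raise ValueError("n_words must be >= 1")
    if len(words) < 2:
        raise ValueError("word list must have at least two words")
    return sep.join(secrets.choice(words) for _ in range(n_words))


if __name__ == "__main__":
    phrase = generate_passphrase(5)
    print(phrase, f"-> {passphrase_entropy_bits(5, len(WORDS)):.1f} bits with this tiny list")
    print(f"the same 5 words from a 7,776-word list: {passphrase_entropy_bits(5, 7776):.1f} bits")
    print("words needed for 64 bits: tiny list", words_needed(64, len(WORDS)),
          "/ 7,776-word list", words_needed(64, 7776))
```

The point of the last line: five words from a big list already land in the same range as a long random character string, whereas a list this small would need sixteen of them. Randomness comes from the selection, not from how unusual the words look, which is why the guide says not to pick words that mean something to you.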

Part 5 — How to switch (step by step, ~20 minutes)

Take your time. Do it once, do it calmly, in one sitting, and you're set for years.

Step 1 — Create your Bitwarden account

  1. Go to bitwarden.com and sign up (free).
  2. Choose your master password — make it a long, random passphrase (see above).
  3. Write it down on paper and store it safely (and make that second copy).
  4. Heads up: in a few steps we'll turn on two-factor authentication. It's not optional polish — plan to do it today.

Step 2 — Install Bitwarden where you'll use it

  • Browser extension on your computer (Chrome, Firefox, Edge, Safari) — this is the one that auto-fills logins.
  • App on your phone (App Store / Google Play) — so it follows you everywhere.

Step 3 — Move your existing passwords over

  1. In Chrome, go to the password settings (chrome://password-manager/settings), find Export passwords, and save the file. Chrome will ask for your computer password — that's normal and expected.
    • ⚠️ This file is a plain, unprotected list of every password you own. Save it to a simple local folder like your Desktop, not into any folder that syncs to the cloud (OneDrive, iCloud, Google Drive, Dropbox) and never onto a USB stick. It must not leave this computer.
  2. In Bitwarden (the desktop app or vault.bitwarden.com), go to Tools → Import data, pick the Chrome / Chromium option as the source, and upload that file.
    • The exact menu labels change now and then. If your screen looks a little different, the official Bitwarden import guide has current screenshots.
  3. Verify the import worked before you delete anything. Open Bitwarden and check that your most important logins — email, bank, main shopping accounts — are actually there and the passwords are correct. Imports can occasionally drop or mangle entries, so confirm with your own eyes.
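As an added, read-only check for that verification step (example code written for this guide, not a Bitwarden tool), the Python below parses the Chrome export in memory, lists which saved logins share a password (those are the ones to fix first in Step 8), and reports any export entries whose names you did not find in Bitwarden after the import. The sample rows are constructed, and the `name,url,username,password,note` header is assumed from current Chrome exports.

```python
import csv
import io
from collections import defaultdict
from typing import Dict, List

# Added, read-only sanity check for a Chrome password export, written for this
# guide (not a Bitwarden tool). It assumes Chrome's CSV header
# name,url,username,password,note. The rows below are constructed samples; in
# real use the text comes from the file in the local folder the guide describes.
SAMPLE_EXPORT = """name,url,username,password,note
Sock Shop,https://shop.example.test/login,me@example.test,Summer2019!,
Webmail,https://mail.example.test/,me@example.test,Summer2019!,
Bank,https://online.examplebank.test/login,me,"K7$mq2#vLp9!xQ",main account
Forum,https://forum.example.test/,me,Summer2019!,
"""


def parse_chrome_export(text: str) -> List[Dict[str, str]]:
    """Parse the export; reject files that lack the columns Chrome writes."""
    reader = csv.DictReader(io.StringIO(text))
    required = {"name", "url", "username", "password"}
    if reader.fieldnames is None or not required <= set(reader.fieldnames):
        raise ValueError("this does not look like a Chrome password export")
    return [row for row in reader if row.get("url")]


def reuse_groups(rows: List[Dict[str, str]]) -> List[List[str]]:
    """Groups of login names that share one password. The password itself is not
    returned, so the report is safe to show on screen. Sorted for stable output."""
    by_password: Dict[str, List[str]] = defaultdict(list)
    for row in rows:
        if row["password"]:
            by_password[row["password"]].append(row["name"])
    return sorted(sorted(names) for names in by_password.values() if len(names) > 1)


def missing_after_import(rows: List[Dict[str, str]], names_seen_in_vault: List[str]) -> List[str]:
    """Export entries whose name does not appear among the names you see in the vault."""
    seen = {name.strip().lower() for name in names_seen_in_vault}
    return sorted(row["name"] for row in rows if row["name"].strip().lower() not in seen)


if __name__ == "__main__":
    rows = parse_chrome_export(SAMPLE_EXPORT)
    print(f"{len(rows)} logins in the export")
    for group in reuse_groups(rows):
        print("same password reused by:", ", ".join(group))
    # Constructed: the names you read off the Bitwarden vault after importing.
    print("missing from vault:", missing_after_import(rows, ["Sock Shop", "Webmail", "Bank"]))
```

Run it against the real file only on the same computer, in the same sitting as the export, and then carry on with Step 4; the script never writes anything, so there is nothing extra to delete afterwards.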

Step 4 — ⚠️ Destroy the leftover export file (don't skip this!)

Now that you've confirmed the import, get rid of that plaintext file: delete it and empty your Recycle Bin / Trash.

Be aware of an uncomfortable truth: emptying the Trash doesn't truly erase the data — it can linger on the disk until overwritten. That's exactly why the rules above matter so much: the file should never have left this computer, and it helps a lot if your device's drive is encrypted (BitLocker on Windows, FileVault on Mac — both worth turning on anyway). Do the whole export → import → delete in one sitting so the file exists for as short a time as possible.

Step 5 — Turn OFF Chrome's password saving

Otherwise you'll have two managers fighting to fill in your logins.

  1. In Chrome's password settings, turn off "Offer to save passwords."
  2. Only after you've used Bitwarden successfully for a week and trust that everything's there — then delete the passwords stored in Chrome. (No rush. Two managers holding the same passwords for a week hurts nothing.)

Step 6 — Meet your new browser extension (this is where the magic happens)

The Bitwarden browser extension is that little shield icon up near your address bar. It's the part you'll actually interact with every day, so here's exactly what it does:

  • Logging in: Visit a site you've saved. A small Bitwarden icon appears inside the username/password boxes, often with a little number badge (how many saved logins match this site). Click it, pick your account, and both fields fill instantly. No typing.
  • Saving new logins: Sign up for something new and type a password? When you submit, the extension pops up a bar asking "Save this login?" — click Save and it's in your vault forever.
  • Inventing strong passwords: On any "create password" field, click the Bitwarden icon → Generate password. It produces a long random one, fills it in, and saves it — all in one click. You never see or remember it; you don't need to.
  • Pinning it for easy access: Click your browser's puzzle-piece/extensions icon and "pin" Bitwarden so the shield is always visible.
  • Auto-lock: The extension locks itself after a period of inactivity (you set how long). When locked, it asks for your master password (or your fingerprint/face on a supported device) to open back up — so a stranger at your unattended laptop can't just read your vault.

The phone app works the same way: when an app or website asks you to log in, Bitwarden offers to fill it in for you from the keyboard or a pop-up.

Step 7 — Lock down your Bitwarden account (do all of these)

Your vault is now the single most valuable thing on your computer, so let's make the safe itself bulletproof. In Bitwarden's Settings → Security:

  • Turn on two-step login (two-factor authentication). Think of it as a second lock — like the code your bank texts you, but better. Even if someone steals or guesses your master password, they still need this second factor. Pick your method wisely:
    • Best (free): an authenticator app (like Aegis, or Bitwarden's own Authenticator) that generates a 6-digit code on your phone. Use this as your default.
    • Strongest: a hardware security key (like a YubiKey) — supported on the paid plan. This is the only kind that's truly phishing-proof (more below).
    • ⚠️ Avoid SMS text-message codes where possible — they can be hijacked.
    • ⚠️ Don't use email codes for Bitwarden specifically. Here's the trap: if your email password lives in Bitwarden, and your Bitwarden second factor is an email code, then losing access to one locks you out of the other — a circular deadlock. Your email is the crown jewel; don't tie your vault's lock to it.
  • Save your two-factor recovery code — and store it SEPARATELY from your master password. When you enable two-step login, Bitwarden shows a one-time recovery code that gets you back in if you lose your phone/authenticator. Write it down — but keep it in a different place from your master password. ⚠️ If both sit on the same slip of paper in the same drawer, anyone who finds it has everything, and your second lock protected nothing. The whole point of a second factor is that it lives somewhere separate.
  • Set a sensible auto-lock / log-out timeout so the vault locks itself when you walk away.
  • Never reuse your master password anywhere else. It protects everything; it must be unique to Bitwarden.
  • Be suspicious of master-password prompts. The only places that should ever ask for your Bitwarden master password are the official Bitwarden app, extension, or the real bitwarden.com. If an email or random website asks for it, it's a scam — close it. (Be aware: a convincing fake login page can capture both your master password and an app/SMS code in real time. That's why a hardware key — which simply refuses to work on the wrong website — is the gold standard.)
  • Keep an encrypted backup (optional but smart). Occasionally use Tools → Export vault and choose an encrypted / password-protected export — never the plain CSV from Step 3 — and store it somewhere safe. This is your safety net against an accidental deletion or lockout.

The "paper safe" rule of thumb: master password and 2FA recovery code both belong on paper, stored at home — but in two different places, never together. Lose both and even you can't get back in; that's the same property that keeps hackers out.

Step 8 — Live with it for a week, then level up

Use it normally. Let it auto-fill. Then, when you're comfortable, do the most valuable habit of all:

Whenever you log into an important account (email, bank, etc.), change that password to a new random one that Bitwarden generates. Do your most important accounts first — email above all, because your email can reset every other password you own.

You don't have to fix all 200 accounts in a day. Fix the top 5 this week. The rest happen naturally over time as you log in.


Part 6 — A quick word on passkeys (the future is arriving)

You'll increasingly see websites offer "passkeys" or "sign in without a password." This is a newer, genuinely better technology where your phone or laptop proves it's you (with your fingerprint or face) and there's no password to steal or phish at all. Even the big tech companies report accounts protected by passkeys are dramatically harder to break into.

"So if passkeys are replacing passwords, why am I doing all this?" Fair question. The honest answer: passkeys are rolling out gradually. Today only some sites support them; the vast majority still use passwords, and will for years. You need a good system for both — and you want one place that handles both so you're not juggling. So:

  • Passkeys are a good thing; say yes when a site offers one.
  • Bitwarden can store and sync your passkeys too, across all your devices — so you're not locked into one phone brand. This is yet another reason a dedicated manager beats the browser default.

Password managers and passkeys aren't rivals. For years to come you'll have a mix of both, and Bitwarden handles both in one place.


Part 7 — Common worries (the skeptic's FAQ)

"Isn't Bitwarden now a single point of failure? One password to rule them all?" Yes — and that's the point. The choice isn't "one door vs. zero doors." It's "one extremely well-defended door that you control, vs. 200 flimsy doors scattered across companies you've never heard of." One strong master password + two-factor beats reused passwords every single time. You're concentrating risk into the one place you can actually make strong.

"What if Bitwarden the company goes out of business?" You're not trapped. You can export your entire vault at any moment, and because Bitwarden is open source, the apps keep working and the community can keep them alive. Worst case, you import your export into another manager in ten minutes. (And the truly independent crowd can run the open-source server themselves — see below.) Compare that to a closed system where your data leaves on the company's terms, not yours.

"Why not just use Apple/Google's built-in one plus passkeys and call it a day?" If you live entirely inside one ecosystem and only ever use that brand's devices and browser, it's a defensible middle ground — better than reuse. But you lose cross-platform freedom, independent auditability, and a true zero-knowledge guarantee, and you tie your whole vault to that one account. Bitwarden gives you all of that and still stores your passkeys. You don't have to choose.

"What happens if I lose my phone (which is my authenticator)?" Don't panic — this is exactly what the recovery code is for. The order is:

  1. From any computer, go to bitwarden.com and log in with your master password.
  2. When it asks for the two-factor code you can't produce, choose the "use recovery code" option and enter the recovery code you wrote on paper.
  3. You're in. Now go to Settings → Security, remove the old authenticator, and set up two-factor again on your new phone. This is why the recovery code on paper (stored separately from your master password) is non-negotiable.

Part 8 — For the curious / "maybe later" crowd: self-hosting with Vaultwarden

Skip this entire section if you're new. It is not required, and doing it wrong is worse than not doing it at all. This is here so you know the path exists.

Normally your encrypted vault lives on Bitwarden's servers. Some advanced users prefer to run the server themselves, on a little computer at home, so their (still-encrypted) vault never touches anyone else's machine. The popular tool for this is Vaultwarden — a lightweight, community-built server that works with all the normal Bitwarden apps.

First, an important clarification: self-hosting does not change the encryption model. Your vault is encrypted on your device either way — Bitwarden's cloud can't read it, and your own server can't read it either. What self-hosting changes is who runs the server you depend on — and that brings new responsibilities, not new encryption magic.

Why someone might want this:

  • Total ownership — your data sits on hardware you control.
  • No dependence on a company's decisions or outages.
  • It's free and very light on resources.

Why it is NOT a beginner move — the honest tradeoffs:

  • You become the IT department. Updates, backups, security, and keeping it online are now your job, forever. If your home server dies and you didn't back up, your vault can be gone.
  • Backups need protecting too. A backup of the encrypted vault database is relatively safe, but the server's admin token, config/environment files, and TLS keys are sensitive — back them up securely and test that your backups actually restore.
  • It hasn't had the same formal security audits as official Bitwarden. The official Bitwarden servers are professionally run, audited, and monitored 24/7. Your home setup is run by... you.
  • Exposing it to the internet adds an attack surface. Even though a server compromise still can't decrypt your vault (the encryption is on your device), an attacker who took over your server could serve you a booby-trapped login page that captures your master password when you sign in — or simply knock your access offline. You'd need to keep the server, its reverse proxy, and its TLS certificates patched and correctly configured.
  • A mistake locks you out, the same way a company's mistake can — except now there's no support team to call.

The sane path: Start with regular Bitwarden (the cloud version) today. It's already zero-knowledge — Bitwarden can't read your vault either way. If, months from now, you've gotten comfortable and you enjoy tinkering with home servers, then explore Vaultwarden as a project. There's no rush, and you lose nothing by waiting.


The whole thing, in one breath

  • Reusing passwords is the #1 way ordinary people get hacked — because companies get breached, not you personally.
  • A password manager fixes it by giving every account its own strong password, behind one master password you remember.
  • Browser built-in managers (Chrome, Apple) are okay but tie everything to one account and keep the keys to your data.
  • Bitwarden is free, works everywhere, and is built so nobody but you — not even Bitwarden — can read your passwords.
  • Make your master password a long random passphrase, write it on paper (two copies, kept safe), turn on app-based two-factor, store the recovery code separately, and change your most important passwords first.
  • A password manager can't save an already-infected device — keep your computer and phone clean and updated too.
  • Passkeys are a great bonus and Bitwarden handles them too.
  • Self-hosting (Vaultwarden) is a cool later project for tinkerers — not a starting point.

You don't have to become a security expert. You just have to move your keys into a proper safe. Twenty minutes today buys you years of "I don't have to worry about this anymore."


Sources & further reading