Password Manager Setup in Under 20 Minutes
A password manager is the single most impactful security tool available to most individuals. Setting one up from scratch takes considerably less time than most people assume and immediately makes online accounts both more secure and easier to access.
Choosing a password manager
The four most widely recommended options for household use are Bitwarden (free, open source, independently security-audited), 1Password (paid, excellent family plan), Proton Pass (free tier, privacy-focused with Swiss data jurisdiction), and Apple Keychain (built into Apple devices, free, excellent iOS and macOS integration). For most individuals, Bitwarden's free tier or Apple Keychain — depending on their device ecosystem — provides everything necessary at no cost.
The selection criteria are practical: does it run on all your devices (phone, laptop, tablet), does it integrate with your primary browser, and does the provider have a credible security track record? All four of the options above have strong security records, support major platforms and browsers, and require no ongoing active security management from the user once set up.
Creating the master password
The master password must be strong — it is the only password requiring active memorisation, and it protects every other credential stored in the vault. A passphrase rather than a password is the recommended approach: four to five random, unrelated words create a string that is both long enough to be cryptographically strong and memorable enough to recall without writing it down in insecure locations.
Write the master password on paper immediately after creating it and store it in a physically secure location — a drawer at home, a document held by a trusted person, or a safe. This is not a security risk; it is an essential recovery provision. Losing the master password to a vault containing hundreds of credentials is a severe problem with no easy remedy, and physical paper backup prevents it.
Importing existing passwords
Most password managers allow bulk import of existing saved passwords from browsers and other managers in CSV format. The process: export passwords to CSV from the browser's password settings (available in Chrome, Safari, and Firefox under their respective settings menus), then import the CSV file through the password manager's web vault or desktop app. This takes five to ten minutes and immediately populates the vault with all existing accounts.
After import, the password manager will typically identify duplicate or weak passwords through a security dashboard or health report. Addressing these — changing flagged passwords to unique manager-generated ones — can be done gradually over days or weeks, starting with the most important accounts: email addresses, banking, and any account containing financial or personal information.
Installing the browser extension and mobile app
The browser extension is the primary interface for day-to-day use. It detects login fields automatically and offers to fill credentials, or prompts to save new credentials when a new account is created. Installing the extension in every browser used and testing it by logging into a known website confirms it is working correctly before relying on it.
The mobile app provides identical functionality on phones and tablets. On iOS and Android, the password manager can be set as the default autofill provider, allowing it to fill passwords in apps as well as in mobile browsers. This configuration takes two to three minutes in the device's password or autofill settings and eliminates most of the typing that password management previously required.
The first thirty days
For the first month, the priority is simply to save every login not already in the vault as it is encountered in normal use, and to allow the manager to fill passwords automatically rather than typing them. This builds the habit organically and populates the vault progressively without requiring a dedicated session to address every account simultaneously.
After thirty days, reviewing the security dashboard provides a clear picture of the most important accounts still using weak or reused passwords. Working through the flagged list systematically over several weeks completes the transition to a fully managed credential set and eliminates the primary vulnerability that account reuse creates.
Key Takeaways
- Bitwarden (free) or Apple Keychain (built-in) are adequate for most individual users — no purchase necessary.
- Create a passphrase master password and store a written copy in a physically secure location immediately after setup.
- Import existing browser passwords via CSV export in five to ten minutes — this populates the vault instantly.
- Install the browser extension and mobile app and test autofill immediately to establish the daily-use habit.
- Use the security dashboard in the first thirty days to identify and prioritise changing weak and reused passwords on important accounts.