Manage your passwords safely

Updated28 March 2024

No human brain is powerful enough to develop and remember passwords that are sufficiently long, random and unique to keep all of their devices and accounts secure. A password manager generates and stores these passwords for you, protecting them with encryption.

Password managers store passwords in your computer or on remote servers ("in the cloud"). Even if most cloud-based password managers are end-to-end encrypted, they can be exposed to hacking attempts without you noticing. This is why we strongly recommend using an offline password manager installed in your computer like the ones listed in this guide and in our section on password managers. If you still think that an online password manager is the best choice for you, read our recommendations at the end of this guide to minimize potential risks.

Some browsers, email clients or built-in applications like iCloud Keychain will also offer to store your passwords for you. This is generally less secure than using a dedicated password manager for all your passwords. If you still think it would be convenient for you to store some passwords in your browser or mail client, you can follow our advice on how to do this securely on Firefox, Chrome/Chromium and Thunderbird. Any solution that uses the same password for unlocking both your account and your password manager (like iCloud Keychain for example) should not be considered secure enough and we strongly recommend using a dedicated password manager instead.

Read the following paragraphs to learn how to use password managers to generate and safely store strong and unique passwords.

Use a password manager installed in your device

• Get KeePassXC (for Linux, macOS or Windows), KeePassDX (for Android), or Strongbox (for iOS or macOS).
• Let the password manager generate and save a long, random, unique password for each of your accounts.
• Read our guides on KeePassXC and KeePassDX to learn how to generate and store your passwords safely.
• If you need an online password manager, see the section on online password managers at the end of this guide.
• We do not recommend using your browser or email client to generate or store your passwords. If, for some reason, you really need to do this, read our recommendations on how to reduce the risks of storing passwords in your browser or email client.

Back up the database of your password manager

Follow these instructions to back up the database of your password manager:

• How to back up KeePassXC
• How to back up KeePassDX
• How to back up Strongbox

If there are passwords or backup codes you need to keep outside of your password manager

• If you must write passwords down on paper, store them in a secure, locked place like a safe or desk drawer.
  • It's important that your passwords aren't visible to those who pass by, or easy to find and copy.
  • Do not keep paper copies of your passwords in your wallet.
• Destroy any paper copies of passwords or backup codes thoroughly as soon as you no longer need them.
• Alternatively keep these passwords on another device.
• You may also hide your passwords between other notes with no explanation or description.

If you decide to use an online password manager

• Avoid storing highly sensitive account information (like financial account or recovery account logins) in the online database.
• Protect access to your online database with 2-factor authentication.
• We recommend Bitwarden as an online password manager.

If you decide to store some passwords in your browser or email client

If you find it convenient to store some passwords in your browser or email client, it's best to only do so in Firefox and Thunderbird and to minimize risks based on the following advice.

• Avoid storing highly sensitive account information (like financial account or recovery account logins) in your browser.
• Make sure to set a strong and unique primary password following the instructions below:
  • Firefox
  • Thunderbird
• Close your browser whenever you aren't using it and do not sync it on devices you do not trust.