Task 3: Set Up and Learn to Use a Password Manager
In the last article, we explored the importance of strong authentication — what makes a password secure, why passphrases offer better protection, and how a password manager simplifies the entire process.
We’ve intentionally placed this step as Task 3 because adopting a password manager will make many future tasks easier and more manageable.
For many people, setting up and getting used to a password manager is one of the most challenging steps in improving their cybersecurity habits.
But here’s the good news: once you’ve made the leap, managing passwords actually becomes much easier than before. We like to tell our customers, “Once you jump in, the water’s really nice!”
In this Task, we’ll guide you through the practical how-to of setting up and using a password manager effectively.
As a quick reminder, here are the key benefits of using a password manager:
- Generates strong passwords or passphrases for you.
- Stores your passwords securely in an encrypted vault.
- Autofills login forms, so you never have to type (or remember) complex passwords.
- Works across devices, letting you access your passwords on all your computers and mobile devices.
- Protects against phishing sites by only filling passwords when the URL matches exactly—helping you avoid fake login forms.
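To make the last point concrete, here is an added example (not from this article or from any password manager's code) of the kind of check behind autofill. It assumes "matches" means the same scheme, host and port as the saved login; the URLs are constructed and use reserved test domains.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}


def origin(url: str):
    """Return (scheme, host, port), normalised so equal sites compare equal."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    # hostname is already lower-cased; drop a trailing dot, then IDNA-encode
    # so look-alike Unicode letters become a visibly different "xn--" name.
    host = (parts.hostname or "").rstrip(".")
    host = host.encode("idna").decode("ascii")
    port = parts.port or DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def should_autofill(saved_url: str, page_url: str) -> bool:
    """Fill only on HTTPS pages whose origin equals the saved login's origin."""
    saved, page = origin(saved_url), origin(page_url)
    return saved[0] == "https" and saved == page


SAVED = "https://login.example-bank.test/"  # constructed vault entry

# Constructed pages a user might land on, with the expected decision.
PAGES = {
    "https://login.example-bank.test/signin?next=1": True,    # same site
    "https://LOGIN.Example-Bank.test.:443/": True,            # same after normalising
    "http://login.example-bank.test/": False,                 # not encrypted
    "https://login.example-bank.test.evil.example/": False,   # real name used as a subdomain
    "https://login.examp1e-bank.test/": False,                # digit 1 instead of letter l
    "https://login.ex\u0430mple-bank.test/": False,           # Cyrillic "a" look-alike
}

if __name__ == "__main__":
    for page, expected in PAGES.items():
        print(should_autofill(SAVED, page), expected, page)
```

A person reading the address bar can miss every one of the rejected cases; a string comparison cannot.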
By now, you know why password managers are essential to your security. In this task, we’re going to focus on getting it done — choosing a password manager, setting it up, and making it part of your daily workflow.
Step 1: Choose a Password Manager and Sign Up
You don’t need a complicated, enterprise-grade solution to get started. For most small businesses, a reliable, user-friendly password manager is all you need.
Our Recommended Options:
- Bitwarden (affordable, open-source, and has a great free tier)
- Keeper (strong enterprise features)
- 1Password (easy to use, great for teams)
Each of these options has a lot of excellent features. Bitwarden stands out for its free tier, and its free Personal plan is good enough for single-person small businesses. For small businesses with multiple employees, we highly recommend using Keeper – it doesn’t have a free tier but pricing starts at $2/user/month and caps at $5/user/month with full enterprise options for larger organizations.
When evaluating password managers, we recommend looking for at least the following basic features:
- Works on all your devices (desktop, mobile, browser)
- Supports secure sharing (if you’ll be collaborating)
- Offers Multi-Factor Authentication (MFA)
Step 2: Create Your Master Password
Your master password is the single password you need to manage yourself—it unlocks access to all your other passwords. This password needs to be:
- Long (aim for 24+ characters)
- Unique (never used anywhere else)
- Easy for you to remember, but hard for others to guess
- We highly recommend using a passphrase as it will be much easier to remember!
A passphrase like: “Correct-Purple-Battery-Stapler-Horse!” … is an excellent choice.
We recommend using a passphrase generator like this one from Keeper. Use at least 5 words. More is better but harder to remember.
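For readers who want to see what such a generator does, here is an added example (not Keeper's code and not part of the original article). It applies the rules above: at least 5 randomly chosen words and at least 24 characters. The 32-word list is a constructed sample so the code runs offline; a real generator draws from a list of thousands of words, and the entropy helpers show why that matters.

```python
import math
import secrets

# Constructed 32-word sample list (assumption for this example only).
# Published lists used by real generators hold thousands of words, e.g. 7,776.
SAMPLE_WORDS = (
    "anchor", "basket", "candle", "dolphin", "ember", "falcon", "garnet", "harbor",
    "island", "jacket", "kettle", "lantern", "magnet", "nickel", "orchid", "pepper",
    "quartz", "ribbon", "saddle", "timber", "umbrella", "velvet", "walnut", "yonder",
    "zephyr", "acorn", "birch", "cobalt", "fig", "oak", "plum", "reef",
)


def entropy_bits(list_size: int, n_words: int) -> float:
    """Bits of entropy when n_words are drawn uniformly at random from the list."""
    return n_words * math.log2(list_size)


def words_needed(list_size: int, target_bits: float) -> int:
    """Smallest number of words whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


def generate_passphrase(words, n_words: int = 5, min_length: int = 24, sep: str = "-") -> str:
    """Pick words with the OS random source, never with the `random` module."""
    if len(set(words)) != len(words):
        raise ValueError("word list contains duplicates")
    if n_words < 5:
        raise ValueError("use at least 5 words")
    chosen = [secrets.choice(words) for _ in range(n_words)]
    # If the result is too short, add words rather than re-rolling:
    # throwing away short results would shrink the set of possible outcomes.
    while len(sep.join(chosen)) < min_length:
        chosen.append(secrets.choice(words))
    return sep.join(chosen)


if __name__ == "__main__":
    print(generate_passphrase(SAMPLE_WORDS))
    print("5 words, 32-word list:   ", entropy_bits(32, 5), "bits")
    print("5 words, 7,776-word list:", round(entropy_bits(7776, 5), 1), "bits")
    print("words needed from 32-word list for 64 bits:", words_needed(32, 64))
```

The strength comes from the random choice and the size of the list, not from how unusual the words look, which is why picking the words yourself is weaker than letting the generator do it.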
Managing Your Master Password
Your master password is the single key that unlocks your entire password vault. If you forget it—and don’t have it securely backed up—you could lose access to all your accounts.
That’s why it’s critical to have a secure, physical backup.
Here’s what we recommend:
- Create Two Physical Copies of Your Master Password:
  - Write your master password down by hand on two separate pieces of paper.
  - Don’t store it digitally (like in a notes app or a photo)—that defeats the purpose of having a secure backup.
- Store One Copy in a Long-Term Safe Location:
  - This copy should go into a locked safe, lockbox, or other secure physical storage.
  - You won’t touch this copy unless it’s an emergency recovery situation.
- Keep the Second Copy Accessible (But Still Safe) For the First Few Days:
  - You’ll need to refer to your master password regularly as you start using your password manager.
  - Store this copy in a place that’s convenient but still reasonably secure—like a locked desk drawer.
  - The goal is to make it easy to access while you’re still memorizing it.
- Once You’ve Memorized It, Destroy the Second Copy:
  - After a week or so—once you’re confident you know your master password—destroy the second copy.
  - From this point on, you’ll rely on memory and the emergency copy stored in your safe.
This method ensures you’re protected against both forgetfulness and accidental exposure, while also giving you a smooth onboarding experience.
Step 3: Set Up Your Vault
Once you’ve created an account and logged into the password manager, you’ll be introduced to your vault—this is where all your passwords will be stored.
You can think of it as your personal safe, accessible only to you, protected by your master password and multi-factor authentication (which we’ll cover later).
Step 4: Install Browser Extensions and Mobile Apps
To get the most out of your password manager, install:
- A browser extension for whichever browser you use (Chrome, Firefox, Edge, etc.; we recommend Firefox for its excellent default security features)
  - A browser extension allows the password manager to autofill login forms on websites!
- A mobile app on your phone and/or tablet
  - There may be times when you need a password and your computer browser is inaccessible. For example, you may need to access your Windows password. A mobile app is great for this!
This allows the password manager to:
- Autofill login forms on websites and apps
- Save new credentials as you log in to websites
- Sync across all your devices securely
Step 5: Familiarize Yourself With Key Features
Before we move on to replacing your old passwords, take a few minutes to get comfortable with how your password manager works. Focus on these basics:
- Saving a new login: Try creating a test entry in your vault manually.
- Using autofill: Visit a website where you’re logged out and see how the password manager helps you log in.
- Searching your vault: Practice finding stored items quickly.
- Organizing entries: Some password managers allow folders, tags, or labels.
💡 Pro Tip: A password manager can securely store all kinds of sensitive information—not just passwords. Think software license keys, Wi-Fi passwords, secure notes, and more. It’s also searchable, so you can quickly find what you need when you need it. Don’t be afraid to use it for everything sensitive—you’ll be more organized and secure at the same time.
Step 6: Enable Multi-Factor Authentication (MFA) for Your Vault
Your password manager should offer MFA to secure your account. This adds an extra layer of protection even if your master password is ever compromised.
Use an authenticator app (like Google Authenticator, Authy, or Microsoft Authenticator) to set this up. If you don’t know how to do this, not to worry! We’ll cover this in Task 5.
Wrapping Up Task 3
At this point, you should:
- Have a password manager installed and set up on all your devices.
- Know how to save, find, and autofill passwords.
- Understand the basics of how it will help you streamline and secure your logins.
- Have multi-factor authentication enabled for your vault.
Before we conclude this article, let’s look at some common mistakes that people make when using password managers. You’re putting in the work, so let’s make sure you’re doing it right!
Common Mistakes with Master Passwords (And How to Avoid Them)
- Storing the Master Password Digitally: Never save your master password on your computer, email, or cloud storage. If your device gets compromised, attackers will have access to everything.
- Choosing an Easy-to-Guess Master Password: Avoid using common phrases, pet names, or anything predictable. Use a unique passphrase that’s long, memorable, and hard to guess.
- Not Making a Physical Copy: Many people skip creating a physical backup, assuming they’ll never forget it—until they do. Always have a recovery plan in place.
- Keeping a Copy in an Insecure Place: We hate to say it, but we’ve personally coached customers on secure password practices—only to visit them later and find their master password (and sometimes other credentials) taped to a monitor, scribbled on a sticky note, or left in a drawer anyone could open. If someone gains physical access to your workspace, this is the first thing they’ll look for. Always store physical backups in a secure, locked location—never in plain sight.
In the next task, we’ll guide you through importing accounts, generating strong passwords, and replacing weak or reused passwords with strong, unique ones.