They promised us flying cars. We got passwords to do our shopping. But given that secure, random, and frequently updated passwords are now the cornerstone of keeping our financial assets safe, Monevator contributor The Realist makes the case for using a password manager to wrangle them…
Nearly every aspect of our lives in today’s digital world requires a login. As a result the average person juggles dozens of online accounts. (And that’s before they’ve even gotten into stoozing…)
Count how many times a day you’re asked for some kind of account details – from reading the FT to ordering a pizza to checking your ISA. The answer might surprise you.
The challenge: how to remember all the passwords we need just to get through the day and keep on top of our financial affairs.
Common solutions include writing them down or making them all the same.
Neither stacks up in 2025. They weren’t good solutions in 2005, to be honest.
One password to rule them all
If you still rely on Post-it notes stuck to your printer, then you need a password manager. They are the best way to generate robust passwords that guard you against identity theft and financial cyber crime.
Completely random passwords will always be far stronger than those you come up with off the top of your head, or that resurrect the fading memory of a childhood pet.
Password-cracking programs try all the common passwords first. They then use repeated passwords found elsewhere across the internet. You need something special to ward them off.
Enter the password manager
A password manager is a piece of software that securely stores – and often also creates – unique random passwords for your online accounts.
The password manager enables access to this encrypted database of all your passwords via a single ‘master password’, or biometrics if available on your device.
Most managers also include a browser extension that enables secure autofill logins online to save you time.
Don’t panic if those two sentences have already brought on the cold sweat of techno-fear! It’s simple once you take the first step. Good software will walk you through the process.
Obey your master
The master password is your gateway key. It’s the only password that you will need to remember. You’ll use it a lot so familiarity will help.
The best tip for an effective master password is to use a passphrase.
Brute force cyber attacks involve a trial-and-error approach until an account is compromised. A longer password – or phrase – gives a higher level of defence.
One method for creating a master password you will remember is:
- Group three words together
- Separate each word with a special character
- Add a number
- Then replace letters with more special characters to increase randomness.
For example, simply using items I can see from where I’m sat writing I can devise:
- Lamp$had3=paint!ng@c0ffee94
[Um, where does the remembering hack come in? – Ed]
What’s in a (pass)word?
Password managers can store more than just passwords. Sophisticated password managers can safely store all kinds of information.
Think passport details, driver’s licence, insurance certificates – anything you might require on or offline, stored safely so you don’t need to have the document with you.
The benefits can be significant.
For instance, imagine being contacted regarding a suspicious transaction on some account you rarely use, whilst you’re away on holiday.
It could be a scam. But at a minimum, a password manager would enable you to log in and check an account when you can’t even remember what username you used to set it up. Then, if necessary, you could generate, update, and store a new strong password – all from the comfort of your sun lounger.
Another idea: you could save the emergency contact details of financial organisations together with your account numbers in advance for quick access when you’ve no paperwork to hand.
Most password managers have toggles to include (or not) CAPITALS, $pec!al characters, or numb3rs – as well as the ability to choose a password length to fit the requirements of the account in question.
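As an added illustration (example code written for this page, not taken from the article or from any of the password managers it names), the Python below shows the two generator styles a manager offers: random characters with the class toggles and length setting described above, and random words. It also computes the entropy each choice buys, and includes the sort of composition rule a site enforces. The eight-word list and the `meets_policy` rule are assumptions for the example; a real manager draws from a list of thousands of words.

```python
import math
import secrets
import string

# Character classes that a manager's generator lets you toggle on or off.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "special": "!@#$%^&*()-_=+[]{};:,.?/",
}

# Constructed stand-in for a real word list; a diceware list has 7776 words.
WORDS = ["lamp", "shade", "paint", "coffee", "window", "chair", "plant", "mug"]


def build_alphabet(upper=True, digits=True, special=True):
    """Return the pool of characters allowed by the chosen toggles."""
    alphabet = CLASSES["lower"]
    if upper:
        alphabet += CLASSES["upper"]
    if digits:
        alphabet += CLASSES["digits"]
    if special:
        alphabet += CLASSES["special"]
    return alphabet


def generate_password(length=20, upper=True, digits=True, special=True):
    """Pick `length` characters uniformly at random from the allowed pool.

    Uses `secrets`, not `random`: a password must come from a CSPRNG.
    """
    if length < 1:
        raise ValueError("length must be positive")
    alphabet = build_alphabet(upper, digits, special)
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(word_count=5, separator="-", wordlist=WORDS):
    """Join randomly chosen words; the strength is in the choice, not in odd spelling."""
    if word_count < 1:
        raise ValueError("word_count must be positive")
    return separator.join(secrets.choice(wordlist) for _ in range(word_count))


def entropy_bits(pool_size, picks):
    """Entropy of `picks` independent uniform choices from `pool_size` options."""
    return picks * math.log2(pool_size)


def meets_policy(password, min_length=12, upper=True, digits=True, special=True):
    """A typical site rule (assumed here): minimum length plus one of each enabled class."""
    if len(password) < min_length:
        return False
    if upper and not any(c in CLASSES["upper"] for c in password):
        return False
    if digits and not any(c in CLASSES["digits"] for c in password):
        return False
    if special and not any(c in CLASSES["special"] for c in password):
        return False
    return True


if __name__ == "__main__":
    pw = generate_password(20)
    print(pw, round(entropy_bits(len(build_alphabet()), 20), 1), "bits")
    print(generate_passphrase(), round(entropy_bits(7776, 5), 1),
          "bits with a 7776-word list")
```

Twenty characters from the full 86-character pool give about 128 bits; five words from a 7776-word list give about 65 bits, which is still far beyond what a cracking rig can enumerate, and the phrase is the one a human can type.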
Password managers can also make routine changing or resetting passwords a breeze.
Some password managers will even warn you of a known data breach on a third-party website where you have an account. You can then reset your passwords with a button click. You can also choose to change all your passwords periodically for optimal security.

Advanced apps such as 1Password can do much more than just remember passwords.
Modern bank robbers carry laptops, not balaclavas.
But by centralising and safeguarding your login credentials, you can protect your data, save time, and enjoy more peace of mind.
Using a quality password manager is like the digital security equivalent of a passive index fund investment. Fit and forget, and then it’s doing its thing in the background, 365 days a year.
There’s an app for that
Even my toothbrush now ‘requires’ me to use an associated app. It gets tedious.
But a password manager app really is one to take a look at, download, and use. It will enable the seamless syncing of all your passwords and data across any device, and allow you to log in at the touch of a button or a scan of your face.
There are countless options available. I’m in no position to debate the pros and cons of each. Plenty of tech blogs out there review them if you wish to dig in.
Personally, I use 1Password and have done for years. It’s a paid service but for me it’s been flawless.
One consideration is that – similar to switching from iPhone to Android – once you go down a road you’re semi-locked into that system. Yes you can change, but the data porting may come with some pain. (Apparently 1Password enables you to import passwords from other managers, but I’ve not tested this myself).
In researching this article, I’ve noticed I’ve a mind-blowing 219 logins stored within 1Password. The sites covered range from financial services to online stores I visited years ago to old magazine subscriptions I no longer use (but where my personal data is likely still out there.)
Another good option is Keychain, Apple’s own password manager. It’s integrated for free within macOS and iOS. Keychain is a great option and seamless in use. The drawback is it’s limited to Apple devices.
Google has a similar one for Android though, and Microsoft offers the same for its Edge browser.
Searching for freebies
There are also many free open-source options available. (Let us have your recommendations in the comments!)
Personally, I would rather pay a small fee and have some come-back for such a critical piece of software. But many people do use free versions without issues.
The best one for you is the one that suits you. This will come down to a function of pricing, features, interface, and usability. Some password managers offer a free trial, so check to see if you can try before you buy.
I’ve listed a few popular options below, but this is by no means exhaustive:
Look out for a manager that supports Multi-Factor Authentication (MFA).
As you’ll probably know from using it already – even if the actual acronym has so far escaped you – MFA is an electronic security method where you must provide two or more distinct types of verification to gain access to a resource, such as a website or application.
You should always use MFA where you can. It adds an extra layer of protection to the first-line defence afforded by a password.
QWERTY1234
There is usually a buy-in period with learning any new tool. Password managers are no different.
The initial set-up can take a bit of time, particularly if all your passwords need changing from Hurst66 to ZbP=!pziAJx2v4efc4V7J.
But once you’re done, ongoing maintenance is easy.
Many password managers will prompt you to save passwords when you first log into sites online. This way you can steadily change them as you come to use them.
That’s particularly handy with some of the less frequently used logins, such as pension accounts where you may not have daily, weekly, or even monthly interactions. [Um, speak for yourself – Ed]
Securing your financial future
In an age where cyberattacks are increasingly sophisticated, password management is no longer optional. It is essential to protect your personal and financial data.
If your preferred method is a little black book that’s locked in a safe, then fine. As I said above, the best password manager is the one that works for you.
But you should still change your passwords regularly. Keep them random and don’t use the same one for Tesco that you use for your online broker.
Like it or not, our lives are becoming more digitalised. For starters, you are reading this on a digital platform.
But password management software is designed to work with you, not against you, and today’s tools offer a blend of convenience and security that manual methods simply cannot match.
Further reading:
- Tips from the National Cyber Security Centre
Just to say I’m a very happy Keepass user for at least the past 13 years. I don’t tend to do anything high value on mobile devices, so the lack of cloud native sync isn’t a significant issue, and I value the reduced attack surface.
I concur MFA is desirable, but is still potentially at risk of MITM attacks, so be careful with how you store the links to sites, and I try and go to sites via bookmarks rather than via links from emails as a matter of habit.
I would query the recommendation to change passwords regularly. Certainly GCHQ doesn’t see much value in it, so long as you can trust their advice not to be self-serving. The corollary of course is that if you have any hint that a password or site has been compromised you should reset the password as a matter of urgency; you’re potentially racing a GPU cluster trying to break password hashes.
Good post. Personally I use keepass synchronised to my OneDrive so I can access it across all devices. A password manager is an absolutely essential tool in 2025.
My area of expertise.
You only need a separate password manager if you need to log into an account from a bunch of different computers with different browsers. Otherwise the password manager built into your web browser will achieve the same ends without needing to trust another 3rd party application (you need to trust the browser anyway).
Using a password manager that auto-fills passwords for you is important as it will help protect you from attackers that create fake websites which look like real ones. For example if a scammer were to register the website http://www.aibell.co.uk, your browser can tell the difference even if you can’t and won’t auto-fill your http://www.ajbell.co.uk password for you.
Humans are bad at remembering things so you should only try to memorise credentials for accounts that you *need* to access cold: the login for your laptop, accounts that you need to be able to access from someone else’s computer, etc. Everything else should be randomly generated (by a computer) and stored (by a computer) to avoid password fatigue.
Adding capital letters, numbers, and punctuation makes passwords much harder to remember (and type) for very limited security value. The practice started from technical limitations of ancient computer systems and has no place in this century! It’s better to use a simple password system (random words) and make it long enough to achieve adequate entropy. NCSC and NIST both recommend against the practice and competent service providers that follow security best practice do not require multiple ‘food groups’ (but plenty of incompetent ones still do).
Changing passwords regularly causes people to use bad passwords (password fatigue). Where a human absolutely needs to remember a password (see above) they should make a good password once and then not change it unless they have reason to believe it has been compromised. NCSC and NIST both recommend this in their guidance and competent service providers won’t require them to be changed periodically.
It is worth putting some consideration into backup and recovery. Most online accounts allow you to reset your password over email if you forget it which means your email account is a single point of compromise for most of your digital life. Anything which doesn’t allow reset over email deserves consideration for what happens if you forget/lose/break the things you need to access it. What happens if you use an encrypted password manager and forget the master encryption password?
“keep it secret, keep it safe” – Gandalf
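An added example, not part of the comment above nor any browser's own code, of the origin comparison that makes auto-fill refuse the look-alike site. The vault entries and URLs are constructed for the demonstration; the rule they illustrate is exact origin matching (scheme, host and port) rather than anything a human would do by eye.

```python
from urllib.parse import urlsplit


def canonical_origin(url: str):
    """Reduce a URL to (scheme, host, port), the triple browsers use for 'same site'.

    The host is converted to its IDNA (punycode) form so a name spelled with
    look-alike non-Latin letters never compares equal to the ASCII original.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not a web origin: {url!r}")
    host = parts.hostname.encode("idna").decode("ascii")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return (parts.scheme, host, port)


def should_autofill(stored_url: str, page_url: str) -> bool:
    """Fill only when the page's origin equals the origin the credential was saved for.

    No substring or 'looks similar' logic: aibell, a sub-domain of an attacker's
    domain, a homograph, or a plain-http copy of an https site all fail the test.
    """
    try:
        return canonical_origin(stored_url) == canonical_origin(page_url)
    except ValueError:
        return False


def matching_entries(vault, page_url):
    """Return the vault entries whose saved origin matches the current page."""
    return [entry for entry in vault if should_autofill(entry["url"], page_url)]


# Constructed vault entries for the demonstration (not real accounts).
VAULT = [
    {"site": "AJ Bell", "url": "https://www.ajbell.co.uk/login", "user": "alice@example.com"},
    {"site": "Tesco", "url": "https://www.tesco.com/account", "user": "alice@example.com"},
]


if __name__ == "__main__":
    for page in ("https://www.ajbell.co.uk/dashboard",
                 "http://www.aibell.co.uk/login",
                 "https://www.ajbell.co.uk.evil.example/login",
                 "https://www.\u0430jbell.co.uk/login"):   # Cyrillic 'а' in place of Latin 'a'
        print(page, "->", [e["site"] for e in matching_entries(VAULT, page)])
```

Only the first of the four pages above gets a credential offered; the manager's refusal to fill on the other three is the cue, as the comment says, that something is off with the page you are looking at.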
I use Bitwarden for passwords and Authy for 2FA. Happy with both of them. I started out with Lastpass but switched when the free option became more restrictive, and I now prefer Bitwarden. The free tier of Bitwarden is enough for my needs, but I pay as it is only $1 a month and I want to support it.
All good advice; I’ve been a 1password user for many years. Also, passkeys are interesting for the geeky.
https://www.ncsc.gov.uk/collection/top-tips-for-staying-secure-online/password-managers is probably decent background reading.
Regular password changes led to users making minor changes leading to predictable passwords. NIST dropped the password change requirement years ago.
It might be worth pointing users at Troy Hunt’s Have I Been Pwned website where they can see which services have leaked their credentials. I believe 1Password integrates this service.
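An added example (written for this page; not from any commenter, and not 1Password's own implementation) of how a checker can consult Have I Been Pwned's Pwned Passwords range API without ever sending the password, or even its full hash, off the machine. The endpoint and response format are the public ones; the sample response body below is constructed, with the first suffix being the genuine SHA-1 of the word "password" and the counts invented for the demonstration. The live `fetch_range` function is included but is not called by the offline demo.

```python
import hashlib
from urllib.request import Request, urlopen

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form the service indexes."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest_hex: str):
    """k-anonymity split: only the first five hex characters leave your machine."""
    return digest_hex[:5], digest_hex[5:]


def parse_range_response(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}.

    Padding lines (count 0) that the service adds on request are kept; they are
    harmless and mean the response size does not reveal which range was asked for.
    """
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix: str, timeout: float = 10.0) -> str:
    """Live lookup of one five-character prefix (several hundred suffixes come back)."""
    req = Request(HIBP_RANGE_URL + prefix,
                  headers={"User-Agent": "password-audit-example", "Add-Padding": "true"})
    with urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch=fetch_range) -> int:
    """How many times the password appears in known breaches (0 means not seen).

    `fetch` is injected so the check can run against a canned body offline.
    """
    prefix, suffix = split_hash(sha1_hex(password))
    return parse_range_response(fetch(prefix)).get(suffix, 0)


# Constructed sample body in the API's format for prefix 5BAA6. The middle suffix is
# the real SHA-1 tail of "password"; every count here is made up for the example.
SAMPLE_RANGE_BODY = """\
0018A45C4D1DEF81644B54AB7F969B88D65:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1F2AB3C4D5E6F708192A3B4C5D6E7F80912:0
"""


if __name__ == "__main__":
    offline = lambda prefix: SAMPLE_RANGE_BODY   # stand-in for fetch_range
    for candidate in ("password", "ZbP=!pziAJx2v4efc4V7J"):
        print(candidate, "seen", breach_count(candidate, fetch=offline), "times")
```

A manager that offers this check is doing exactly this on your behalf: hashing locally, sending five characters, and comparing the rest at home. Swapping `offline` for `fetch_range` in the last block turns it into a live query.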
I would be interested to know which authenticator apps people use for getting 2FA codes.
From my basic research I have learnt it is very important to have a robust backup procedure in place so that one can transfer 2FA tokens to a new phone in case of phone loss/theft. Otherwise, you will obviously be locked out of your account.
Some security experts suggest printing out the QR codes when setting up 2FA on a site (and obviously keeping them somewhere safe).
@Index
I use the open source FreeOTP developed by Red Hat.
@Index, I’ve used KeepassXC to do this in the past, IIRC for Github.
Sound advice!
I’m reminded of the classic xkcd comic (search “xkcd 936”) where it shows that ‘through 20 years of effort we’ve successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess’ 😉
Very happy 1Password user here (though company pay for the account, and I might have gone with BitWarden if funding myself).
I left LastPass on principle after they dealt with a hack and compromised master passwords appallingly (Google ‘Lastpass controversy’)
I’m still using Authy for 2FA but they had a hack and also shut down their Desktop app – I’ve been meaning to move to the open source Ente Auth
Like some others I’ve used a password manager for donkey’s years. It was Lastpass until they got hacked and became restrictive, so for a number of years I’ve used Bitwarden across my Android phone, iPad and Win11 devices. It’s open source so is reasonably safe.
I also use Authy for my MFA codes.
I prefer not to use Microsoft, Google, Apple based software for this stuff as they already know enough about me.
I do disagree with Gandalf about using auto-fill on browsers as that has had a few issues of late e.g. where hidden fields are auto-filled without us knowing but gives info to scammers.
I don’t use Passkeys yet as they seem immature in their usage so far, and Bitwarden + Authy does the job for me.
BTW I have over 500 logins in my vault. That’s a lot of sticky notes.
Keepass and Keepassium for iphone I have also used for years. Needs a little bit of effort to set up. I back up the small password database file (it’s encrypted, of course) to one of the free cloud data areas e.g. Dropbox so that it is common between devices. All 0% TER.
Used to use LastPass until they had data breaches and did not open up about it. Moved everything to Bitwarden, which I’ve been happy with. I know in this modern age a password manager is needed, but we entrust all of this to a 3rd party which is open to attack.
Thirding the motion that “regular password changing” is outdated and incorrect advice. Personally I’m a fan of Passkeys, unphishable though they’re only just starting to roll out across the web.
Great article!
One note on Apple Keychain: they do have an extension for Chrome, so you can use it there.
I got 1Password recently as it seemed to be the most recommended when researched. Still slowly adding the ridiculous number of accounts I have to it.
Be good if 1Password could track points expiry dates for hotel and airline loyalty membership. Used to have AwardWallet until they upped prices for an inferior service. Possible to set expiry notices on 1Password but have to stay on top of it.