There is a world of difference between a rule you break and a rule you cannot keep. “A different password on every site” is the second kind.
Of the whole catechism we learned — the capital letter, the number, the symbol, the mandatory periodic reset — NIST threw nearly all of it overboard in SP 800-63B. Length came to matter more than contortion. Forced rotation was dropped unless there is evidence of compromise. The demand for symbols was replaced by something far more sensible: checking the password against lists of the ones already breached.
One rule survived. Don’t reuse. And it’s the one we paid least attention to, because keeping it required something no poster in the office kitchen ever mentioned.
Why your memory can’t do it
Think about how many accounts you have. Not the ones you use: the ones you have. The bank, the email, the other email, the shop where you bought a pair of trainers in 2019, the forum, the airline, the parking app, the building management portal, the government site that made you register for a five-minute form.
Now imagine memorising a long, random, different string for each one. It isn’t that it’s hard. It isn’t a goal a human brain can reach, and insisting otherwise for years has been one of the lesser cruelties of information security.
So we did the only thing available: one good password and its variations.
Rufus2019! for the bank and Rufus2019? for the forum. Or simply the same one
everywhere, with a mental asterisk saying “well, the bank has its own.”
And there’s the problem, because the real attack isn’t guessing your password. It’s trying the one already stolen from you somewhere else. The 2019 forum gets breached — 2019 forums get breached — someone takes that list of emails and passwords and runs it, automatically, against every service they can think of. Nothing has to be broken. You handed over the key already; they’re just trying doors. That’s credential stuffing, and it works precisely because the only rule that mattered was the one nobody could keep.
A manager isn’t convenience
This is where the password manager usually gets sold as a luxury: so handy, it fills things in for you, no typing. True, and beside the point.
A manager doesn’t save you effort: it makes possible a rule that is unreachable without it. It’s the difference between telling you to run a hundred kilometres and handing you a bicycle. The number doesn’t change; whether you can do it does.
With one in front of you, everything else in SP 800-63B sorts itself out. Long rather than complex? The manager generates them at whatever length you like, because you’re never going to type them. Different on every site? Trivial, by definition. No forced rotation? Perfect: you only change the one that leaked, and plenty of managers tell you when that happens. The only one you still have to memorise is the master, and that one does deserve care — four or five random words in the generator and a look at how it holds up in the checker.
The honest objection
“All your eggs in one basket.” I’ve heard it a thousand times and it isn’t stupid. If someone gets into your manager, they get into everything. It’s a single point of failure, and anyone who tells you it isn’t is selling you something.
The answer has to be honest too: yes, it’s a single basket, but the alternative isn’t eggs spread around. It’s eggs on the floor. Without a manager you don’t end up with eighty independent passwords; you end up with the same password on eighty sites, which is the same basket but with no lid, no encryption, copied across eighty other people’s servers whose security you know nothing whatsoever about.
Look at the real threat model. Cracking the encrypted vault of a serious manager requires either a severe flaw in the product or your master password. Trying the password you used at an online shop against your email requires absolutely nothing: a script and a list. You’re comparing an attack that needs a great deal with one that is already happening, constantly, on autopilot.
What is a reasonable precaution: a long, unique master, second factor switched on in the manager, and an awareness that the master is now your critical point. Treat it that way.
Which one, and why there’s no single answer
Time for something awkward for a site that carries affiliate links: the best manager is the one you’ll actually use, and there’s more than one good option.
Bitwarden is free software, has a free tier that covers what almost everyone needs, and you can host it yourself if you fancy. Its code being auditable isn’t marketing: it means you don’t have to take anyone’s word for anything.
KeePass — and its offshoots — keeps everything in a local file. No cloud, no account, no provider. If your worry is “I don’t want my passwords sitting on someone else’s server,” that worry is literally solved. In exchange, syncing between your devices is your problem.
1Password is paid, and it’s the one we link to from here — affiliate, for the record. What it does well is the part that usually decides whether a manager survives in a household: that the non-technical people get it, share it with their partner and don’t give up on it within a week. It isn’t more secure than Bitwarden for costing money. It is, for a lot of people, easier not to abandon.
And your browser’s manager. Free, already installed, already offering to save. It sits below the others on control, on portability and on sharing, and it ties you to one ecosystem. Doesn’t matter: using your browser’s is incomparably better than using none, because it solves the big problem. Anyone who tells you otherwise is putting purity ahead of actual risk.
The line that sums it up
For years we were told what every password had to look like and almost never told how we were meant to remember them all. That was the missing step, and without it the one rule that survived wasn’t a rule: it was a telling-off.
Pick one. Any of them. The argument about which is marginal next to the distance between having a manager and not having one.
Sources: NIST SP 800-63B, “Digital Identity Guidelines: Authentication and Lifecycle Management” (length over complexity, no forced rotation absent evidence of compromise, checking against lists of compromised passwords) · security documentation and models published by Bitwarden, KeePass and 1Password.