How to Get Started Using a Password Manager
Using a password manager is essential to good password management practice.
Broadly speaking, password managers allow users to generate strong passwords - but most importantly they allow users to have a unique password for each of their online accounts, eliminating the need to reuse passwords.
This guide is aimed at users ready to start putting their password manager to use. If users need more help or guidance on the topic of password managers themselves, then please refer to avoidthehack's inclusive guide on everything users need to know about password managers.
Step 0: Picking a password manager
Hopefully users have picked a password manager that has a demonstrated commitment to security and is beneficial to user privacy. Ideally, users would have picked a password manager that can be used offline (without an active internet connection) and is open-source.
Users are encouraged to review the password manager options presented in avoidthehack’s recommended password managers post.
For users switching password managers
Users reading this guide may be in the process of switching password managers. For example, they may be migrating from a closed-source solution to an open-source solution.
Fortunately, most password managers allow users to export their vaults to a file that can then be imported by the new password manager.
Different password managers have differing steps for exporting the vault database; users should consult their existing password manager’s user guides/instructions for assistance in exporting databases.
Once successfully exported, this database can be imported into another password manager.
Step 1: Create a master password
The master password is the definitive “key” to decrypting and unlocking the encrypted vault of the password manager.
Users will want to take the utmost care in creating a strong password - it is far better for users to create a “passphrase,” which is harder for an attacker to brute-force or guess. Users may also find passphrases easier to remember.
This master password or passphrase should be unique and not used anywhere else - not even to unlock any devices or machines. It should not contain personally identifiable information (PII) such as parts of social security numbers or birth dates.
The master password should not contain information that could be easily “guessable” with or without open-source intelligence (OSINT) research - this includes, but is not limited to:
- Pet, children, or family names
- School names
- Favorite colors/games
- Pet, children's, or family members' birthdays
- Address information, such as street name or building numbers
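As an added example (not from the original guide), the following Python script generates a passphrase with the operating system's CSPRNG, compares its entropy with that of a random character password, and rejects candidates containing the kinds of personal terms listed above. The word list and the personal terms are constructed for illustration; 7776 is the size of a standard diceware-style word list.

```python
import math
import secrets

# Constructed stand-in word list. A real generator should draw from a large
# published list (for example a diceware-style list of 7776 words); the
# entropy figures below show why this small list is not enough on its own.
WORDS = [
    "anchor", "basil", "copper", "delta", "ember", "falcon", "garnet", "harbor",
    "ivory", "juniper", "kettle", "lantern", "marble", "nectar", "orbit", "pepper",
    "quartz", "ripple", "saddle", "timber", "umber", "velvet", "willow", "zephyr",
]
DICEWARE_LIST_SIZE = 7776   # 6^5 words, indexed by five dice rolls
PRINTABLE_ASCII = 94        # alphabet size of a random printable-character password


def passphrase_entropy_bits(word_count: int, list_size: int) -> float:
    """Bits of entropy in word_count words chosen uniformly at random from list_size words."""
    return word_count * math.log2(list_size)


def password_entropy_bits(length: int, alphabet_size: int = PRINTABLE_ASCII) -> float:
    """Bits of entropy in a random character password, for comparison."""
    return length * math.log2(alphabet_size)


def words_required(target_bits: float, list_size: int) -> int:
    """Smallest word count whose passphrase reaches target_bits of entropy."""
    return math.ceil(target_bits / math.log2(list_size))


def generate_passphrase(word_count: int = 6, words=WORDS, sep: str = "-") -> str:
    """Choose words with the OS CSPRNG (secrets), never the `random` module."""
    return sep.join(secrets.choice(words) for _ in range(word_count))


def guessable_terms_in(candidate: str, personal_terms) -> list:
    """Return the personal terms (pet names, birth years, street names, ...) that
    appear in the candidate, case-insensitively. A non-empty result means the
    candidate should be discarded and a new one generated."""
    lowered = candidate.lower()
    return [t for t in personal_terms if t and t.lower() in lowered]


if __name__ == "__main__":
    # Constructed examples of things the guide says not to put in a master password.
    personal = ["Fluffy", "1988", "Oak Street", "Lincoln High"]
    phrase = generate_passphrase()
    print("candidate:", phrase)
    print("guessable terms found:", guessable_terms_in(phrase, personal))
    print("6 words from this tiny list:    %.1f bits" % passphrase_entropy_bits(6, len(WORDS)))
    print("6 words from a 7776-word list:  %.1f bits" % passphrase_entropy_bits(6, DICEWARE_LIST_SIZE))
    print("12 random printable characters: %.1f bits" % password_entropy_bits(12))
    print("words for 80 bits from a 7776-word list:", words_required(80, DICEWARE_LIST_SIZE))
```

The entropy figures assume the words are chosen uniformly at random; a passphrase the user composes from memorable personal words does not get this guarantee.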
Storing the master password
In an absolutely ideal world, the master password wouldn’t be stored anywhere but in your head. However, in the event you forget your master password and don’t have access to any of your backup methods, you’ll lose the information contained inside the vault - for reputable password managers, there absolutely should not be a function to “recover” or reset the master password.
Avoid storing the master password on any device where the password manager is used - in the event any of these devices are compromised, the risk is higher for the password manager to become compromised as well, as the password to decrypt the vault would be present on the compromised machine.
For most users, writing down the password on a physical medium and storing it in a secure place should work as a reasonably secure method. However, if there are viable physical threats, users should take those into account when storing the password in a physical location. Suitable physical locations vary greatly and depend on many factors – generally, a “good enough” location is one to which others have limited or no access.
At minimum, users should ensure unauthorized people do not have easy access to the physically written password; generally, this can be alleviated by not storing the physical medium near machines or devices themselves.
Step 2: Secure backup codes/methods
Securing a backup method for a password manager is a wise first action to take.
An established backup method allows you to access the password vault without wiping the existing data should you forget the “master password” or lose a multifactor authentication (MFA) factor, such as a YubiKey.
For a backup method to be solid, it is imperative to ensure said backup method indeed works before the time of “true need” comes. Likewise, it is also important to ensure any vault backups or backup codes are securely stored.
It’s best to store backup codes or any vault backups off any device where the password manager itself is used.
Backup codes should be stored either on a device not actively connected to the network or on a storage device that is connected neither to the network nor to any other device on the network. Users can also opt to encrypt their backup codes and upload them to a trusted and encrypted cloud storage provider.
Alternatively, users can print out backup codes and store them in a safe physical location. For many people, this completely offline approach is the simplest and most effective secure storage for backup codes.
Step 3: Install the password manager on most-used devices
It’s not good enough to just have a password manager; a password manager is something to be used, and used very often.
To ensure use of the password manager as you conduct your online business across your many different online accounts, it becomes important to install it on the devices that you use. Preferably, the password manager should be installed on devices used regularly - at minimum, it should be installed on the device you use the most.
Ideally, the device where the password manager is installed is something you have direct control over most, if not all, of the time. In other words, for security and operations security (OPSEC) reasons, it may be wise to avoid installing your password manager on shared devices or work devices. Refraining from doing this mitigates risk of someone decrypting the vault without your permission or knowledge and gaining access to the contents inside.
Most users are advised to use a password manager solution compatible with multiple platforms; avoidthehack typically recommends Bitwarden, a privacy-respecting, open-source, and highly secure password manager with wide availability across many devices.
As a reminder, users can find other password manager recommendations from avoidthehack on the Password Manager Recommendations page.
Step 4: Change passwords of accounts used for authentication
Once the password manager is set up to your liking, a strong master password is created, and secured backup methods are established, it’s time to change the passwords of various accounts. We’ll need to “triage” these accounts, starting with the most “critical” as we work them into the password manager.
According to research conducted in 2020, the average user had 70-80 accounts and, consequently, credentials to manage. After the onset of the COVID-19 pandemic, this number is thought to have increased by roughly 25 percent. Assuming this holds true for most people, common users would then have 100 or more online account credentials to manage.
For most users, “critical” accounts are accounts used for authentication to other web apps or services. These aren’t necessarily financial accounts, which are rightfully sensitive in their own regard.
Authentication accounts typically include:
- Email accounts
- Mobile phone number provider accounts
These are the accounts where any given service may send one-time passcodes (OTPs), “forgot my password” links, and other sensitive correspondence. Changing the passwords of accounts used for authentication provides an immediate benefit to your security posture.
If a malicious actor were to gain access to these accounts, it could spell trouble for your security as a user - both online and offline.
For example, if an attacker gained access to the same email you use for your bank login, then they could easily reset your bank account password (and the password of the email account) to effectively lock you out of the bank account and the email account. No doubt this is a major headache to deal with and solutions often include multiple phone calls and making in-person trips to a banking branch.
Users may want to start with email accounts first and then move to mobile phone provider accounts. Users are highly encouraged to enable multifactor authentication (MFA) on these accounts.
4.1 Accounts used to sign into other services/devices
Breaches of accounts used to sign into other devices may lead to compromise of the other services/devices reliant upon these accounts for authentication.
Accounts used to sign into other services or devices may include:
- AppleID accounts
- Microsoft accounts
- Google accounts
For example, a malicious actor gaining access to your AppleID or iCloud accounts could download your phone backups or photos, which could contain highly personal and sensitive information and enable more crippling attacks.
A malicious actor gaining access to your Google account could compromise your Gmail account, which could lead to the compromise of other accounts as noted in the previous section.
Microsoft accounts are frequently linked to other services or devices, such as Xbox Live or a Windows machine. Compromise of these accounts can potentially lead to compromise of other services as well.
Thankfully, these accounts tend to have some form of MFA enabled by default. Therefore, even in the event a weak or reused password is indeed compromised, an attempted account takeover could be thwarted.
However, this is no excuse to not implement a strong and unique password for these accounts! These accounts tend to allow very strong passwords (in some cases, passphrases), and with a quality password manager, changing and storing these should be convenient and easy.
Step 5: Change passwords for financial accounts
With accounts used for authentication equipped with secure passwords, we can secure other sensitive accounts - like financial accounts. Financial accounts hold a wealth of sensitive information that can lead to identity theft, fraud, and other hard-hitting financial problems, and for these obvious reasons they are highly targeted by malicious actors.
Financial accounts include more than just traditional bank accounts; they include (but are not limited to):
- Bank accounts
- PayPal accounts
- Credit card accounts
- Investment accounts
- Work benefit accounts (primarily 401k or HSA accounts)
- Tax-related accounts (primarily the service used to file taxes)
- Cryptocurrency accounts (centralized exchanges) or wallets*
*Wallets tend not to have passwords; instead, each has a unique associated seed phrase. Users may want to consider storing seed phrases inside their password manager solution.
In most cases, users will want to secure the bank account where their primary income is deposited. All financial accounts should be equipped with the strongest passwords allowed by specific platforms, banks, or companies. Avoidthehack strongly recommends users enable MFA on key financial accounts.
5.1: Finance-related accounts
These accounts don’t necessarily put your money directly on the line, but do contain highly sensitive information alongside financial information - primarily, creditor accounts.
Creditor accounts can be a wealth of information for malicious actors - these accounts frequently include full legal names, dates of birth, Social Security numbers, contact information, and address information alongside other financial information like bank information, loan balances, and finance terms.
This information can be used in highly targeted spear-phishing campaigns, doxxing campaigns, or simply sold on various marketplaces both on the clear net and the dark web for cash. Users may be targeted with refined scams or subject to identity theft.
Common finance-related accounts include:
- Mortgage accounts
- Car loan accounts
- Personal loan accounts
- Student loan accounts
5.2: Insurance accounts
Insurance accounts are frequently tied to finance-related accounts. Like creditor accounts, these contain a wealth of information about a user, all in one place. In some cases, insurance accounts can be connected to other finance-related information - as is the case with HSAs and some health insurance providers.
Common insurance accounts include:
- Health insurance provider accounts
- Car insurance accounts
- Homeowner’s/renter’s insurance accounts
Step 6: Government-related accounts
Some users may have accounts with any number of government agencies (federal, state, local, or tribal). These government accounts are often repositories for PII and other sensitive information; depending on the account itself, they can also reveal other aspects of a user’s life.
For example, information that can be gathered or inferred from direct access to a user’s Free Application for Federal Student Aid (FAFSA) account includes:
- College history
- Graduation status
- Income at time of application
- Tax information
- Address information (and potentially address history)
- Social Security Number
Government-related accounts may also factor into your regular life as a citizen; compromise of these accounts could lead to headaches such as fraudulent public benefits enrollment or tax-related hiccups.
Step 7: Social media accounts
Even if you “lock down” your social media from the “outside” (public) view, you will want to make sure the account itself is difficult to break into. It may sound silly to put social media accounts in a guide for securing accounts with a password manager, but social media accounts are increasingly targeted by malicious actors.
Someone with access to social media accounts can gather a wealth of information about you and others you interact with. A malicious actor with access to your social media accounts also may have access to:
- Your friends/following list
- Contact information
- Your chat/message history
- Location history (if shared with app)
This information can be used to launch doxxing campaigns, smearing campaigns, or convincing spear-phishing campaigns.
Additionally, particularly aggressive malicious actors may use your otherwise legitimate account to engage in further malicious behavior, ranging from immoral to illegal:
- Scamming your friends/following list
- Passing phishing links to your friends/following list
- Sharing inappropriate and/or illegal or banned material
- Posting details you might not want shared with others (or the public)
Step 8: Work/Employment Accounts
How are you storing your work credentials? Are you reusing the same password across work and personal accounts?
Naturally, users should adhere to their organization’s policies concerning the storage of work credentials in personal password managers or on personal devices. This guidance is not meant to supersede any policy put out by your organization for its employees.
A malicious actor gaining access to your work account(s) can spell nasty consequences for both you and your organization - in some high-profile cases, such as the Twilio data breach in 2022, compromised employee credentials were the entry point for attackers to breach and pivot within organizations’ networks. An attacker breaching work account(s) can also compromise user PII.
Personal ramifications from threat actors gaining access to user work account(s) include, but are not limited to:
- Disclosure of salary information
- Disclosure of address and address history
- Disclosure of withholding information
- Direct deposit information
- Employment reprimands or termination
As mentioned, organization-wide ramifications from threat actors gaining access to user work account(s) include, but are not limited to:
- Stolen/disseminated company information/secrets
- Disclosure of PII of other employees
- Exfiltrated financial records
- Stolen user/client/customer data
- Intellectual property theft
Step 9: Accounts with address information and payment information
While any merchant or online retailer account can hold this information, this section focuses on accounts such as Uber, Amazon, or DoorDash. In addition to address and payment information, if breached, these types of accounts may give a malicious actor access to other information such as:
- Order history
- Delivery history
- Location history
- Contact information
Generally, where possible, in the interest of privacy and of minimizing the data leaked in the event of a retailer data breach, it is not recommended that users save addresses or payment information in established accounts.
For online retailers, stores, or merchants that users do not frequent, it’s generally recommended to delete these accounts. While this may not necessarily erase order history as stored by the merchant, it reduces the number of accounts for users to keep track of; in other words, users would be scaling down their attack surface.
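The triage in Steps 4 through 9, together with the guide’s warnings about reused passwords and missing MFA, can be applied mechanically to a vault export. The following is an added example, not avoidthehack’s or any password manager’s code: it assumes a constructed CSV export with a hand-added category column, groups entries that share a password, lists accounts in the guide’s MFA-recommended categories that lack MFA, and orders the change-password to-do list by step.

```python
import csv
import io
from collections import defaultdict

# Triage order taken from the guide's steps: lower value = change first.
PRIORITY = {
    "email": 4.0, "phone_provider": 4.0, "platform_signin": 4.1,
    "financial": 5.0, "creditor": 5.1, "insurance": 5.2,
    "government": 6, "social": 7, "work": 8, "retail": 9,
}
# Categories where the guide asks users to enable MFA.
MFA_EXPECTED = ("email", "phone_provider", "platform_signin", "financial")

# Constructed vault export. Assumption: the user has added a "category" column
# by hand; real exports carry no such column, and the passwords here are fake.
# Run this only on a trusted machine and delete the plaintext export afterwards.
SAMPLE_EXPORT = """name,url,username,password,mfa,category
Personal mail,https://mail.example,alice,Summer2019!,no,email
Bank,https://bank.example,alice,Summer2019!,no,financial
Photo forum,https://forum.example,alice,correct-horse-battery,no,social
Carrier,https://carrier.example,alice,Summer2019!,yes,phone_provider
Shop,https://shop.example,alice,x7$Qm!2pLz9@,no,retail
"""


def load_entries(csv_text: str) -> list:
    return list(csv.DictReader(io.StringIO(csv_text)))


def reused_password_groups(entries) -> list:
    """Names of entries that share a password, grouped. Only names are returned,
    so the report never echoes the secret itself."""
    by_password = defaultdict(list)
    for e in entries:
        by_password[e["password"]].append(e["name"])
    return sorted(sorted(names) for names in by_password.values() if len(names) > 1)


def missing_mfa(entries, categories=MFA_EXPECTED) -> list:
    """Entries in MFA-expected categories whose mfa flag is not 'yes'."""
    return sorted(e["name"] for e in entries
                  if e["category"] in categories and e["mfa"].strip().lower() != "yes")


def triage(entries) -> list:
    """Order entries by the guide's step priority; within a step, entries with a
    reused password come first. Unknown categories sort last."""
    reused = {name for group in reused_password_groups(entries) for name in group}

    def key(e):
        return (PRIORITY.get(e["category"], 99), e["name"] not in reused, e["name"])

    return [e["name"] for e in sorted(entries, key=key)]


if __name__ == "__main__":
    entries = load_entries(SAMPLE_EXPORT)
    print("change in this order:", triage(entries))
    print("reused passwords:", reused_password_groups(entries))
    print("missing MFA:", missing_mfa(entries))
```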
Methods for finding more accounts
There are many more accounts any given user may have that aren’t explicitly covered in this guide. However, it’s still important to ensure these accounts aren’t using weak passwords, passwords exposed in data breaches, or recycled/reused passwords.
For unneeded or unused accounts, it is highly recommended that users delete them to further reduce the number of accounts to manage; as previously mentioned, this reduces the “attack surface” for malicious account breaches and takeovers.
Search email inboxes
Most of us live our lives in our inboxes - and in many cases this means we don’t necessarily delete emails. Upon creating an account just about anywhere on the internet, it’s likely you received at least one message from that web app or service about said created account.
Here are some helpful search term ideas:
- “Account confirmation”
- “Welcome [your name]”
- “Email confirmation”
- “Finish registration”
Chances are you’ve forgotten a login credential - whether a username or a password - for some of your more elusive accounts as well. This is also a viable search opportunity as you can search terms like:
- “Reset link”
- “New password”
- “Password reset”
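As an added example rather than part of the original guide, this Python script applies the search terms above to an inbox exported in mbox format and groups matches by sender domain, which is usually the service the account belongs to. The three-message mbox is constructed inline; a real run would point at the user’s exported mailbox file.

```python
import mailbox
import tempfile
from email.utils import parseaddr
from pathlib import Path

# Search phrases from the guide, matched case-insensitively against subject lines.
SIGNUP_TERMS = ["account confirmation", "welcome", "email confirmation", "finish registration"]
RESET_TERMS = ["reset link", "new password", "password reset"]

# Constructed three-message mbox standing in for an exported inbox.
SAMPLE_MBOX = """From alice@example.invalid Mon Jan  1 00:00:00 2024
From: "Shop Support" <noreply@shop.example>
To: alice@example.invalid
Subject: Welcome Alice - account confirmation

Thanks for registering.

From alice@example.invalid Mon Jan  1 00:00:00 2024
From: newsletter@news.example
To: alice@example.invalid
Subject: Weekly digest

Nothing account-related here.

From alice@example.invalid Mon Jan  1 00:00:00 2024
From: accounts@forum.example
To: alice@example.invalid
Subject: Your password reset link

Use the link below to choose a new password.
"""


def sender_domain(from_header: str) -> str:
    """Domain of the From: address, which usually identifies the service."""
    _, addr = parseaddr(from_header or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def find_account_emails(mbox_path, terms=tuple(SIGNUP_TERMS + RESET_TERMS)) -> dict:
    """Map sender domain -> sorted matching subjects for messages that look like
    sign-up or password-reset mail; each domain is a candidate account to review.
    Subjects are compared as raw header strings, which is fine for ASCII subjects."""
    found = {}
    for msg in mailbox.mbox(str(mbox_path)):
        subject = msg.get("Subject", "") or ""
        if any(term in subject.lower() for term in terms):
            found.setdefault(sender_domain(msg.get("From", "")), set()).add(subject)
    return {domain: sorted(subjects) for domain, subjects in found.items()}


def write_sample_mbox(directory=None) -> Path:
    """Write the constructed mbox to a temporary file and return its path."""
    path = Path(directory or tempfile.mkdtemp()) / "inbox.mbox"
    path.write_text(SAMPLE_MBOX)
    return path


def inventory_from_sample() -> dict:
    return find_account_emails(write_sample_mbox())


if __name__ == "__main__":
    for domain, subjects in sorted(inventory_from_sample().items()):
        print(domain)
        for subject in subjects:
            print("   ", subject)
```

Each domain in the output is a service to check against the password manager; anything not already in the vault is either an account to migrate or an account to delete.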
iOS and macOS users: Review accounts in the “Keychain”
iOS and macOS have a built-in credential manager (password manager), “Keychain.” While using Keychain isn’t exactly recommended here at avoidthehack due to its closed-source nature and limited flexibility, we understand some users may have used Keychain at some point in the past.
Keychain may store old accounts the user may have forgotten about, especially as the user transitions to another password manager. The iCloud Keychain can be viewed from the iOS settings app.
Android (and Google account users): Check the Google password manager
Especially on stock, Google-flavored Android, when users are signed into their Google accounts, the Google password manager can automatically capture and store login information for various websites and apps. Frequently, the Google password manager captures passwords for old apps or forgotten accounts.
The Google password manager can be a valuable repository of older and forgotten online accounts - this is especially true if users have multiple Google accounts or have switched to a non-Android alternative such as iOS.
Search breach databases
Breach databases often house information on email addresses and password hashes/plaintext equivalents leaked in past data breaches. In most cases, these breach databases can be easily searched; usually a user will be required to input an email address to check against various breach databases or pastes.
Common and reputable breach databases include:
Searching breach databases can be useful for uncovering old, long abandoned or “dead” accounts that may have been involved in past data breaches. In some cases, users may opt to contact the web service/app/or website where these accounts live for account deletion.
More than likely, there are account categories not covered in this guide. It’s important to understand that different users have many different types of online accounts for any number of reasons - therefore, it’s near impossible to cover every account type in this guide.
Hopefully, most users will find this guide helpful in “triaging” or prioritizing or even finding/remembering accounts to change the password to a unique and strong password and add to their password managers.
Stay safe out there!