Stop Memorizing Passwords: A Password Manager + Passkeys Setup

The single highest-leverage hour you can spend on your own security. A practical, vendor-neutral walkthrough you can finish today.

If you do one thing for your security this month, make it this. A password manager plus passkeys neutralizes the most common ways ordinary people get hacked: reused passwords, phishing, and credential stuffing. Here’s the whole setup, start to finish.

Step 1 — Pick a password manager

Any reputable one beats your memory and your browser’s half-baked vault. Good open-source options:

  • Bitwarden — open-source, free tier is genuinely usable, self-hostable.
  • KeePassXC — fully offline, you own the encrypted file.

Pick one. The “best” manager is the one you’ll actually use on every device.

Step 2 — Set a strong master password

This is the one password you still memorize. Make it a passphrase — four or more random words — not a tortured P@ssw0rd!:

correct-harbor-velvet-thunder-92

Long and memorable beats short and cryptic. Write it on paper, store it somewhere physically safe, and never reuse it anywhere.

Step 3 — Turn on two-factor for the vault itself

Your vault is now the keys to the kingdom. Protect it with a second factor — a hardware key (YubiKey) or an authenticator app. If your vault falls, everything falls, so this step is non-negotiable.

Step 4 — Migrate, then rotate

  1. Import existing logins (every manager has a browser-import flow).
  2. Run the built-in security audit — it flags reused and weak passwords.
  3. Work the list worst-first. For each site, generate a fresh 20+ character random password and let the manager remember it.

Don’t try to fix all 200 accounts in one sitting. Do your email, banking, and primary cloud accounts today — those are the ones that unlock everything else.

Step 5 — Adopt passkeys where offered

A passkey replaces the password entirely with a cryptographic key pair bound to the website. The private key never leaves your device, and there’s nothing to type, phish, or leak. When a site offers “Sign in with a passkey,” take it:

  • It can’t be phished — the key only works on the real domain.
  • There’s no shared secret to steal in a breach.
  • Your password manager (or phone/OS) syncs it across devices.

Major platforms — Google, Apple, Microsoft, GitHub — already support them. Each login you switch to a passkey is one that can no longer be phished or leaked from the site’s database.
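To make the domain binding concrete, here is an added example (not part of the original guide) that models the WebAuthn challenge-response in Go: the authenticator signs the server’s challenge together with the origin the browser reports, and the server checks that origin before it even looks at the signature. The relying party example.com, the P-256 key, and the client-data fields are assumptions of this model, not any vendor’s implementation.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
)

// Assumed relying party: the real site the passkey was registered on.
const rpID, rpOrigin = "example.com", "https://example.com"
var rpIDHash = sha256.Sum256([]byte(rpID))

// signedMessage builds the WebAuthn signing input from the two signed parts.
func signedMessage(authData, cdJSON []byte) []byte {
	h := sha256.Sum256(cdJSON)
	m := sha256.Sum256(append(append([]byte{}, authData...), h[:]...)) // authenticatorData || SHA-256(clientDataJSON)
	return m[:]
}

// NewPasskey models registration: a P-256 key pair created for this one site.
func NewPasskey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// Assert models the authenticator; the browser, not the user, fills in origin.
func Assert(priv *ecdsa.PrivateKey, challenge, origin string) (authData, cdJSON, sig []byte, err error) {
	cdJSON, _ = json.Marshal(map[string]string{"type": "webauthn.get", "challenge": challenge, "origin": origin})
	authData = append(rpIDHash[:], 0x01, 0, 0, 0, 0) // rpIdHash || flags (user present) || counter
	sig, err = ecdsa.SignASN1(rand.Reader, priv, signedMessage(authData, cdJSON))
	return
}

// Verify models the server: origin and challenge sit inside the signed data, so a valid signature from a look-alike domain is still rejected.
func Verify(pub *ecdsa.PublicKey, challenge string, authData, cdJSON, sig []byte) error {
	var cd map[string]string
	switch err := json.Unmarshal(cdJSON, &cd); {
	case err != nil:
		return err
	case cd["type"] != "webauthn.get" || cd["challenge"] != challenge:
		return errors.New("challenge mismatch")
	case cd["origin"] != rpOrigin:
		return errors.New("origin mismatch: " + cd["origin"])
	case len(authData) < 32 || string(authData[:32]) != string(rpIDHash[:]):
		return errors.New("rpIdHash mismatch")
	case !ecdsa.VerifyASN1(pub, signedMessage(authData, cdJSON), sig):
		return errors.New("bad signature")
	}
	return nil
}
```

The same private key produces a perfectly valid signature on a look-alike domain, but the server rejects it because the origin it signed is the wrong one; that is the whole phishing resistance in four lines.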

The 15-minute version

Short on time? Do exactly this:

  1. Install Bitwarden, set a passphrase master password.
  2. Add 2FA to the Bitwarden account.
  3. Change your email password to a generated one.
  4. Enable a passkey on your email and primary accounts.

That alone puts you ahead of the overwhelming majority of breach victims. Come back later for the rest.
