Fair question.
The typical worry about a password manager is that you have **all your eggs in one basket**. There are a few ways to look at this, so I’ll do my best to look at it from different angles:
**First off and by far the most important: Password managers protect you from the most significant digital security risks, which are Major Breaches, Password Stuffing, and Brute-Force-Style Attacks**.
Major breaches happen. When they do, the data leaked is hopefully encrypted, but in too many cases it turns out the company didn’t have *any* security at all and they leak plaintext passwords.
When leaked data is encrypted, depending on the method of encryption, a hacker can employ a form of brute force to solve for some or even *all* of the password combinations in the breach. Many breaches are happening specifically because companies are too lax with their security. More on that in a minute.
Once hackers have plaintext passwords and their corresponding usernames (often email addresses), they can start **Password Stuffing**. This is the practice of just trying the password everywhere. Have you ever found a key that’s not labelled in your home/office, and in order to learn what it’s for you just tried it in every lock around the house? Yep, that’s password stuffing.
If they get <email address> and password123 from the password breach at Armor Games, they can stuff that combination into 1000 different bank and investment sites, social media, email services etc. They can do this in seconds. If they do this with a list of 2000 passwords, they’ll get into at least 20 services somewhere, simply because *people reuse their passwords*. God forbid they get into an email account. Email accounts are how a vast majority of other accounts let you confirm your identity and reset passwords. Get into email, mine the email for “bank”, learn which banks they use, then go reset their passwords.
This makes breaches very scary for people who reuse passwords, because a single breach can cascade into many points of failure.
Password managers protect you from this by helping you set up a different password for every service you have and will ever use. Someone could hack my reddit account and no amount of password stuffing would get them anywhere. All I need to do is change my reddit password again to re-secure myself. I never have to worry that my other accounts have the same or similar passwords.
Brute force attacks are another method of getting into accounts, but are more focused on specific accounts. Password managers let you build *strong* passwords that are nearly impossible to brute force.
Imagine a company leaks 10M email+password combinations, and one of them is mine. A brute force attack will reveal all the weak passwords. My strong password is safe though. If they used poor security, then they might be able to crack the encryption itself and essentially reveal ALL the passwords. In this case, my password isn’t safe but it’s not really my fault. A password manager couldn’t have prevented that. However, if I learn about this quickly, I can just go change that password and I’m secure *everywhere* again.
If that company were my bank, I’d hope they don’t use outdated encryption, but that’s all I can hope. At the very least, my password is among the hardest to crack there.
**Companies get breached, it’s the way of the world. But a password manager is less likely to have a breach, and when they do it’s more likely to be sufficiently encrypted data.**
A password manager’s business is security. It’s their specialty, and their number 1 priority. A security failure means a loss of business, because security is the only real product they offer. If a gas station suddenly lost their gas supply, they’re not staying afloat.
**It’s not that hard to make up a memorable, secure password.**
[Here is a great video by Computerphile](https://www.youtube.com/watch?v=3NjQ9b3pgIg) describing how to choose a password and a bit about how password managers work. Additionally, [here is the famously relevant XKCD comic](https://xkcd.com/936/).
*correcthorsebatterystaple* itself is not secure anymore since it’s popular, but XKCD’s method of building a password is going to be your BEST bet for making a highly secure password. Computerphile adds in an extra tidbit (I think in that video, but maybe in a previous one), that simply adding (not substituting) a special character *inside* one of the words makes it effectively uncrackable.
E.g. correcthorsebatt&erystaple *I would memorize this as correct horse batt-and-ery staple.*
If you’ve got a password that’s 20+ characters, 4+ distinct words not including words like and, the, is, etc., and you haven’t used it anywhere else ever, then it’s safe. A computer cannot brute-force it. It cannot employ a concatenating dictionary attack (combining random English words in brute force style), and it’ll *never* have a rule that adds in random special characters where they wouldn’t make sense to swap in.
While a password of 26 truly random characters would be better than a few words, you also just won’t remember it.
Your only real risk at this point is someone finding out your exact password somehow, which brings us to the next point.
**The real risk of a password manager is a targeted attack.**
If someone gets your master password, you could be in some trouble. There are ways to protect yourself here too though.
If you’re ever suspicious, change your master password. Doing this too often gets confusing, but don’t avoid it just because it’s tough.
Password managers can be used alongside a 2FA authenticator as well. That way the only way to get in on a new device is to authenticate, which means they need to steal your phone too, or steal your key.
The real risk is someone spying over your shoulder or installing a keylogger on your device.
To be fair though, that’s a risk with any type of password/PIN login. Any time you punch in a password, you’re at risk. In fact, I’d argue that a password manager still helps here because you only need to protect yourself while typing one password. The rest you autofill without ever looking at.
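To put numbers on the three password styles the answer above compares (a few dictionary words, the same words with a symbol inserted, and 26 truly random characters), here is an added worked calculation that is not part of the original post. It assumes the worst case for the user: the attacker knows the method, the 2048-word list and the symbol trick, and the guess rate of 1e10/s is a constructed offline-cracking figure, not a measurement.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def passphrase_bits(num_words: int, wordlist_size: int) -> float:
    """Entropy of num_words words drawn uniformly from a wordlist,
    assuming the attacker knows the list (worst case)."""
    return num_words * math.log2(wordlist_size)


def random_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string over an alphabet."""
    return length * math.log2(alphabet_size)


def with_inserted_symbol(base_bits: float, passphrase_len: int,
                         symbol_alphabet: int = 32) -> float:
    """Extra entropy from inserting one symbol (e.g. '&') at an arbitrary
    position, assuming the attacker also knows this trick: there are
    (passphrase_len + 1) positions times symbol_alphabet choices."""
    return base_bits + math.log2((passphrase_len + 1) * symbol_alphabet)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Years needed to try every candidate at a given guess rate."""
    return (2.0 ** bits) / guesses_per_second / SECONDS_PER_YEAR


def compare(guesses_per_second: float = 1e10) -> dict:
    """Compare the three styles at one cracking rate. Assumed numbers:
    a 2048-word list and 95 printable ASCII characters; the default
    rate is a constructed offline-cracking figure."""
    four_words = passphrase_bits(4, 2048)
    four_words_symbol = with_inserted_symbol(
        four_words, len("correcthorsebatterystaple"))
    random26 = random_bits(26, 95)
    return {
        "4 words": (four_words, years_to_exhaust(four_words, guesses_per_second)),
        "4 words + inserted symbol": (
            four_words_symbol, years_to_exhaust(four_words_symbol, guesses_per_second)),
        "26 random chars": (random26, years_to_exhaust(random26, guesses_per_second)),
    }


if __name__ == "__main__":
    for label, (bits, years) in compare().items():
        print(f"{label:28s} {bits:6.1f} bits  {years:.3g} years")
```

The 26-random-character string wins by a very wide margin; the wordlist-based passphrases only hold up as long as the attacker cannot run offline guesses at high speed, which is exactly the case a password manager's unique-per-site passwords are meant to limit.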