How are password storing systems so secure? I’m hesitant to put all of my passwords to everything in a single place, but they are widely regarded as safe. How come they are supposedly harder to hack than a password on an individual website?


I’m really hesitant to use one because I feel like if someone gets access to it then my entire life would be exposed, but I’ve been told that’s essentially “impossible” and I’ve often seen them endorsed by computer security experts and people who know what they’re talking about.


4 Answers

Anonymous 0 Comments

> I’m really hesitant to use one because I feel like if someone gets access to it then my entire life would be exposed

This is true. As with most things in life, you have to make compromises, and in this case, you’re trading strong passwords everywhere else against a single point of failure protecting everything else.

Something like Lastpass, for example, helps you by operating on a zero-knowledge model: they do not and cannot know your master password. They don’t store it anywhere on their servers; all they store is the encrypted data. Sure, an attacker could breach Lastpass and get that data, but it wouldn’t do them any good without a way to decrypt it, and since Lastpass doesn’t store your master password and encrypts its data with industry-leading technology, it could take, and I swear to you this is a real result:

27 trillion trillion trillion trillion trillion years

for a single computer to break a single piece of Lastpass’ encrypted data.

Adding a thousand computers of similar spec... wouldn’t help much. Divide that number by a thousand, you still have trillions on trillions of years.

Use a strong master password, and you’ll be fine. Just make sure you don’t forget it, because a consequence of zero-knowledge is that Lastpass *cannot* help you if you forget it.
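As an added illustration of the zero-knowledge model this answer describes (example code written for this page, not LastPass’s or any vendor’s implementation): the client derives the vault key from the master password with a slow KDF, sends the server only a one-way verifier of that key, and the server stores the verifier next to the encrypted blob. The iteration count, the `ZeroKnowledgeServer` class, the `"login-verifier"` label and the guess rates are assumptions chosen for illustration; the vault blob is a constructed placeholder standing in for real AES ciphertext.

```python
import hashlib
import hmac
import os

# Assumption: an illustrative PBKDF2 work factor; real products pick their own.
PBKDF2_ITERATIONS = 600_000


def derive_keys(master_password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS):
    """Runs on the client only. The vault key never leaves the device; the login
    verifier is a one-way derivative of it that the server is allowed to hold."""
    vault_key = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations)
    # Extra HMAC step: the server-side token cannot be turned back into the key.
    login_verifier = hmac.new(vault_key, b"login-verifier", "sha256").digest()
    return vault_key, login_verifier


class ZeroKnowledgeServer:
    """Hypothetical provider back end: stores the per-user salt, the login
    verifier and the opaque vault blob, never the master password or vault key."""

    def __init__(self):
        self.records = {}

    def register(self, user: str, salt: bytes, login_verifier: bytes, vault_blob: bytes):
        self.records[user] = {"salt": salt, "verifier": login_verifier, "blob": vault_blob}

    def check_login(self, user: str, login_verifier: bytes) -> bool:
        rec = self.records.get(user)
        return rec is not None and hmac.compare_digest(rec["verifier"], login_verifier)

    def breach(self) -> dict:
        """Everything an attacker who copies the whole database walks away with."""
        return dict(self.records)


def brute_force_years(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case years to try every master password of the given length.
    guesses_per_second is the attacker's rate *after* the KDF slows each guess."""
    keyspace = alphabet_size ** length
    return keyspace / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    salt = os.urandom(16)
    vault_key, verifier = derive_keys("correct horse battery staple", salt)
    # Constructed stand-in for the ciphertext a real client would produce by
    # AES-encrypting the vault under vault_key; the server only ever sees bytes.
    server = ZeroKnowledgeServer()
    server.register("alice", salt, verifier, b"<opaque ciphertext>")
    leaked = server.breach()
    print("login ok:", server.check_login("alice", verifier))
    print("vault key in breach dump:", vault_key in leaked["alice"].values())
    # Assumed attacker rate of 1e9 KDF evaluations/s against 12 printable characters.
    print("years to exhaust keyspace:", f"{brute_force_years(95, 12, 1e9):.3e}")
```

The point the code makes is the one the answer makes: a breach of the server hands over salt, verifier and ciphertext, none of which is the key, so the attacker is thrown back on guessing the master password through the KDF, and the guessing time grows with the master password’s length and alphabet.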

Anonymous 0 Comments

Great answers by others. Summarized:

– **Separate passwords for each and every account.** So when one gets compromised, that’s the only one. (Lots of people reuse passwords, and don’t notice when an account they last used 6 years ago gets compromised, so they don’t know that all their other current accounts are compromised too.)
– **Long, complex passwords** – extraordinarily hard to brute force and not likely to be in a rainbow table. You don’t ever have to remember them or type them in, and you don’t have to make them up, because the password manager handles all that for you.
– **Pure secret passwords.** Because you didn’t make the passwords, you didn’t memorize them, and you don’t type them, they couldn’t even be tortured out of you. Which means you also can’t reveal them while drunk, or sleeptalking, or whatever.
– **Securely encrypted** using the latest state-of-the-art encryption so even if someone gets a copy of your password vault, they can’t get in without your key.
– **The key is key.** Of course, you need a good lengthy memorable key phrase, many words, ideally not a common phrase, and with a personal twist or additions. But it’s relatively easy to make one of those that’s 12+ words plus numbers or whatever, and which you will always remember. The key is also useless without the vault – someone needs access to both to use it.

Drawbacks:

– **Single store.** If *you* lose access to the vault, you lose access to all your accounts. Therefore, you must keep backups, preferably in multiple locations.
– **Key required.** If you forget the key, you lose access to all your accounts. Therefore, you need to make it memorable. Maybe write it and put it in a secure physical location just in case, but don’t label it, so that anyone who finds it won’t know to look for the vault.

Anonymous 0 Comments

TLDR: Using password managers promotes best practices that increase your password security by allowing you to choose impossible-to-crack passwords and secure them with only one password. A good analogy is having all your eggs in one basket and putting that basket in a secured locker in a bank.

This is a bit divergent but necessary to understand the argument.

You need to understand how passwords are stored by the website. In modern applications no one stores the passwords in plain text (which means storing the password as-is). The websites will store a hash (a hash is a value derived from your password). Hashing a password is a one-way street. You cannot find out the password from the hash.

Now you may ask how the passwords get leaked? Now there are some fellows out there who have precomputed hashes of all the common passwords. Such a dictionary of passwords and their hashes is called a rainbow table. Now if you have access to this list then you can look up the hash in the list to get the password. Now there are ways to delay this, but someone adamant can still find your password.

Now the passwords which are easy to remember, like cool-hack-123, are easy to remember but are also easy to crack. And the passwords which are difficult to hack are impossible to remember at scale (by scale I mean there are hundreds of passwords that need to be remembered). So people resort to using the same difficult password everywhere and trust the websites to keep their servers safe. Now doing this means that if one of the websites leaks the data and someone finds your password, then your accounts where you used the same password are at risk.

The only way to mitigate this is to use different difficult passwords, which is possible but impractical because the day you forget one password you will set it to something you can remember. This is where the password managers come in. These applications use state-of-the-art security algorithms and processes to store your password information. They take over the job of remembering passwords. Once you start using them you are not bound by any limitations on password selection. You can select an uber-random 24-character password and rest assured that it will be there when you need it.

There are algorithms like AES which, when used with 256-bit keys, are proven to take eons to crack. There is a public key infrastructure which can be employed to verify the authenticity of the data and securely communicate it without sharing the passwords used for encryption. Now these services have the best cryptographic minds working for them, who have carefully selected the tools (from an arsenal of time-tested algorithms) to secure customer information.
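An added example (written for this page, not taken from the answer or any product) of the three ideas above: a fast unsalted hash can be looked up in a precomputed table, a per-user salt plus a slow KDF defeats that lookup (one of the "ways to delay this" the answer mentions), and a manager-generated 24-character password is never in any table to begin with. The word list, the iteration count and the storage format `pbkdf2_sha256$iterations$salt$digest` are constructed assumptions for illustration.

```python
import hashlib
import hmac
import os
import secrets
import string

# Constructed stand-in for a leaked wordlist of common passwords.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "cool-hack-123"]
ITERATIONS = 200_000  # assumption: illustrative work factor


def unsalted_hash(password: str) -> str:
    """The weak scheme: a single fast, unsalted SHA-256 of the password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_precomputed_table(words) -> dict:
    """A (tiny) rainbow-table-style lookup from stored hash back to password."""
    return {unsalted_hash(w): w for w in words}


def lookup(table: dict, stored_hash: str):
    """Returns the password if the stored hash appears in the table, else None."""
    return table.get(stored_hash)


def salted_hash(password: str, salt=None, iterations: int = ITERATIONS) -> str:
    """The stronger scheme: random per-user salt plus a slow KDF, so two users
    with the same password get different hashes and no table can be precomputed."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def generate_password(length: int = 24) -> str:
    """What a password manager does for you: a random password that cannot be
    in any precomputed table because nobody has ever hashed it before."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    table = build_precomputed_table(COMMON_PASSWORDS)
    weak_site = unsalted_hash("cool-hack-123")
    print("unsalted hash recovered as:", lookup(table, weak_site))
    stored = salted_hash("cool-hack-123")
    print("salted digest in table:", lookup(table, stored.split("$")[-1]))
    print("verify correct / wrong:", verify("cool-hack-123", stored), verify("x", stored))
    random_pw = generate_password()
    print("manager password in table:", lookup(table, unsalted_hash(random_pw)))
```

Two things to notice when running it: the same password hashed twice with `salted_hash` yields different stored strings, which is exactly what stops a one-table-fits-all attack, and the random 24-character password misses the table even under the weak unsalted scheme, which is the answer’s argument for letting the manager choose passwords.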

Anonymous 0 Comments

I’m guessing you’re talking about password managers?

You don’t have to fully trust them, you can always [salt your important passwords](https://passwordbits.com/salting-passwords/).

The password for the website: **FhGrurf?>e4bacon**

The password you keep in your password manager: **FhGrurf?>e4**

Bacon is the salt; enter it before you sign in. This way, if someone got into your password manager they would not know the whole password.