Why are password managers considered good security practice when they provide a single entry for an attacker to get all of your credentials?




38 Answers

Anonymous

Today, the average internet user will have accounts on *dozens* if not *hundreds* of websites. Everything from Google, Microsoft and Amazon, to more niche specialities like Reddit or Facebook, down to individual shopping websites, or that one book website they signed up to five years ago and haven’t used since.

Since your online presence is so large that most people won’t remember thousands of completely unique passwords, there are basically three options for password management.

**1. Use the same password.**

This is terrible practice. If that one cookbook website you signed up to five years ago is compromised by hackers (e.g. they didn’t update to fix the latest known vulnerability within a week or two), they could access your password from this less-secure site and then use it to gain access to all of your secure websites. Clearly, this is a terrible plan.

**2. Use variations on a Password.**

This way, you can remember most of it, but change it a little. Whether that’s adding a number on the end, or tweaking the capitalisation, or adding a bit of the website or your favourite food or… whatever else. These aren’t quite as “free” as option 1 (so it is better), but they are still very easy to guess. Many nefarious actors might take your email address and password and try it on a few dozen websites, varying numbers etc. in it. If they can find just one that works, they can easily start to break your “formula”; but even easier than that – if two of the websites you’ve ever made passwords for break, suddenly the hacker has access to both passwords and can start to see what formula you use. Suddenly the range of probable passwords goes from the tens of thousands often down to the tens or the hundreds. Breaking into these websites then becomes trivial – so this isn’t actually much safer than option #1, since this will fail eventually.

**3. Use unique passwords for each website (and write them down).**

Given that we now know that we need completely unique passwords for every website, it suddenly becomes very difficult to keep track of them all. This basically requires writing them down – either physically on paper, or digitally. Physical paper can be lost or stolen and now opens an entirely new avenue of attack, but writing them in a plain, unencrypted text document may be even worse. Now if someone goes snooping on your computer, they immediately have access to all of your accounts. Ideally then, you’d encrypt the master password list with a password that only you know. Now finding it requires the password and, provided it hasn’t been used elsewhere, that password should be safe.

A password manager is sort of like using an encrypted text document, only it’s maintained better in a much safer way. Without getting into too many technical details, opening most files on your computer leaves almost a “ghost image” in memory. Someone who knows what they are doing may be able to access documents you’ve had open, even if they were encrypted, because your computer had to unencrypt them at some point so you can read them. Most password manager software tries to bypass most of these common risks while also giving you nice features like synchronising between devices and automatically generating more secure passwords than a human ever could.
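The answer's option 3 (an encrypted master list of unique, generated passwords, unlocked by one master password) is what a password manager's vault boils down to. The following is an added example, not code from the original post or from any real password manager: it generates a random, distinct password per site, derives a vault key from the master password with scrypt (a deliberately slow key-derivation function, so guessing the master password is expensive), and encrypts the list so that a wrong master password or a tampered vault is detected rather than silently yielding garbage. The site names are constructed sample input, and the cipher is a demonstration construction (an HMAC-SHA256 counter keystream plus an HMAC tag, chosen so the script runs on the Python standard library alone) standing in for the standard AEAD a real vault format would use.

```python
import hashlib
import hmac
import json
import os
import secrets
import string

# Character set for generated passwords; secrets.choice draws from the OS CSPRNG.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed sample input: the kind of site list the answer describes.
SAMPLE_SITES = ["google", "amazon", "reddit", "cookbook-site-from-2019"]


def generate_password(length: int = 20) -> str:
    """Return a random password no human would choose or remember."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def derive_key(master: str, salt: bytes) -> bytes:
    """Stretch the master password into 64 key bytes: 32 for encryption, 32 for the MAC.
    scrypt parameters are an assumption for this demo (2^14 iterations, ~16 MiB)."""
    return hashlib.scrypt(master.encode(), salt=salt, n=2**14, r=8, p=1, dklen=64)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Demonstration keystream: HMAC-SHA256 in counter mode (not a standard cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_vault(master: str, entries: dict) -> bytes:
    """Serialise the password list and encrypt it under a key derived from the master password.
    Layout of the returned blob: salt(16) | nonce(16) | tag(32) | ciphertext."""
    salt, nonce = os.urandom(16), os.urandom(16)
    key = derive_key(master, salt)
    enc_key, mac_key = key[:32], key[32:]
    plaintext = json.dumps(entries).encode()
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    # Encrypt-then-MAC: the tag covers everything an attacker could alter on disk.
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + tag + ciphertext


def decrypt_vault(master: str, blob: bytes) -> dict:
    """Recover the password list; raise ValueError on a wrong master password or a modified vault."""
    salt, nonce, tag, ciphertext = blob[:16], blob[16:32], blob[32:64], blob[64:]
    key = derive_key(master, salt)
    enc_key, mac_key = key[:32], key[32:]
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong master password or vault tampered with")
    plaintext = bytes(a ^ b for a, b in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext.decode())


def new_vault(master: str, sites: list) -> tuple:
    """Create one unique password per site and return (encrypted blob, the plaintext entries)."""
    entries = {site: generate_password() for site in sites}
    return encrypt_vault(master, entries), entries


if __name__ == "__main__":
    blob, entries = new_vault("correct horse battery staple", SAMPLE_SITES)
    print("vault bytes on disk:", len(blob))
    print("all site passwords distinct:", len(set(entries.values())) == len(entries))
    print("unlocked:", decrypt_vault("correct horse battery staple", blob) == entries)
    try:
        decrypt_vault("wrong password", blob)
    except ValueError as err:
        print("wrong master password:", err)
```

Two design points the answer touches on are visible here. First, a breach of the cookbook site reveals only that site's random entry, which says nothing about the others, so the "formula" attack on option 2 has nothing to work with. Second, the decrypted `entries` dictionary sits in plain memory for as long as the process holds it; Python strings cannot be reliably wiped, which is exactly the "ghost image" risk the answer mentions and one reason dedicated managers lock the vault and scrub memory rather than leaving the decrypted list lying around.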
