
Password Management for People Who Think It's Too Complicated


Password managers are secure. They're also intimidating if you've never used one.

Here's a practical system that actual humans can follow.

The Reality

You have too many passwords. You reuse passwords. You use weak passwords.

This is normal. It's also fixable without becoming a security expert.

The Two-Tier Password System

Not all accounts need the same security level.

Tier 1: Critical Accounts (Unique, Strong, Managed)

These can destroy your life if compromised.

Accounts:

  • Email (primary)
  • Banking
  • Any account that can access your money
  • Any account that can reset other accounts
  • Work accounts with sensitive data

Requirements:

  • Unique password (never reused)
  • Strong password (12+ characters, random)
  • Two-factor authentication enabled
  • Stored in password manager

Number of accounts: Usually 5-10

Tier 2: Everything Else (Can Reuse, Less Critical)

These would be annoying if compromised but not devastating.

Accounts:

  • Shopping sites
  • Social media
  • Forums
  • Subscriptions
  • Games
  • Most apps

Requirements:

  • Different password from Tier 1
  • Can reuse across Tier 2 accounts
  • Decent password (not "password123")

Number of accounts: Potentially hundreds

This isn't perfect security. It's realistic security.

The Password Manager Choice

You need one. Pick the simplest option for your situation.

Option 1: Browser-Based (Free, Simple)

Built into:

  • Chrome
  • Safari
  • Firefox
  • Edge

Pros:

  • Already installed
  • Free
  • Auto-fills passwords
  • Works across devices if you sign in

Cons:

  • Less secure than dedicated managers
  • Limited features
  • Tied to browser

Best for: People who use one browser consistently, basic needs

Option 2: Dedicated Password Manager (Free Tier)

Options:

  • Bitwarden (free, open source)
  • 1Password (£3/month, user-friendly)
  • Dashlane (free for 50 passwords)

Pros:

  • More secure
  • Works across all browsers
  • Better organisation
  • Security reports

Cons:

  • Need to install
  • Learning curve
  • May cost money for full features

Best for: People serious about security, multiple devices

Option 3: Apple Keychain (Free, Apple Only)

Built into:

  • Mac
  • iPhone
  • iPad

Pros:

  • Excellent integration
  • Very secure
  • Completely free
  • Easy to use

Cons:

  • Apple ecosystem only
  • Limited if you use Windows/Android

Best for: Apple users who stay in ecosystem

Setting It Up (1 Hour, One Time)

This is tedious. Do it once, benefit forever.

Step 1: Choose Your Password Manager (5 minutes)

Based on criteria above, pick one.

Recommendation for most people:

  • Apple users: Apple Keychain
  • Everyone else: Browser password manager or Bitwarden

Don't overthink this. Any password manager is better than none.

Step 2: Install and Set Up Master Password (10 minutes)

You need one very strong master password. This is the only password you'll memorize.

Creating a strong master password:

Use a passphrase (easier to remember than random characters):

  • Bad: "password123"
  • Better: "MyDog1sC@lledMax"
  • Best: "correct-horse-battery-staple-7845"

Four random words + numbers = secure and memorable.
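How much strength "four random words + numbers" gives depends on the size of the list the words are drawn from, and only holds if the words are picked at random rather than chosen by you. The sketch below is an added example, not part of the original post: it builds a passphrase in the same shape with Python's `secrets` module and compares its entropy with a manager-generated random password. The 16-word list is constructed for the demo, and the function names are illustrative.

```python
import math
import secrets

# Constructed sample wordlist for the demo only; a real list should be much
# larger (the EFF long list has 7,776 words).
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "anchor", "blanket",
                "candle", "dolphin", "engine", "forest", "garden", "hammer",
                "island", "jacket", "kettle", "lantern"]

def make_passphrase(words, n_words=4, n_digits=4, sep="-"):
    """Pick words and digits with the OS CSPRNG (secrets), not random."""
    if len(set(words)) != len(words):
        raise ValueError("wordlist contains duplicates")
    chosen = [secrets.choice(words) for _ in range(n_words)]
    digits = "".join(secrets.choice("0123456789") for _ in range(n_digits))
    return sep.join(chosen + [digits])

def passphrase_bits(list_size, n_words=4, n_digits=4):
    """Entropy in bits when every word and digit is chosen uniformly."""
    return n_words * math.log2(list_size) + n_digits * math.log2(10)

def random_password_bits(length, alphabet_size=94):
    """Entropy of a manager-generated password over printable ASCII."""
    return length * math.log2(alphabet_size)

if __name__ == "__main__":
    print(make_passphrase(SAMPLE_WORDS))
    print(f"16-word demo list : {passphrase_bits(len(SAMPLE_WORDS)):.1f} bits")
    print(f"7,776-word list   : {passphrase_bits(7776):.1f} bits")
    print(f"16 random chars   : {random_password_bits(16):.1f} bits")
```

With a 7,776-word list the four-words-plus-four-digits shape lands at roughly 65 bits; the tiny demo list gives under 30, which is why the list size matters.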

Write it down:

  • Yes, physically write it
  • Keep in secure location (safe, locked drawer)
  • Don't keep digitally anywhere
  • You're allowed to write down your master password

Set up password manager:

  • Install app/extension
  • Create account
  • Set master password
  • Enable biometrics if available (fingerprint/face)

Step 3: Identify Tier 1 Accounts (5 minutes)

List your critical accounts:

  • Primary email
  • Banking apps (all of them)
  • PayPal/payment services
  • Any financial accounts
  • Work email/systems

Usually 5-15 accounts total.

Step 4: Change Tier 1 Passwords (30 minutes)

For each Tier 1 account:

  1. Go to account settings
  2. Find "Change Password"
  3. Use password manager to generate new password
    • 16+ characters
    • Random (let the manager create it)
    • Save in password manager
  4. Enable two-factor authentication (2FA)
  5. Move to next account

This is tedious. Do them all in one sitting. Put on music or a podcast.

Step 5: Add Tier 2 Accounts As You Use Them (Ongoing)

Don't try to add every account right now. Add them naturally:

When logging into any site:

  • Let password manager offer to save password
  • Save it
  • Continue

Over a few weeks, you'll naturally add all regular accounts.

Using the System Daily

After setup, using it is simple.

Logging Into Websites

On computer:

  1. Go to login page
  2. Password manager auto-fills username
  3. Password manager auto-fills password
  4. Click login

Faster than typing passwords manually.

On phone:

  1. Go to login page
  2. Tap password field
  3. Biometric authentication (fingerprint/face)
  4. Password fills automatically

Creating New Accounts

When signing up:

  1. Enter username/email
  2. Password manager offers to generate password
  3. Accept generated password
  4. Save to password manager
  5. Complete signup

You never see the actual password. Don't need to.

Two-Factor Authentication

Tier 1 accounts should have 2FA enabled.

Setup 2FA:

  1. Go to account security settings
  2. Enable two-factor authentication
  3. Choose method:
    • Authenticator app (Google Authenticator, Authy) - best option
    • SMS - better than nothing
    • Email - weakest but still useful
  4. Save backup codes in password manager

Using 2FA:

  1. Log in with password (auto-filled)
  2. Enter code from authenticator app
  3. Done

Adds 5 seconds. Massively increases security.

What About Shared Accounts?

Families need to share some accounts.

Option 1: Shared Folder in Password Manager

Many password managers have family plans:

  • 1Password Families
  • Bitwarden Organizations
  • Dashlane Family

Create shared folder for:

  • Streaming services
  • Shared utilities
  • Joint accounts

Each person can access but can't export passwords easily.

Option 2: Physically Shared Master List

For couples who trust each other:

  • Shared note on phone
  • Physical notebook in safe
  • Shared secure document

Less secure but simpler than family password manager.

Common Problems and Solutions

"I forgot my master password"

This is bad. There's no recovery for most password managers.

Prevention:

  • Write it down physically
  • Keep in secure location
  • Tell trusted person where it is
  • Some managers allow recovery contacts

Don't rely on memory alone for master password.

"The password manager won't auto-fill"

Troubleshooting:

  1. Check extension is installed and enabled
  2. Check you're logged into password manager
  3. Manually copy/paste from manager
  4. Update the URL in saved password

Not all sites work perfectly with auto-fill. Manual copy works fine.

"I can't access account because I don't remember the password"

If saved in password manager:

  1. Open password manager
  2. Search for account
  3. Copy password
  4. Paste into login

If not saved:

  1. Use "Forgot Password"
  2. Reset via email
  3. Save new password in manager

"What if the password manager company shuts down?"

Export your passwords:

  1. Go to manager settings
  2. Export passwords (usually CSV file)
  3. Store export securely
  4. Import to new manager if needed

Do this annually as backup.
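The same export can be used to check that the two-tier rules are actually being followed. The script below is an added example, not part of the original post: it reads a CSV export and flags any Tier 1 account whose password is reused anywhere else or is shorter than the 12-character minimum. The column names, the Tier 1 account names and the sample rows are assumptions constructed for the demo.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export. Column names (name,url,username,password) are an
# assumption; check the header row of your own manager's CSV export.
SAMPLE_EXPORT = """name,url,username,password
Mail,https://mail.example,me@mail.example,tR7#qLw9!vZp2@Kd
Bank,https://bank.example,me,sunshine2019
Forum,https://forum.example,me,sunshine2019
Shop,https://shop.example,me,sunshine2019
Work,https://work.example,me,Xy9$short
"""

TIER1 = {"Mail", "Bank", "Work"}   # hypothetical Tier 1 list from Step 3
MIN_TIER1_LEN = 12                 # "12+ characters" requirement

def audit(csv_text, tier1=TIER1, min_len=MIN_TIER1_LEN):
    """Return {account: [problems]} for Tier 1 entries that break the rules."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    users = defaultdict(set)               # password -> accounts using it
    for row in rows:
        users[row["password"]].add(row["name"])
    findings = {}
    for row in rows:
        if row["name"] not in tier1:
            continue                       # Tier 2 may reuse among itself
        problems = []
        shared = sorted(users[row["password"]] - {row["name"]})
        if shared:
            problems.append("reused by: " + ", ".join(shared))
        if len(row["password"]) < min_len:
            problems.append(f"shorter than {min_len} characters")
        if problems:
            findings[row["name"]] = problems
    return findings

if __name__ == "__main__":
    # Report account names only; never print the passwords themselves.
    for account, problems in audit(SAMPLE_EXPORT).items():
        print(f"{account}: {'; '.join(problems)}")
```

The export holds every password in plaintext, so run this locally and keep the file only where you would keep the backup itself.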

Security Practices That Actually Matter

Do These:

Enable 2FA on all Tier 1 accounts

  • Takes 5 minutes per account
  • Massive security increase
  • One-time setup

Use unique passwords for Tier 1

  • Let password manager generate them
  • Never reuse banking/email passwords

Keep password manager updated

  • Enable automatic updates
  • Actually install updates when prompted

Lock devices when away

  • Screen lock on phone
  • Lock computer when leaving desk
  • This protects password manager access

Don't Waste Time On These:

Changing passwords every 90 days

  • Outdated advice
  • Makes passwords weaker (people use patterns)
  • Only change if compromised

Memorizing random passwords

  • Impossible to remember properly
  • That's what the manager is for
  • Remember master password only

Avoiding browser password managers because "not secure enough"

  • They're secure enough for most people
  • Much better than reusing passwords
  • Perfect is enemy of good

The Realistic Security Model

Perfect security is impossible and impractical.

Goal: Make it hard enough that attackers move to easier targets.

This system achieves:

  • Unique passwords on critical accounts
  • Strong passwords managed automatically
  • 2FA on accounts that matter
  • Better security than 95% of people

This system doesn't protect against:

  • Targeted attacks by skilled hackers
  • Physical access to unlocked devices
  • Sophisticated phishing (but 2FA helps)

For normal people, this is sufficient.

Implementation Timeline

Week 1:

  • Day 1: Choose and set up password manager (30 min)
  • Day 2: Change email account passwords (15 min)
  • Day 3: Change banking passwords (20 min)
  • Day 4: Set up 2FA on email (10 min)
  • Day 5: Set up 2FA on banking (15 min)
  • Day 6-7: Add other Tier 1 accounts (30 min)

Week 2-4:

  • Add Tier 2 accounts as you use them
  • Get comfortable with daily usage
  • Let auto-fill do its job

After 1 month:

  • System feels natural
  • Most-used accounts are in manager
  • Logging in is faster than before

Signs You're Doing It Right

After 1 week:

  • Master password is memorized
  • Tier 1 accounts have unique passwords
  • Password manager is installed

After 1 month:

  • Auto-fill works on regular sites
  • You don't think about passwords
  • Logging in is faster than manual typing

After 6 months:

  • Can't remember individual passwords (good)
  • System is invisible
  • Security is better without thinking about it

The Hard Truth About Password Reuse

If you reuse passwords and one site gets hacked, attackers try that password everywhere.

Common scenario:

  1. Small forum gets hacked
  2. Your email/password leaked
  3. Attackers try same password on Gmail
  4. Access your email
  5. Request password resets everywhere
  6. Access banking, shopping, social media
  7. Drain accounts

This happens daily. Don't be a statistic.

The Minimum Viable System

If you only do three things:

  1. Use a password manager (browser built-in is fine)
  2. Unique passwords for email and banking
  3. Enable 2FA on email and banking

These three things cover 90% of security risk.

Everything else is optimization.

Starting Today

Right now (10 minutes):

  1. Choose password manager
  2. Install it
  3. Create master password
  4. Save it somewhere physical

This evening (30 minutes):

  5. Change your email password
  6. Change your banking passwords
  7. Enable 2FA on both

This week (2 hours total):

  8. Add remaining Tier 1 accounts
  9. Set up 2FA on critical accounts
  10. Start using auto-fill

Done. You're now more secure than most people.

Not perfect. But hugely better than before.

Boring. Simple. Secure enough.
