How NOT to Use a Password Manager (And Turn Security Into a Panic Hobby)
Password managers are supposed to make your life easier. But there is a special kind of person (you, me, all of us) who can turn any helpful tool into a stressful project.
Welcome to How NOT to Use a Password Manager: the classic mistakes that create chaos—followed by a setup that actually works, even if you’re not “a security person.”
1) Use the same master password you’ve used since 2012
Ah yes, the timeless classic: Password123! but with emotional attachment.
Do this instead: make the master password long. A phrase of four to six random words is a decent baseline. And yes: write it down once and store it safely until it sticks.
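To show why "four to six random words" is a sound baseline, here is an added example (not code from the original post) that generates such a passphrase with a cryptographically secure source and computes its entropy. The word list, its size and the helper names are constructed for this example; a real Diceware-style list has 7776 words, which is where the 12.9-bits-per-word figure comes from.

```python
import math
import secrets

# Constructed demonstration word list. A real Diceware-style list has 7776
# words (about 12.9 bits per word); this short list exists only so the
# example runs offline, and its per-word entropy is far lower.
WORDLIST = (
    "anchor", "basket", "cactus", "dolphin", "ember", "falcon", "garden",
    "harbor", "island", "jigsaw", "kettle", "lantern", "meadow", "nectar",
    "orbit", "pebble", "quartz", "ripple", "saddle", "timber", "umbrella",
    "velvet", "walnut", "yonder", "zephyr", "bridge", "candle", "desert",
    "feather", "glacier", "hammock", "juniper",
)  # 32 words -> exactly 5 bits per word


def entropy_bits(num_words: int, list_size: int) -> float:
    """Entropy of a passphrase of num_words words drawn uniformly at random
    from a list of list_size words."""
    return num_words * math.log2(list_size)


def random_chars_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a random character password, for comparison with a phrase."""
    return length * math.log2(alphabet_size)


def generate_passphrase(num_words: int = 6, wordlist=WORDLIST, sep: str = "-") -> str:
    """Draw words with secrets.choice (a CSPRNG); never use random.choice
    for anything that protects a vault."""
    if num_words < 1:
        raise ValueError("need at least one word")
    return sep.join(secrets.choice(wordlist) for _ in range(num_words))


if __name__ == "__main__":
    print(generate_passphrase())
    print(f"{entropy_bits(6, len(WORDLIST)):.1f} bits from this toy list")
    print(f"{entropy_bits(6, 7776):.1f} bits from a full 7776-word list")
    print(f"{random_chars_entropy_bits(12, 62):.1f} bits for 12 random alphanumerics")
```

The comparison line is the point: six words from a full list (about 77.5 bits) beats a 12-character random alphanumeric string (about 71.5 bits) and is far easier to type and remember, provided the words are picked by the generator and not by you.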
2) Don’t enable 2FA because it’s “annoying”
2FA is annoying. Getting your email hijacked is also annoying, but with more paperwork.
Do this instead: enable 2FA on your top targets: email, banking, social media. Use an authenticator app where possible.
3) Import everything and never clean it
Now you have 600 entries including “site (old)” and “site (older)” and “site (do not delete)”—and you still can’t log in.
Do this instead: do a 20-minute cleanup:
- Delete duplicates
- Merge accounts that are the same site
- Update your top 20 most-used logins first
4) Keep weak passwords because “it’s fine”
It’s not fine. It’s just untested.
Do this instead: change passwords in order of impact:
- Email (your “root account”)
- Banking / payment apps
- Social accounts
- Anything with saved cards
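The cleanup in item 3 (duplicates, same-site merges) and the impact ordering in item 4 are easiest to do against a CSV export of the vault. The following is an added example, not part of the original post: it reads a constructed export in the common name,url,username,password layout, groups entries that belong to the same site, reports password reuse, and lists weak entries in the order the article suggests fixing them. The impact tiers, the keyword matching on host names, and the tiny common-password list are assumptions of this example.

```python
import csv
import io
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample export using the name,url,username,password columns most
# managers offer on CSV export. The passwords are deliberately bad test values.
SAMPLE_EXPORT = """name,url,username,password
Gmail,https://accounts.google.com/signin,me@example.com,Password123!
Gmail (old),https://mail.google.com,me@example.com,Password123!
Bank,https://www.examplebank.test/login,me,Tr0ub4dor&3
Forum,http://forum.test,me,Password123!
Social,https://social.test,me,x9#Lq2vN!pR7wZ4b
"""

# Tiny constructed list of known-bad passwords; a real audit would use a
# breach list or the manager's own built-in check.
COMMON_PASSWORDS = {"password", "password123", "password123!", "123456", "qwerty"}

# Impact tiers from the article's "change in order of impact" list. Matching
# keywords in the host name is an assumption of this example, not a standard.
TIERS = (
    ("email", ("mail", "google")),
    ("banking", ("bank", "pay")),
    ("social", ("social",)),
)


def normalize_site(url: str) -> str:
    """Collapse a URL to a coarse site key so accounts.google.com and
    mail.google.com land on the same entry. Keeping the last two labels is a
    simplification; it mis-handles suffixes such as co.uk."""
    host = (urlsplit(url).hostname or url).lower()
    if host.startswith("www."):
        host = host[4:]
    return ".".join(host.split(".")[-2:])


def tier_of(site: str) -> int:
    """Lower number = higher impact; unknown sites sort last."""
    for index, (_, keywords) in enumerate(TIERS):
        if any(k in site for k in keywords):
            return index
    return len(TIERS)


def is_weak(password: str) -> bool:
    return len(password) < 12 or password.lower() in COMMON_PASSWORDS


def audit(csv_text: str) -> dict:
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    by_site = defaultdict(list)
    by_password = defaultdict(list)
    weak = []
    for row in rows:
        site = normalize_site(row["url"])
        by_site[site].append(row["name"])
        by_password[row["password"]].append(row["name"])
        if is_weak(row["password"]):
            weak.append((tier_of(site), row["name"]))
    return {
        # entries that are probably the same account and should be merged
        "merge_candidates": {s: n for s, n in by_site.items() if len(n) > 1},
        # groups of entries sharing one password: reuse to break up
        "reused_passwords": [n for n in by_password.values() if len(n) > 1],
        # weak entries, highest-impact tier first
        "fix_first": [name for _, name in sorted(weak)],
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_EXPORT).items():
        print(f"{key}: {value}")
```

Run it on a real export only from a trusted machine and delete the CSV afterwards; an unencrypted export is the whole vault in plain text.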
5) Save everything… except recovery info
The password manager isn’t magic if you lose access to it and your recovery method is “panic.”
Do this instead: store recovery codes and backup methods. Make sure you can recover your email account. That’s the real keystone.
6) Treat security like a hobby you do once a year
Security isn’t a single heroic weekend. It’s boring maintenance.
Do this instead: set a monthly reminder: update 3 passwords + check breach alerts.
Common ways people accidentally lock themselves out
- New phone + no backup codes
- 2FA tied to an old number you don’t have
- Master password “changed for security” and then forgotten
Do this instead: keep backup codes in the vault (and one offline copy), and make sure at least one recovery path doesn’t rely on a single device.
A fast setup checklist (20 minutes)
- Minute 1–5: Create master password, enable 2FA for the manager.
- Minute 6–10: Add email + banking + one social account. Turn on 2FA there too.
- Minute 11–15: Save recovery codes somewhere safe.
- Minute 16–20: Install the browser extension and test one login.
How NOT to share passwords
If you copy passwords into a chat message, congratulations: you invented a time bomb.
Do this instead: use the password manager’s sharing feature (or a secure note). If you must send something, send a one-time code or temporary access, not the password itself.
Password manager pro tip (that isn’t annoying)
Turn on auto-lock (short timeout) and biometric unlock if your device supports it. It’s the rare security feature that makes your life easier, not harder.
Mini FAQ
- “What if the password manager gets hacked?” Your risk is still lower than reusing passwords everywhere. Unique passwords + 2FA wins.
- “Can I just use my browser?” Better than nothing, but dedicated managers handle sharing, recovery, and auditing better.
- “Do I need to change every password today?” No. Start with email + banking, then work outward.
Conclusion
A password manager isn’t about becoming paranoid. It’s about becoming boringly safe.
If your money also vanishes in mysterious ways, How NOT to Save Money will feel oddly familiar. And if stress is keeping you up at night, How NOT to Meditate is a surprisingly good companion piece.
