Official template

Password manager setup

by @Admin
Security & emergency preparedness

Which password manager should I use and how do I set it up for all my accounts?

Project plan

18 tasks
1.

Why: Bitwarden is a widely recommended open-source choice: the vault is end-to-end encrypted with a key derived from your master password (the server never sees it), it syncs across all major platforms, and the free tier has no limit on the number of passwords or devices.

How:

  • Go to the official website (bitwarden.com) or your platform's app store, and check that the publisher is Bitwarden Inc. before installing.
  • Choose the 'Free' plan unless you need Premium features: file attachments, the built-in TOTP authenticator, Emergency Access, or the vault health reports (reused, weak and exposed passwords).
  • Do not rely on a browser's built-in password store alone: it is tied to that one browser and is unlocked whenever your OS session is, so it is not a separate security boundary.

Done when: The Bitwarden account is registered with the master passphrase from the next task (settle on the passphrase before you sign up; the service cannot reset it for you later).

2.

Why: Your master password is the single key that decrypts your vault; Bitwarden cannot reset or recover it, so it must be both unguessable and memorable.

How:

  • Use the Diceware method: generate (do not choose) at least 5, preferably 6, random words from a Diceware wordlist, with physical dice or Bitwarden's generator in passphrase mode ('correct-horse-battery-staple' is the classic illustration, not a password to use).
  • Avoid personal info, dates, song lyrics, or common phrases; a phrase you would think of is one an attacker's wordlist already contains.
  • Judge strength by entropy, not by character count: 5 words from a 7776-word list give about 65 bits, and such a passphrase is naturally 25+ characters long.

Done when: A unique passphrase is generated and memorized, and also written on the paper backup from task 4 while you are still learning it.
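To make the entropy claim above concrete, here is an added Python example (not from this page and not Bitwarden's code) that draws words with the OS CSPRNG and computes how many bits a passphrase of n words from a list of a given size provides. The 12-word sample list is constructed for illustration only and is far too small to use for a real passphrase; substitute a real Diceware list such as the EFF long list (7776 words).

```python
import math
import secrets

# Constructed sample wordlist for illustration only. A real Diceware list
# (for example the EFF long list) has 7776 entries; with a list this small
# the generated output is NOT a secure master password.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "ocean", "quartz",
                "velvet", "lantern", "pebble", "saddle", "tundra", "walnut"]

EFF_LONG_LIST_SIZE = 7776  # 6^5: five dice rolls select one word


def entropy_bits(word_count: int, list_size: int) -> float:
    """Entropy of word_count words drawn uniformly (with replacement) from list_size words."""
    return word_count * math.log2(list_size)


def words_needed(target_bits: float, list_size: int) -> int:
    """Smallest number of words from a list_size list that reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


def generate_passphrase(words: list[str], count: int, sep: str = "-") -> str:
    """Pick `count` words with secrets.choice (CSPRNG), never random.choice."""
    return sep.join(secrets.choice(words) for _ in range(count))


if __name__ == "__main__":
    # Demo only: the sample list yields ~3.6 bits per word, far too little.
    print(generate_passphrase(SAMPLE_WORDS, 5))
    for n in (4, 5, 6):
        print(n, "EFF words:", round(entropy_bits(n, EFF_LONG_LIST_SIZE), 1), "bits")
    print("EFF words needed for 80 bits:", words_needed(80, EFF_LONG_LIST_SIZE))
```

The point of `words_needed` is that the wordlist size, not the character count, sets the security level: four words from a 7776-word list is about 52 bits, which is weaker than the 16-character random strings generated later for individual sites.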

3.

Why: Two-step login stops someone who has only your master password from logging into the cloud vault. It does not protect a copy of the encrypted vault an attacker already holds (an export, or the cache on a stolen device), so the master passphrase is still what protects the data itself.

How:

  • In the web vault, go to Settings > Security > Two-step login and enable 'Authenticator app'.
  • Use a separate authenticator app such as Aegis (Android) or Ente Auth (iOS/Android/desktop). Do not store this TOTP secret inside Bitwarden: if you are locked out of the vault, the code needed to get back in would be locked inside it.
  • Scan the QR code, enter the current code to verify, and back up the authenticator app (both apps support encrypted exports).

Done when: 2FA is active for vault login and a code from the app has been accepted.

4.

Why: The recovery code disables two-step login if you lose the 2FA device. It does not recover a forgotten master password; Bitwarden cannot do that at all. The written-down passphrase and the recovery code together are what let you regain access.

How:

  • Go to Settings > Security > Two-step login and select 'View recovery code'.
  • Write it down physically or print it, on the same sheet as the master passphrase.
  • Store it in a physical safe or a locked drawer, not as a photo on your phone and not inside the vault it is meant to unlock.

Done when: The recovery code and master passphrase are stored in a secure physical location.

5.

Why: The extension fills credentials only on the site whose URL matches the vault entry, which defeats phishing pages on look-alike domains, and it captures new passwords as you create them.

How:

  • Install the extension for your primary browser (Chrome, Firefox, or Brave) from that browser's official extension store.
  • Log in and pin the extension to your toolbar.
  • In the extension's Settings, set 'Vault timeout' to 'On browser restart' or a short interval (e.g., 15 minutes). 'Lock' keeps the vault cached in encrypted form and asks for the master password or PIN; 'Log out' clears the cache entirely.

Done when: The extension icon is visible, logged in, and auto-fill works on a test site.

6.

Why: Provides access on the go and fills credentials inside mobile apps and the mobile browser.

How:

  • Download the app from the iOS App Store or Google Play Store (publisher: Bitwarden Inc.).
  • Enable auto-fill in the app's settings and in the phone's system autofill/password settings.
  • Enable biometric unlock (Face ID/fingerprint) for convenience. It is a convenience layer on top of the master password, not a replacement for it, so set a vault timeout on the phone as well.

Done when: The app is installed and auto-fill works in at least one app on the smartphone.

7.

Why: The browser's built-in store is unlocked with your OS session and readable by malware running as your user, and two managers offering to save the same login leaves a stale copy in one of them.

How:

  • Chrome/Brave: Settings > Autofill and passwords > Google Password Manager > Settings. Firefox: Settings > Privacy & Security > Passwords.
  • Turn 'Offer to save passwords' (Firefox: 'Ask to save passwords') OFF.
  • Turn 'Sign in automatically' OFF.

Done when: The browser no longer asks to save passwords.

8.

Why: Your email is the 'keys to the kingdom': nearly every other service resets its password through it.

How:

  • Log into your email provider (Gmail, Outlook, etc.).
  • Change the password to a 20+ character random string from the manager's generator, saving it in the vault before submitting the change.
  • Enable 2FA on the email account itself, preferring an authenticator app or hardware key over SMS, and review the recovery options (recovery phone/email, app passwords) so that none of them bypasses it.

Done when: Email password is updated in the vault and on the provider's site, with 2FA active.

9.

Why: Financial accounts have the highest direct impact if compromised.

How:

  • Visit each banking and investment site.
  • Use the manager's generator to create unique passwords; some banks cap length or forbid certain symbols, so adjust the generator to the site's rules rather than shortening by hand.
  • Save the new credentials in the vault before clicking 'Submit' on the website, so a failed or silently truncated change cannot lock you out.

Done when: All financial accounts have unique, manager-generated passwords.

10.

Why: These accounts are frequently targeted for identity theft and phishing.

How:

  • Update passwords for Facebook, Instagram, and LinkedIn, and enable 2FA on each.
  • WhatsApp has no account password; it verifies by phone number. Enable its 'Two-step verification' PIN instead and store that PIN in the vault.
  • Prioritize accounts that contain sensitive personal data.

Done when: Core social media accounts are secured in the vault.

11.

Why: These contain highly sensitive PII (Personally Identifiable Information).

How:

  • Identify portals for taxes, health insurance, and local government.
  • Update to manager-generated passwords and enable any available multi-factor authentication.

Done when: Government and health accounts are migrated.

12.

Why: To get every legacy credential into one place so the reuse audit covers all of them.

How:

  • Export passwords from Chrome/Firefox as a .csv file (Chrome: password manager settings > Export; Firefox: about:logins > menu > Export).
  • The file is plaintext: save it in a local, non-synced folder and import it right away via Web Vault > Tools > Import data, selecting the browser's format.
  • Crucial: Delete the .csv immediately and empty the trash. Deleting is not wiping (on SSDs and synced folders the content can linger), so full-disk encryption on the computer matters here.
  • The import also creates entries for accounts you already changed in tasks 8 to 11; merge the duplicates, keeping the newest password.

Done when: All legacy passwords are visible in the manager and duplicates are resolved.

13.

Why: Reusing passwords is a leading cause of account takeover via credential stuffing: a password leaked from one site is replayed against every other site.

How:

  • Use the 'Reports' feature (Bitwarden Web Vault > Tools > Reports). The 'Reused Passwords', 'Weak Passwords' and 'Exposed Passwords' reports require Premium; the 'Data Breach' report is free.
  • On the Free plan, export the vault as .csv, run the same check locally with a short script, and delete the file as in task 12.
  • Identify every account using a duplicate password.

Done when: A list of accounts requiring password changes is generated.

14.

Why: Eliminates the risk of one breach affecting multiple accounts.

How:

  • Work through the 'Reused Passwords' list, starting with the passwords shared by the most accounts.
  • Change each one to a unique random string of 16+ characters (or the site's maximum, if lower), saving it in the vault before submitting.
  • Aim for 5-10 accounts per day to avoid fatigue.

Done when: The 'Reused Passwords' report shows zero or minimal entries.
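For Free-tier users who do not have the Reused Passwords report, the following added Python (example code, not Bitwarden's) runs the same audit locally over a browser or vault .csv export, producing the ordered change queue that task 14 works through; it serves tasks 12 to 14 together. The five rows are constructed sample data in Chrome's export layout (name,url,username,password,note) and are not real credentials. Run it on a real export only from a local, non-synced directory and delete the file afterwards; the report prints a hash prefix rather than the password itself.

```python
import csv
import hashlib
import io
from collections import defaultdict

# Constructed sample in Chrome's export layout. Not real credentials.
SAMPLE_EXPORT = """name,url,username,password,note
Bank,https://bank.example,alice,Summer2023!,
Email,https://mail.example,alice@example.com,Summer2023!,
Forum,https://forum.example,alice,Summer2023!,
Shop,https://shop.example,alice,uK3$vq9!Lm2#pX7r,
Pension,https://pension.example,alice,password,
"""

MIN_LENGTH = 16  # the length task 14 asks for


def load_export(csv_text: str) -> list[dict]:
    """Parse a Chrome/Firefox-style CSV export into rows keyed by column name."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def fingerprint(password: str) -> str:
    """Short SHA-256 prefix so the report can name a password without printing it."""
    return hashlib.sha256(password.encode()).hexdigest()[:8]


def reused_passwords(rows: list[dict]) -> dict[str, list[str]]:
    """Map fingerprint -> entry names for every password shared by more than one entry."""
    groups = defaultdict(list)
    for r in rows:
        groups[fingerprint(r["password"])].append(r["name"])
    return {fp: names for fp, names in groups.items() if len(names) > 1}


def weak_passwords(rows: list[dict], min_length: int = MIN_LENGTH) -> list[str]:
    """Entries whose password is shorter than min_length or uses a single character class."""
    weak = []
    for r in rows:
        p = r["password"]
        classes = sum([any(c.islower() for c in p), any(c.isupper() for c in p),
                       any(c.isdigit() for c in p), any(not c.isalnum() for c in p)])
        if len(p) < min_length or classes < 2:
            weak.append(r["name"])
    return weak


def change_queue(rows: list[dict]) -> list[str]:
    """To-do order: reused passwords first (largest blast radius), then weak ones, no repeats."""
    queue = []
    for names in reused_passwords(rows).values():
        queue.extend(n for n in names if n not in queue)
    queue.extend(n for n in weak_passwords(rows) if n not in queue)
    return queue


if __name__ == "__main__":
    rows = load_export(SAMPLE_EXPORT)
    for fp, names in reused_passwords(rows).items():
        print(f"reused password {fp}: {', '.join(names)}")
    print("weak:", weak_passwords(rows))
    print("change in this order:", change_queue(rows))
```

Hashing the password before grouping is what makes the output safe to paste into a ticket or a note: two entries with the same prefix share a password, but the prefix alone does not reveal it.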

15.

Why: Passwords left in the browser are a second, weaker copy: they are readable by anyone or any malware with access to your unlocked OS session, and they will drift out of date once the manager is the source of truth.

How:

  • Chrome/Brave: Settings > Privacy and security > Clear browsing data > Advanced, check 'Passwords and other sign-in data', set the time range to 'All time' and clear. Firefox: about:logins > menu > 'Remove All Logins'.
  • If browser sync is on, the copies also live in your Google or Firefox account; clearing with sync enabled removes them there too. Confirm at passwords.google.com for Chrome.
  • Re-check after a restart that the browser's password list is empty.

Done when: The browser's internal password store is empty, locally and in the synced account.

16.

Why: Ensures a trusted person can access your vault in case of an emergency or death, without you having to share the master passphrase now.

How:

  • Go to Settings > Emergency Access (a Premium feature for your account; the trusted contact only needs a free Bitwarden account).
  • Invite the contact and choose the access type: 'View' (read-only) or 'Takeover' (they can set a new master password).
  • Set a 'Wait time' (e.g., 7 days). When they request access you are notified and can reject the request during that window; access is granted automatically only once it expires.

Done when: An emergency contact is invited and has confirmed.

17.

Why: Security is a process, not a one-time event; breaches of sites you use happen after setup, not before it.

How:

  • Create a recurring calendar event every 3 months.
  • Task: 'Check the Data Breach report (Tools > Reports), change any password for a breached site, and update weak passwords'.

Done when: A recurring reminder is active in your calendar.

18.

Why: To ensure you don't forget the passphrase over time; biometric and PIN unlock mean you otherwise rarely type it.

How:

  • Log out of one Bitwarden client (the browser extension is enough), since a lock can be opened with a PIN or biometrics but a logout always requires the master passphrase and 2FA.
  • Manually type the passphrase to log back in.
  • Do this once a week for the first month.

Done when: Successful login without checking the physical backup.
