Official template

Password manager setup

by @Admin
Security & Emergency Preparedness

Which password manager should I use and how do I set it up for all my accounts?

Project plan

18 tasks
1.

Why: Bitwarden is a widely recommended open-source choice for 2025: the vault is encrypted on your device with a key derived from the master password, so Bitwarden's servers never see it (zero-knowledge); it syncs across every major platform and browser; and the free tier has no limit on stored items or devices.

How:

  • Go to the official website (bitwarden.com) or your platform's app store; do not install from search-ad links.
  • Choose the 'Free' plan unless you specifically need file attachments or the built-in TOTP authenticator (Premium).
  • Do not rely on the browser's built-in password store: it works in that browser only, and its protection rests on your OS login rather than on a separate secret.

Done when: The Bitwarden account is registered.

2.

Why: Your master password is the only key to your vault, and Bitwarden cannot reset or recover it; it must be unguessable but memorable.

How:

  • Use the Diceware method: draw six words at random from a word list (roll dice against the EFF word list, or use the passphrase mode of Bitwarden's password generator). Do not pick the words yourself, and do not use well-known examples such as 'correct horse battery staple'.
  • Avoid personal info, dates, lyrics, quotes, or common phrases.
  • Six random words from the 7776-word EFF list give about 77 bits of entropy (five give about 65); the length follows from that, typically 25-35 characters. Bitwarden requires at least 12.

Done when: A unique passphrase is created and memorized.
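How a Diceware passphrase is drawn and how much entropy it carries, as an added example (not Bitwarden's or the EFF's code). The eight-entry word list is a constructed sample in the format of the EFF large word list (five dice digits, a tab, the word); a real run loads the full 7776-word list, which is why the entropy figures below are computed for that size rather than for the sample.

```python
"""Diceware-style passphrase generation with the OS CSPRNG.

Added example for the passphrase step above; it is not Bitwarden's code.
The word list below is a constructed eight-entry sample in the format of
the EFF large word list (five dice digits, a tab, the word); a real run
loads the full 7776-word list.
"""
import math
import secrets
from typing import Dict, List

# Constructed sample in EFF word-list format (dice index <TAB> word).
SAMPLE_WORDLIST = """\
11111\tabacus
11112\tabdomen
11113\tabdominal
11114\tabide
11115\tabiding
11116\tability
11121\tablaze
11122\table
"""


def parse_eff_wordlist(text: str) -> Dict[str, str]:
    """Map five-digit dice indices ('11111'..'66666') to words."""
    words: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        index, word = line.split("\t", 1)
        words[index] = word
    return words


def entropy_bits(list_size: int, n_words: int) -> float:
    """Entropy of n_words chosen uniformly from list_size words.

    Holds only if the words were chosen at random, not by a person.
    """
    return n_words * math.log2(list_size)


def words_needed(list_size: int, target_bits: float = 75.0) -> int:
    """Smallest word count reaching target_bits (6 for the EFF list)."""
    return math.ceil(target_bits / math.log2(list_size))


def generate_passphrase(words: Dict[str, str], n_words: int = 6, sep: str = "-") -> str:
    """Draw n_words with secrets.choice, the software equivalent of rolling dice.

    Never use random.choice here: it is seeded from predictable state.
    """
    pool: List[str] = sorted(words.values())
    return sep.join(secrets.choice(pool) for _ in range(n_words))


if __name__ == "__main__":
    wl = parse_eff_wordlist(SAMPLE_WORDLIST)
    n = words_needed(7776)
    print(f"{n} words from the EFF list: {entropy_bits(7776, n):.1f} bits")
    # Output from the tiny sample list is for demonstration only.
    print(generate_passphrase(wl, n))
```

The entropy estimate is only valid when the selection is uniform; a person choosing "random" words from the list produces far fewer bits than the formula reports, which is the reason the page insists on dice or a generator.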

3.

Why: A second factor stops someone who has learned your master password from logging in to your account from a new device. It does not protect a copy of the encrypted vault itself (a stolen export, or data taken from an unlocked device), so the master password must still be strong.

How:

  • In the web vault, navigate to Settings > Security > Two-step login.
  • Use an authenticator app like 'Aegis' (Android) or 'Ente Auth' (iOS/Android/Desktop), or a FIDO2 security key, which also resists phishing. Email as a second factor is weaker, because it rests on the mailbox you secure in task 8.
  • Scan the QR code and verify the setup with a generated code. Do not store this TOTP secret inside the Bitwarden vault itself: a locked vault would then lock away its own second factor.

Done when: 2FA is active for vault login.

4.

Why: Bitwarden cannot reset a forgotten master password, and without the recovery code a lost or wiped 2FA device locks you out permanently. The recovery code turns off two-step login so you can sign in with the master password again; it does not recover the master password, so that needs a backup of its own.

How:

  • Go to Settings > Security > Two-step login and select 'View recovery code' (the master password is requested).
  • Write it down physically or print it; write the master password on a separate sheet.
  • Store them in a physical safe or a locked drawer, ideally apart from each other, and never as an item in the vault or in an unencrypted cloud file.

Done when: The recovery code and a paper copy of the master password are stored in secure physical locations.

5.

Why: Extensions enable auto-fill and capture new passwords as you create them.

How:

  • Install the extension for your primary browser (Chrome, Firefox, or Brave).
  • Log in and pin the extension to your toolbar.
  • Set 'Vault timeout' to 'On browser restart' or a short interval (e.g. 15 minutes), with the timeout action 'Lock' (or 'Log out' on a shared machine), so an unattended browser does not expose the open vault.

Done when: The extension icon is visible and logged in.

6.

Why: Provides access to passwords on the go and enables auto-fill within mobile apps.

How:

  • Download the app from the iOS App Store or Google Play Store.
  • Enable 'Auto-fill Services' in the app settings and your phone's system settings.
  • Enable biometric unlock (Face ID / fingerprint) for convenience; it only unlocks a vault you are already logged into, so the master password is still required to log in.

Done when: The app is installed and auto-fill is functional on the smartphone.

7.

Why: The browser's built-in store is protected only by your OS login, and keeping two password stores means neither holds the complete, current set of credentials.

How:

  • Go to Browser Settings > Passwords.
  • Toggle 'Offer to save passwords' to OFF.
  • Toggle 'Auto Sign-in' to OFF.

Done when: The browser no longer asks to save passwords.

8.

Why: Your email is the 'keys to the kingdom' because it allows password resets for all other services.

How:

  • Log into your email provider (Gmail, Outlook, etc.).
  • Change the password to a 20+ character random string generated by your manager.
  • Ensure 2FA is enabled on the email account itself, preferably with an authenticator app or security key rather than SMS, and keep its recovery codes with the others from task 4.

Done when: Email password is updated in the vault and on the provider's site.

9.

Why: Financial accounts have the highest direct impact if compromised.

How:

  • Visit each banking and investment site.
  • Use the manager's generator to create unique passwords.
  • Save the new credentials in the vault before clicking 'Submit' on the website.

Done when: All financial accounts have unique, manager-generated passwords.

10.

Why: These accounts are frequently targeted for identity theft and phishing.

How:

  • Update passwords for Facebook, Instagram, and LinkedIn. WhatsApp has no account password (WhatsApp Web links via QR code), so enable its two-step verification PIN instead and store the PIN in the vault.
  • Prioritize accounts that contain sensitive personal data.

Done when: Core social media accounts are secured in the vault.

11.

Why: These contain highly sensitive PII (Personally Identifiable Information).

How:

  • Identify portals for taxes, health insurance, and local government.
  • Update to complex passwords and enable any available multi-factor authentication.

Done when: Government and health accounts are migrated.

12.

Why: To centralize your data and identify which accounts need updating.

How:

  • Export passwords from Chrome/Firefox as a .csv file. It is plaintext: save it to a local folder that is not synced to a cloud drive.
  • Import the .csv into Bitwarden's web vault (Tools > Import data), selecting the matching browser format.
  • Crucial: Delete the .csv file immediately afterwards and empty the Trash/Recycle Bin. Do not count on 'secure erase' tools: on SSDs they cannot guarantee the data is gone, so the point is not to leave the file around at all.

Done when: All legacy passwords are visible in the manager.

13.

Why: Reused passwords are what makes credential stuffing work: one password leaked from any site is replayed against every other account that shares it.

How:

  • Use the Reports feature in the Bitwarden web vault ('Reports' tab, or Tools > Reports). The 'Reused passwords' and 'Weak passwords' reports require Premium; on the free plan, export the vault, check it locally, and delete the export afterwards.
  • Identify every account using a duplicate password.

Done when: A list of accounts requiring password changes is generated.
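Tasks 12 and 13 in one place: converting a browser export to Bitwarden's CSV layout and checking it locally for reused and short passwords before the import, as an added example (not Bitwarden's importer or report code). The three-line export is constructed sample data in the layout Chrome writes (name,url,username,password,note); the target columns are those of Bitwarden's own CSV export. The check reports item names only, never the passwords, so its output can be kept as a to-do list.

```python
"""Convert a browser password export to Bitwarden's CSV layout and run a
local reuse/weakness check before importing.

Added example for the import and reused-password tasks above; it is not
Bitwarden's importer or report code. The three-line export below is
constructed sample data in the layout Chrome writes
(name,url,username,password,note); the target columns are those of
Bitwarden's own CSV export. The check reports item names, never passwords.
"""
import csv
import io
from collections import defaultdict
from typing import Dict, List

# Constructed sample of a Chrome "Export passwords" file (plaintext!).
CHROME_EXPORT = """\
name,url,username,password,note
Gmail,https://accounts.google.com/,alice@example.com,Summer2019!,
Shop,https://shop.example.net/login,alice,Summer2019!,
Bank,https://bank.example.org/,alice.x,qK7#pL2vR9mW4zT8nB1c,
"""

BITWARDEN_FIELDS = [
    "folder", "favorite", "type", "name", "notes", "fields", "reprompt",
    "login_uri", "login_username", "login_password", "login_totp",
]


def chrome_to_bitwarden(text: str) -> str:
    """Rewrite Chrome export rows as Bitwarden 'login' items (Bitwarden CSV)."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=BITWARDEN_FIELDS, lineterminator="\n")
    writer.writeheader()
    for row in csv.DictReader(io.StringIO(text)):
        writer.writerow({
            "folder": "", "favorite": "", "type": "login",
            "name": row["name"], "notes": row.get("note", ""), "fields": "",
            "reprompt": "", "login_uri": row["url"],
            "login_username": row["username"], "login_password": row["password"],
            "login_totp": "",
        })
    return out.getvalue()


def reused_password_groups(bitwarden_csv: str) -> List[List[str]]:
    """Item names sharing a password, one sorted group per reused password."""
    by_password: Dict[str, List[str]] = defaultdict(list)
    for row in csv.DictReader(io.StringIO(bitwarden_csv)):
        if row["login_password"]:
            by_password[row["login_password"]].append(row["name"])
    return sorted(sorted(names) for names in by_password.values() if len(names) > 1)


def short_passwords(bitwarden_csv: str, min_len: int = 16) -> List[str]:
    """Item names whose password is shorter than min_len (the target in task 14)."""
    return sorted(
        row["name"]
        for row in csv.DictReader(io.StringIO(bitwarden_csv))
        if len(row["login_password"]) < min_len
    )


if __name__ == "__main__":
    converted = chrome_to_bitwarden(CHROME_EXPORT)
    print("reused:", reused_password_groups(converted))
    print("shorter than 16:", short_passwords(converted))
    # In real use: write `converted` to a local, non-synced file, import it,
    # then delete both CSV files and empty the trash.
```

Run against a real export, the script reads and writes plaintext credentials; keep the files on local disk only, and treat the converted CSV exactly like the original export once the import has succeeded.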

14.

Why: Eliminates the risk of one breach affecting multiple accounts.

How:

  • Work through the 'Reused Password' list.
  • Change each one to a unique, 16+ character random string.
  • Aim for 5-10 accounts per day to avoid fatigue.

Done when: The 'Reused Password' report shows zero or minimal entries.

15.

Why: After the import, the browser's store is a second, weaker-protected copy of every password, readable by anyone who can unlock the device or by malware running as your user.

How:

  • Go to Browser Settings > Clear Browsing Data.
  • Select 'Advanced' and check 'Passwords and other sign-in data' (Chrome wording; in Firefox use the 'Remove all' option in about:logins).
  • Set time range to 'All time' and clear.
  • If browser sync is enabled, confirm the synced copy is gone too (e.g. passwords.google.com for Chrome).

Done when: The browser's internal password store is empty.

16.

Why: Bitwarden has no way to recover a lost master password, so Emergency Access is your own last resort as well as a provision for a trusted person in an emergency or death. Emergency Access is a Premium feature for the account that grants it; the trusted contact only needs a free account.

How:

  • Go to Settings > Emergency Access.
  • Invite a trusted contact (they need their own Bitwarden account) and confirm them after they accept.
  • Set a 'Wait period' (e.g. 7 days): during that window you can reject a request, so choose one long enough that you would notice.

Done when: An emergency contact is invited, has accepted, and is confirmed.

17.

Why: Security is a process, not a one-time event.

How:

  • Create a recurring calendar event every 3 months.
  • Task: 'Run the Data breach report (and the Exposed/Reused/Weak passwords reports on Premium) and update weak, reused, or breached passwords'.

Done when: A recurring reminder is active in your calendar.

18.

Why: To ensure you don't forget the passphrase over time.

How:

  • Log out of all Bitwarden instances.
  • Manually type the passphrase to log back in.
  • Do this once a week for the first month.

Done when: Successful login without checking the physical backup.
