If your passwords live in a text file, a Word doc, a sticky note, or a OneNote page, this post is for you.
I have worked in IT for over 35 years. In that time I have seen passwords stored in every wrong way you can think of. Spreadsheets on shared drives. Text files on desktops. Sticky notes on monitors. A Word doc called “passwords.docx” sitting in someone’s Documents folder. Every single one of those is a breach waiting to happen.
The fix is simple. Use a password manager. It does not matter which one. What matters is that your passwords are stored in an encrypted database, not in plain text.
What a Password Manager Actually Does
A password manager stores your passwords in an encrypted database file. You unlock it with one master password. Everything inside is encrypted at rest, which means that someone who gets hold of the file cannot read it without the master password: the file has to be decrypted with a key derived from that password before any entry becomes readable.
Most password managers also:
- Generate strong, random passwords for each account
- Auto-fill login forms so you do not have to remember anything
- Sync across devices (if you want that)
- Support two-factor authentication entries
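To make the two points above concrete (the vault is only readable with the master password, and the manager generates random passwords for you), here is a small added example, written for this post rather than taken from any of the tools it mentions. It is a toy vault that turns a master password into keys with PBKDF2, encrypts the entries, and attaches an authentication tag so a wrong master password or a modified file is rejected. The stream cipher built from HMAC-SHA256 in counter mode, the iteration count, and the sample entries are all assumptions chosen for the demo; real password managers use a vetted cipher such as AES-GCM or ChaCha20-Poly1305 and a memory-hard KDF such as Argon2 or scrypt.

```python
"""Toy encrypted vault: master password -> KDF -> keys; encrypt-then-MAC.

Illustrative only (stdlib only). Real password managers use AES-GCM or
ChaCha20-Poly1305 with Argon2/scrypt; the cipher here is a demo construction.
"""
import hashlib
import hmac
import json
import os
import secrets
import string

KDF_ITERATIONS = 200_000  # constructed value for the demo; tune for real use


def derive_keys(master_password: str, salt: bytes) -> tuple[bytes, bytes]:
    """Stretch the master password into separate encryption and MAC keys."""
    material = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), salt, KDF_ITERATIONS, dklen=64
    )
    return material[:32], material[32:]


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 over (nonce || counter) used as a PRF keystream (toy cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def lock_vault(entries: dict, master_password: str) -> bytes:
    """Serialize and encrypt the entries; layout: salt | nonce | ciphertext | tag."""
    salt = os.urandom(16)
    nonce = os.urandom(16)
    enc_key, mac_key = derive_keys(master_password, salt)
    plaintext = json.dumps(entries).encode()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def unlock_vault(blob: bytes, master_password: str) -> dict:
    """Verify the tag first, then decrypt; any mismatch is rejected before decrypting."""
    salt, nonce, ciphertext, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong master password or tampered vault")
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext.decode())


ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20) -> str:
    """Random password from a CSPRNG; every character is independently chosen."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def demo() -> dict:
    """Round-trip a constructed vault and show what a bad password or edit does."""
    master = "correct horse battery staple"  # constructed sample master password
    entries = {"example.com": {"user": "alice", "password": generate_password()}}
    blob = lock_vault(entries, master)

    wrong_rejected = False
    try:
        unlock_vault(blob, "not the master password")
    except ValueError:
        wrong_rejected = True

    tampered = bytearray(blob)
    tampered[40] ^= 0x01  # flip one bit inside the ciphertext region
    tamper_rejected = False
    try:
        unlock_vault(bytes(tampered), master)
    except ValueError:
        tamper_rejected = True

    return {
        "roundtrip": unlock_vault(blob, master) == entries,
        "plaintext_in_file": b"alice" in blob,
        "wrong_password_rejected": wrong_rejected,
        "tamper_rejected": tamper_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The design point to notice is the order of operations in unlock_vault: the tag is checked before anything is decrypted, so a wrong master password and a corrupted or edited file fail the same way, and the plaintext never appears on disk or in the error.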
The Options
I am not here to sell you on one specific tool. These are all solid options:
- KeePass: Local, offline, open source. The encrypted database is a single file you control. Good for teams that want to store the vault on a locked-down shared drive.
- 1Password: Cloud synced, polished UI, good for families and teams. Paid subscription.
- ProtonPass: Privacy focused, end-to-end encrypted, from the same team behind ProtonMail. Free tier available.
- LastPass: Cloud synced, widely used. Has had security incidents in the past, but still uses encrypted vaults.
Pick what fits your workflow. The important part is the encryption, not the brand.
Keep Work and Personal Separate
Do not store work passwords and personal passwords in the same database. If one is ever breached, you do not want both compromised at the same time.
For work, I use KeePass. The encrypted database sits on a locked-down shared drive that only management can access. For personal and professional use, I use ProtonPass. Two separate vaults, two separate risk profiles.
This is a small habit that makes a big difference if something goes wrong.
How to Share a Password Safely
Sometimes you need to send someone a password. When that happens, never put the username and password in the same message.
Send the username through one channel (email or chat). Send the password through a different channel (text message or phone call). This applies to temporary passwords, one-time codes, and permanent credentials. The two pieces should never travel together.
If your team uses a shared password vault (like a KeePass database on a locked-down drive), that is even better. The password never leaves the encrypted database at all.
What You Should Do Right Now
- Pick a password manager. Any of the ones listed above will work.
- Move your passwords out of plain text and into the encrypted vault.
- Delete the old text files, spreadsheets, and sticky notes.
- Set up separate databases for work and personal.
- Start generating random passwords for new accounts instead of reusing old ones.
It takes about 30 minutes to get set up and move your most important accounts over. After that, it is just part of the routine.