Best password managers in 2026: a careful guide for UK users

UK BUYER'S GUIDE


Passkeys are taking over, but passwords aren't going anywhere fast. Here are the password managers worth using in 2026 - tested for real UK use, with honest takes on the trade-offs.


A 1Password vault and sharing panel - the kind of central control a good password manager gives you in 2026.

If you're still re-using the same password across multiple sites in 2026, this is the year to fix it. Password managers have got dramatically more useful since the bad old days of typing passwords into browser autofill, and they're now the easiest way to handle the new generation of passkeys as well. The category has also been through some upheaval - LastPass's 2022 breach reshaped the trust map, and a wave of new entrants (Proton Pass) have given established players (1Password, Bitwarden, Dashlane) real competition. Here's what's actually worth using in 2026.

1. Why use a password manager in 2026?

Three reasons, all stronger in 2026 than they were a few years ago.

Passkeys still need a manager

Passkeys are the future, but the present is messy. Some sites support them, most don't. Some apps work with iCloud Keychain or Google Password Manager only, leaving Windows or cross-platform users behind. A modern password manager handles passkeys, traditional passwords, and the long list of sites that still send you a one-time code over email - all in one place.

Breaches keep happening

Major password leaks are still routine. Every reused password is a ticking time bomb - if one site is breached, every site sharing that password is compromised. A password manager generates and stores a unique password per site, and shows you which of your existing accounts are weak or reused.

Two-factor authentication needs a place to live

TOTP codes (the rotating 6-digit numbers from Google Authenticator or Authy) are the strongest mainstream second factor outside of hardware keys. Most modern password managers store TOTP codes alongside passwords, autofill them with a click, and back them up when you change phone. That alone justifies switching from a notes app or a piece of paper.

The honest scope

A password manager doesn't make you immune to phishing, doesn't cover every edge-case site (some banks still block autofill), and isn't a replacement for a hardware security key for your most critical accounts. It is, however, the single biggest security upgrade the average UK user can make.


A modern password manager handles passwords, passkeys, TOTP codes and breach monitoring in one place - the foundation of personal digital security.

2. Best password manager overall

Top pick for most people

1Password

1Password remains the easy recommendation for most UK buyers in 2026. Mature, well-designed apps on every platform, excellent passkey handling, family plans that include up to 5 users, business plans that scale, regular independent audits, and a track record of transparent communication around any minor incidents. Unique 'Travel Mode' lets you remove sensitive vaults before crossing borders.

Why it wins

  • Best apps in the category - native iOS, Android, macOS, Windows, Linux clients all feel polished.
  • Excellent passkey support - works as a passkey provider on iOS, Android, Chrome and Safari.
  • Watchtower - flags reused, weak, or compromised passwords proactively.
  • Family sharing done right - per-vault permissions, shared logins for streaming services, separate private vaults for each member.
  • Secret Key + master password - you can't decrypt the vault with the master password alone, which makes server-side breaches far less catastrophic.

What you give up

It's a paid-only service. The free tier (a 14-day trial) ends and you're either a subscriber or you're not. There's no free 'lite' forever-tier. For most people the value is worth the £3-5/month; budget-conscious users can do better elsewhere.


1Password's Watchtower flags reused, weak and compromised passwords proactively, with one-tap remediation.

3. Best free / open source

Best free pick

Bitwarden

Bitwarden is the best free password manager that exists, and the paid tier (£10/year) is the cheapest serious option. Open source on every platform (server and clients), independently audited, self-hosting option for technical users, and a free tier that includes unlimited devices and unlimited passwords - a rare combination.

Free tier vs paid (Bitwarden Premium)

Free includes:

  • Unlimited password storage
  • Sync across all devices
  • Password sharing with one other user
  • Basic 2FA support

Premium (£10/year) adds:

  • Built-in TOTP code generation
  • 1GB encrypted file attachments
  • Advanced 2FA options (YubiKey, Duo, FIDO2)
  • Vault health reports
  • Emergency access for trusted contacts

What you give up vs 1Password

  • The apps are functional but less polished.
  • No equivalent of 1Password's Secret Key - the master password is the only line of defence (use a strong one).
  • Family plans aren't quite as well thought out (shared vaults rather than per-user vaults with permissions).

Honourable mention: KeePass

If you want a fully local, open source solution with no cloud sync at all, KeePass (or KeePassXC, the modern fork) is the answer. You manage your own database file and sync it manually via Dropbox/iCloud/Syncthing. Powerful and private, but the UX is heavily DIY. Recommended only for technical users who specifically want to avoid the cloud.

4. Best privacy-focused option

Most privacy-focused

Proton Pass

Proton Pass launched in 2023 and matured fast. Same company as Proton Mail, Proton VPN and Proton Drive - Swiss-based, with a consistent privacy-first stance. Open source clients on every platform, end-to-end encryption with extensive metadata protection, aliases for sign-up email addresses, integrated 2FA, and a free tier that's genuinely usable. The whole Proton ecosystem appeals if you care about keeping your data away from US-based providers.

Why it stands out

  • Hide-my-email aliases - generate a unique random email per signup, all forwarding to your real inbox. Cuts spam dramatically and limits data brokers' ability to correlate identities.
  • Email-on-disposable-domain protection - aliases live on your own Proton domain (paid tier) or passmail.net / aleeas.com / SimpleLogin domains.
  • End-to-end encryption with metadata protection - even Proton can't see which sites you have logins for.
  • Family plan bundles - Pass + Mail + VPN + Drive together cheaper than buying separately.
  • Swiss jurisdiction - outside US/EU/UK data-sharing arrangements.

Limitations

Less mature than 1Password or Bitwarden in some edge cases - autofill on certain Android apps occasionally needs manual triggering, and the desktop app feels newer. Not a deal-breaker, but worth knowing if you have a complex setup.

5. Best for families and shared households

Family plans are where password managers earn their keep - one subscription, everyone in the household, plus shared logins for streaming services and family accounts.

Best family plan

1Password Families (5 users)

Per-user vaults with their own master password, shared family vaults for things like Netflix and Disney+, an organiser/admin role so one person manages billing, and Travel Mode that lets each user hide sensitive vaults independently. The family plan costs roughly the same as two individual plans, so anyone in a 3+ person household saves real money. Well-designed for blended households where adults have separate work logins.

Alternative: Bitwarden Families

Cheaper than 1Password Families and supports up to 6 users. Less polished (single shared 'Organisation' rather than 1Password's clean per-user vault model), but the price/feature ratio is excellent. Worth considering if you want the cheapest sensible family option.

Alternative: Proton Pass Family

Comes bundled with Proton Mail Family, Proton VPN Family, Proton Drive Family in the Visionary plan. If you're already considering multiple Proton services, the family bundle pricing is hard to beat.

What 'family sharing' actually does

Each member has their own private vault that nobody else can see - even the family admin. Shared vaults exist explicitly: 'Streaming services', 'Council tax login', etc. Family members can be granted access to specific shared vaults. It's collaborative without being invasive.

6. Best for small businesses and freelancers

Best for small business

1Password Business / Teams

1Password's business tiers add proper SSO integration (Okta, Microsoft Entra), provisioning from your identity provider, advanced reporting, and per-team vault management. Pricing is per-user-per-month with discounts on annual billing. The free 'Families' add-on for every employee is a thoughtful touch.

Alternative: Bitwarden Teams / Enterprise

Bitwarden's business tiers are dramatically cheaper than 1Password's, and the self-hosting option is unique in the category. If your small business has technical staff and wants to host the password manager on its own infrastructure (for compliance or sovereignty reasons), Bitwarden is the only mainstream choice.

Alternative: Dashlane Business

Dashlane has carved out a niche in the SMB space with a slightly more polished admin console than Bitwarden and integrated dark-web monitoring. The included VPN feature is nice but not a substitute for a dedicated VPN service.

What to set up on day one of any business deployment

  • SSO integration with your identity provider
  • Per-team vaults (not 'one big company vault')
  • Mandatory 2FA for all users (TOTP minimum, FIDO2 if possible)
  • Quarterly password health reports
  • Offboarding process that immediately removes the user from all vaults

7. Why not just use iCloud or Google's built-in?

Apple's iCloud Keychain and Google Password Manager have got better in the last two years. They're not enough for most people. Two clear reasons.

Cross-platform reality

iCloud Keychain works perfectly on iPhone, iPad and Mac, and acceptably on Chrome on Windows. It does not work on Android. Google Password Manager is the inverse - excellent on Android and Chrome, limited on iOS, non-existent on Mac. Most UK households have a mix - iPhone owner with a Windows PC, Android owner with an iPad, kids on Chromebooks. A proper cross-platform password manager covers all of them.

Family sharing is harder

iCloud Keychain has 'Shared Password Groups' (introduced in iOS 17), which works for 2-5 family members on iCloud. Google's equivalent is limited. Neither offers the per-vault, per-permission flexibility of a real family plan.

What the built-in managers are good for

If your entire household lives in one ecosystem and you don't need shared vaults, iCloud Keychain or Google Password Manager are acceptable. They're free, they autofill, they sync. Use them if a dedicated password manager genuinely doesn't fit your life.

Migrating is painless in 2026

All major password managers offer one-click import from iCloud Keychain, Google Password Manager, Chrome, Safari, Firefox, LastPass and 1Password (between each other). The friction of migration is no longer a real barrier.


Built-in keychains work well within one ecosystem - cross-platform households really benefit from a dedicated password manager

8. Migrating safely from another manager

If you're switching - especially if you're leaving LastPass after the 2022 breach - there's a clean way to do it.

Export and import

  • Export your existing vault to CSV (every major manager supports this).
  • Import the CSV into your new manager.
  • Verify a few critical logins work in the new manager.
  • Don't immediately delete the old account - keep it for a week as a backup.
  • After a week of confirmed working, delete the old account and securely shred the CSV.

Rotate weak and reused passwords during migration

Migration is the perfect time to rotate the worst passwords. The new manager will tell you which are reused or compromised. Spend 30 minutes changing the top 20 most important ones - banking, primary email, payment services, employer login. The rest can rotate as you naturally log in to each site.
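Before importing, the exported CSV itself can be checked for the reuse this step is about. The following is an added example, not code from any password manager: the column names (`name,url,username,password`), the `audit_export` helper, the 12-character threshold and the sample rows are all assumptions constructed for illustration. It reports only site names, never the passwords, and treats two entries for the same host as one site.

```python
import csv
import io
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample export; column names are an assumption and differ
# between managers, so adjust them to match your own file's header row.
SAMPLE_EXPORT = """name,url,username,password
Bank,https://bank.example/login,alice,correct-horse-1
Shop,https://shop.example/,alice@example.com,Summer2024!
Forum,https://forum.example/signin,alice,Summer2024!
Shop (old),https://www.shop.example/account,alice,Summer2024!
Mail,https://mail.example/,alice,kT9#vLq2xW7pZr4m
"""


def host_of(url):
    """Normalise a login URL to its host so duplicates of one site merge."""
    host = (urlparse(url).hostname or url).lower()
    return host[4:] if host.startswith("www.") else host


def audit_export(csv_text, min_length=12):
    """Return hosts that share a password and hosts with short passwords.

    Passwords are only held in memory as grouping keys; the result
    contains host names alone, so it is safe to print or save.
    """
    hosts_by_password = defaultdict(set)
    short = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        password = row.get("password") or ""
        if not password:
            continue                      # e.g. passkey-only or note entries
        host = host_of(row.get("url") or row.get("name") or "")
        hosts_by_password[password].add(host)
        if len(password) < min_length:
            short.add(host)
    reused = sorted(sorted(hosts) for hosts in hosts_by_password.values()
                    if len(hosts) > 1)    # same password on 2+ distinct hosts
    return {"reused": reused, "short": sorted(short)}


if __name__ == "__main__":
    report = audit_export(SAMPLE_EXPORT)
    for group in report["reused"]:
        print("same password on:", ", ".join(group))
    print("shorter than 12 characters:", ", ".join(report["short"]))
```

The export holds every password in plaintext, so run a check like this on the same machine and remove the file afterwards as described above.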

Move TOTP codes carefully

Some authenticator apps make TOTP migration awkward. Google Authenticator has an export feature; Authy and Microsoft Authenticator do not. The cleanest approach: when you migrate to your new password manager, re-enrol each 2FA login one at a time (most banks let you remove and re-add a TOTP authenticator from your security settings). Tedious for the first hour, peace of mind forever after.

If you're leaving LastPass

The 2022 LastPass breach exposed encrypted vaults. The current consensus is that any password stored in LastPass before 2023 should be considered potentially compromised. Don't just import and forget; rotate every important password as part of the migration. Painful, but necessary.

9. Setting up a password manager from scratch

If you've never used a password manager, the first 30 minutes matter more than the next year. A bad setup leaks passwords through weak master credentials or missing 2FA. Here's how to do it properly.

Step 1: Pick a strong master password

The master password is the only password you ever need to memorise, and it's the only thing standing between an attacker and every other password you have. Get it right.

  • Length matters more than complexity. A 16-character password is meaningfully harder to crack than a 12-character one, even if the longer password has 'easier' characters.
  • Use a passphrase - 4-6 random words like 'lemon-coffee-window-glacier-rabbit' is far easier to remember and cryptographically stronger than 'P@ssw0rd123!'.
  • Don't reuse this password anywhere. Ever.
  • Don't write it on a sticky note on your monitor. A safe place at home is fine; a public-facing visible spot is not.
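The strength of a passphrase comes from the words being picked at random, not from the words themselves. The following is an added example, not taken from any password manager: it draws words with a cryptographic random source and computes the resulting entropy. The 16-word list is constructed so the block runs offline; the 7,776-word list size used in the figures is an assumption (a diceware-style list), and the function names are hypothetical.

```python
import math
import secrets

# Constructed 16-word list so the block runs offline. It is far too small
# for real use: a diceware-style list has thousands of words (7,776 is
# the size assumed in the figures below).
DEMO_WORDS = ["lemon", "coffee", "window", "glacier", "rabbit", "anchor",
              "velvet", "thunder", "pebble", "orchid", "lantern", "walnut",
              "harbour", "saddle", "copper", "meadow"]


def clean_wordlist(words):
    """Lower-case, strip and de-duplicate; duplicates would overstate entropy."""
    seen, out = set(), []
    for word in words:
        word = word.strip().lower()
        if word and word not in seen:
            seen.add(word)
            out.append(word)
    if len(out) < 2:
        raise ValueError("wordlist needs at least two distinct words")
    return out


def entropy_bits(n_words, list_size):
    """Bits of entropy when each word is drawn uniformly and independently."""
    return n_words * math.log2(list_size)


def words_needed(target_bits, list_size):
    """Smallest number of random words that reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


def generate(words, n_words=5, sep="-"):
    """Draw n_words with the OS CSPRNG (never random.choice or by hand)."""
    words = clean_wordlist(words)
    return sep.join(secrets.choice(words) for _ in range(n_words))


if __name__ == "__main__":
    print("demo passphrase (16-word list, illustration only):",
          generate(DEMO_WORDS))
    for n in (4, 5, 6):
        print(f"{n} words from a 7,776-word list: "
              f"{entropy_bits(n, 7776):.1f} bits")
```

The entropy figure only holds when a program or dice chooses the words; a phrase you thought of yourself, or one copied from an article, does not have it.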

Step 2: Enable 2FA on the manager itself

Almost every modern password manager supports two-factor authentication on the manager's own login. This is non-negotiable. Use an authenticator app (Aegis, Authy, Google Authenticator) or a hardware security key (YubiKey, Nitrokey). SMS-based 2FA is acceptable but markedly weaker.

Step 3: Set up emergency access

1Password and Bitwarden Premium both let you nominate a trusted contact who can request access to your vault if you become unable to. The system has a waiting period (typically 7-30 days) so the trustee can't just take it; you can deny the request during the wait. For anyone with significant digital assets or a family that needs access in case of incapacitation, this is essential.

Step 4: Import existing passwords

Export from your current keychain (browser, iCloud, Google) as CSV, import into the new manager, then verify a few critical sites work before deleting the source export.

Step 5: Run the password health check

Every modern password manager has a 'Watchtower'-style feature that flags reused, weak or compromised passwords. Run it. Spend 30 minutes rotating the worst offenders - prioritise primary email, banking, payment services, employer systems, social media. The rest can rotate gradually as you log in.

Step 6: Install on every device

Phone, laptop, tablet, work computer if allowed. Browser extensions on every browser you use. Autofill needs to be enabled in iOS and Android settings (it's not on by default).

Step 7: Print the recovery codes

Most managers let you generate one-time recovery codes that can unlock your account if you lose access to 2FA. Print them, put them somewhere safe, never store them in the password manager itself (circular dependency).

The 'fire safe' approach

Print: master password, 2FA recovery codes, and emergency-access nominee instructions. Put them in a small fireproof safe at home, or in a sealed envelope at a parent or sibling's house. This is the only 'paper backup' worth keeping; everything else lives digitally.


A correctly set up password manager has master password + 2FA + emergency access + recovery codes - all done in the first 30 minutes

10. UK-specific service compatibility

Most password managers work everywhere. A handful of UK-specific services have quirks worth knowing about.

Banks and building societies

  • Barclays, HSBC, NatWest, Lloyds, Santander, Halifax, RBS: Full autofill support in mobile apps and web. 2FA stored alongside passwords works smoothly.
  • Monzo, Starling, Revolut: Excellent password manager support; biometric login on mobile reduces password use.
  • Nationwide: Web autofill works; mobile app autofill is sometimes flaky and requires manual paste.
  • Some smaller building societies (Yorkshire, Skipton): Variable support - check user reviews before trusting autofill on critical login flows.

HMRC, government services and the NHS

  • HMRC personal tax account: Works well with autofill via Government Gateway. Consider storing your Government Gateway ID and password as a single login entry.
  • NHS app: Login can be NHS login or Government Gateway depending on setup. Both work with password managers.
  • DVLA, Passport Office, gov.uk verify: Standard autofill. Government services tend to use straightforward web forms that play nicely.

Streaming and entertainment

  • BBC iPlayer, ITVX, Channel 4, My5: Standard email/password, all supported.
  • Sky Go, Now TV: Some account-merging quirks but autofill works.
  • Netflix, Disney+, Amazon Prime: Standard.
  • Apple TV+, Apple Music: Apple ID, which Apple's own keychain handles best - your password manager can store it but the OS-level handoff is smoother.

Utilities and council services

British Gas, Octopus Energy, Thames Water, Severn Trent, council tax portals - all standard email/password setups, all autofill-friendly. Octopus Energy in particular has excellent password manager support and uses passkeys for new logins.

Where things get weird

  • Some legacy work intranets: Custom Single Sign-On flows that don't match the autofill heuristics. You may need to manually paste.
  • Older trade and professional bodies: RICS, CIArb, etc. sometimes use bespoke login flows that confuse browser extensions.
  • Pension providers (Aviva, Legal & General): Multi-step login often needs autofill enabled per-step rather than as one flow.

If autofill doesn't work on a UK site

Almost always one of three causes: (1) the site uses a custom login form the manager hasn't learned yet - try saving the login manually after typing it once; (2) the site loads the password field via JavaScript after the page renders, which some extensions miss; (3) the site has a multi-step flow (email, then password on the next page) - just save them as separate fields. Almost never the password manager's fault long-term.

Frequently asked questions

Are passkeys replacing passwords entirely in 2026?

Slowly. Major sites (Apple, Google, GitHub, Amazon, banks) support passkeys, but plenty don't. The transition will take years. A password manager that handles both is the practical answer for the next 3-5 years, and all of our recommended picks do.

What happens if I forget my master password?

It depends on the service. 1Password requires both your master password and a Secret Key (printed during setup), so losing one but not both has a recovery path. Bitwarden, Proton Pass and Dashlane have no master-password recovery - if you forget it, your vault is unrecoverable. Print or write down your master password somewhere safe (not on your phone), and consider setting up emergency-access trustees if your manager supports it.

Is it really safe to put all my passwords in one place?

More than the alternative (re-using passwords or storing them in a notes app). All major password managers use end-to-end encryption with your master password as the key - even the company itself can't read your vault. The risk is your master password, not the manager. Make it strong, never re-use it, and use 2FA on the manager itself.

Should I pay or use a free option?

Bitwarden's free tier is genuinely good and covers most needs. If you have a family or want polished apps, paid is worth the £3-5/month. The free options are not 'worse' versions - they just have fewer features.

Can password managers handle UK banking apps?

Mostly yes. Most UK high-street banks support autofill from password managers in their apps. A few (notably some legacy building societies) still don't. The major password managers all have specific UK bank support pages.

What about hardware security keys?

A YubiKey or similar is the strongest second factor available. For your most critical accounts (primary email, password manager itself, banking) it's worth pairing your password manager with a hardware key. 1Password, Bitwarden, Dashlane and Proton Pass all support hardware-key 2FA on their own login.

Will a password manager work with my legacy work email like Lotus Notes or older Outlook?

Probably yes - all major password managers integrate with Windows credential storage, which most legacy email clients use. Worst case, you can manually paste the password from the manager. The Outlook 365 web interface is fully autofill-supported.

What if I lose my phone?

If you have multiple devices set up (phone + laptop + tablet), losing one device is mostly an inconvenience - you log in from another device, remove the lost device from the manager, and re-pair when replaced. If your phone is your only device, you need either: (a) recovery codes printed, (b) emergency access nominee, or (c) Apple's iCloud Keychain or Google Password Manager fallback. Plan for this in advance.

Are passkeys more secure than passwords stored in a manager?

In some ways yes (passkeys can't be phished and aren't reusable across sites), but they need a manager too. The passkey is stored on a device or in the cloud. A password manager that handles passkeys gives you the same secure storage as built-in keychains, with cross-platform portability.

How do I share passwords with family members safely?

Use a family plan with shared vaults rather than emailing passwords. Each family member has their own private vault that nobody else (including admins) can see, plus shared vaults for streaming services, family Wi-Fi password, etc. 1Password Families and Bitwarden Families both do this well.

Are biometric logins to the manager (Face ID, Touch ID) secure?

Yes - they unlock the manager locally on a device that already has your master password stored. The biometric never replaces the master password; it just speeds up unlocking. If biometrics fail (cold finger on Touch ID, mask on Face ID), the manager falls back to typing the master password.

Should I store credit card details in the password manager?

Yes - all major password managers have a separate 'Card' entry type that fills card details on checkout pages. It's significantly safer than letting browsers remember card details, and it lets you carry the card numbers between devices. Add the CVV separately if you want; some managers prompt for it on each use.

Quick recommendations for UK buyers

Best overall: 1Password. Polished apps, excellent family plan, Secret Key adds a meaningful layer of breach protection.

Best free / open source: Bitwarden. Genuinely usable free tier, the cheapest paid plan, fully open source on every platform.

Most privacy-focused: Proton Pass. Swiss-based, end-to-end encrypted with metadata protection, integrated email aliases.

Best for families: 1Password Families - per-user vaults plus shared family vaults, Travel Mode, and clean billing.

Best for small business: 1Password Business if you want polish, Bitwarden Teams if you want the lowest cost or self-hosting.

Whichever you pick, set a strong master password, enable 2FA on the manager itself, set up emergency access for a trusted person, and start rotating any reused or weak passwords immediately. A password manager is the most valuable security upgrade the average UK user can make - and the only one that pays back the time investment within a week.
