How to Choose a Password Manager and Clean Up Old Passwords
A password manager turns the impossible task of unique passwords into a one-time setup. Here is how to pick one and methodically clean up reused, weak, and breached logins.

Most people know they should not reuse passwords, and most people do it anyway, because remembering dozens of unique ones is impossible. A password manager solves that by remembering them for you. Pick one, let it generate strong passwords, and the hardest security habit becomes the easiest. This guide explains how to choose a manager and, just as importantly, how to clean up the messy pile of reused and weak passwords you already have.
Why this is the highest-value security task
The UK's National Cyber Security Centre (NCSC) explains the core problem clearly: "if you use the same password across different accounts and one of your accounts is compromised, a hacker can try the same password on your other accounts." This is called credential stuffing, and it is how a single old breach turns into a chain of broken accounts.
A password manager breaks that chain. It creates a different strong password for every site, so a leak from one service cannot unlock the others. The NCSC also highlights a quieter benefit: a good manager's autofill "fills passwords only on legitimate websites," which means it simply refuses to enter your credentials on a phishing lookalike. That alone stops a whole category of attacks.
How to choose one
There is no single "best" manager. The NCSC's advice is refreshingly practical: "the best password manager to choose is the one that best meets your needs, and which you find easiest to use." Use these criteria to decide.
| Consideration | What to look for |
|---|---|
| Where you use it | Cross-platform support if you mix phones, laptops, and browsers |
| Type | Built-in browser managers are easiest on personal devices; standalone managers sync better across mixed systems |
| Cost | Capable free tiers exist; paid plans add sharing and breach monitoring |
| Breach alerts | Warns you when a saved login appears in a known leak |
| Recovery | Clear, secure way to regain access if you forget the primary password |
One non-negotiable rule from the NCSC: turn on two-step verification for the manager itself, so that "even if a cyber criminal knows the primary password, they still won't be able to access your account."
The cleanup plan: from reused to unique
Do not try to fix everything in one evening. Work in priority order and let the manager do the heavy lifting.
- Install the manager and set a strong, memorable primary password you have never used elsewhere. Enable two-step verification on it.
- Import or save your logins as you sign in to sites over the next week or two.
- Fix the crown jewels first. Change passwords on email, banking, and any account tied to money, using the manager to generate a long random one each time.
- Use the built-in audit. Most managers flag reused, weak, or breached passwords. Work down that list.
- Add MFA as you go. While you are changing a password, turn on multi-factor authentication for that account too. Together they are far stronger than either alone.
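To show what the audit step checks, here is an added example (not code from the NCSC or from any particular manager) that scans an exported login list for reused and short passwords and puts email and money accounts at the top. The CSV column names, the priority keywords, and the 12-character threshold are assumptions, and the sample data is constructed.

```python
import csv
import hashlib
import io
from collections import defaultdict

# Constructed sample export. The column names are an assumption, not any
# specific manager's format. Real exports are plaintext: delete them after use.
SAMPLE_EXPORT = """name,url,username,password
Webmail,https://mail.example.com,me@example.com,Summer2019!
Bank,https://bank.example.net,me,Summer2019!
Forum,https://forum.example.org,me,Summer2019!
Shop,https://shop.example.com,me,kitten
Streaming,https://video.example.com,me,vR7#qLw9zT2m!XpA4sNd
"""

# Hypothetical keywords marking the "crown jewels" (email and money accounts).
PRIORITY_KEYWORDS = ("mail", "bank", "pay")
MIN_LENGTH = 12  # assumed threshold for "weak"; adjust to your own policy


def _digest(password):
    # Compare digests so plaintext is never used as a key or echoed in output.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def audit(export_text):
    """Return [(name, issues)] for logins that need fixing, crown jewels first."""
    rows = list(csv.DictReader(io.StringIO(export_text)))
    groups = defaultdict(list)
    for row in rows:
        groups[_digest(row["password"])].append(row["name"])

    findings = []
    for row in rows:
        issues = []
        others = [n for n in groups[_digest(row["password"])] if n != row["name"]]
        if others:
            issues.append("reused with " + ", ".join(others))
        if len(row["password"]) < MIN_LENGTH:
            issues.append("weak (under %d characters)" % MIN_LENGTH)
        if issues:
            target = (row["name"] + " " + row["url"]).lower()
            urgent = any(k in target for k in PRIORITY_KEYWORDS)
            findings.append((not urgent, row["name"], issues))
    findings.sort(key=lambda f: f[0])  # stable sort keeps urgent accounts first
    return [(name, issues) for _, name, issues in findings]


if __name__ == "__main__":
    for name, issues in audit(SAMPLE_EXPORT):
        print(name + ": " + "; ".join(issues))
```

A local check like this cannot tell you whether a password has appeared in a known leak; that is what the manager's breach alerts are for.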
A note on browser-based managers
Saving passwords in Chrome, Edge, or Safari is genuinely better than reusing them, and the NCSC calls it "the easiest way to remember your passwords" on personal devices. The main caveat: avoid saving passwords on shared or public computers, and never let a public machine keep you signed in.
Bottom line
A password manager turns the impossible task of unique passwords into a one-time setup. Choose the one you will actually use, protect it with two-step verification, then clean up methodically: email and money accounts first, then everything the audit flags, adding MFA along the way. It is the single highest-value hour you can spend on your security.
Sources and further reading
- NCSC: Password managers — how they help you stay secure online ncsc.gov.uk


