Why Password Managers Are Still the Most Underused Security Tool
It’s 2026. We’ve had widespread data breaches, credential stuffing attacks, phishing campaigns, and ransomware incidents making headlines for years. Cybersecurity awareness has never been higher. And yet, the single most effective thing most people could do to protect their online security — use a password manager — still has shockingly low adoption rates.

Surveys consistently show that only about 30-35% of internet users actively use a password manager. That means roughly two-thirds of people are still reusing passwords, writing them on sticky notes, storing them in a notes app on their phone, or using some variation of “Password123!” with minor modifications across dozens of accounts.

I’ve got opinions about this, and I think it’s worth spelling out why password managers deserve more attention than they get.

The Problem They Solve Is Massive

The average person has somewhere between 80 and 120 online accounts. Think about it — email, banking, social media, streaming services, online shopping, government services, utilities, insurance, work platforms, forum accounts, app subscriptions. The number adds up fast.

Remembering unique, strong passwords for 100+ accounts is genuinely impossible for a human brain. So people don’t try. They reuse the same password across multiple sites, or they use simple, memorable passwords that are easy to guess.

This creates a specific vulnerability: credential stuffing. When a data breach exposes your email and password from one site, attackers automatically try that combination on thousands of other sites. If you’ve reused that password, they’re in. It’s automated, it’s fast, and it’s incredibly effective.

A password manager eliminates this problem entirely. It generates a unique, complex password for every account, stores them securely, and fills them in automatically. You remember one master password. The manager handles everything else.

Why People Don’t Use Them

I think there are three main reasons, and none of them are good enough.

“It’s too complicated.” This was a fair complaint in 2015. It’s not in 2026. Modern password managers like Bitwarden, 1Password, and even the built-in options in Apple Keychain and Google Password Manager are straightforward to set up. The initial migration — going through your accounts and updating passwords — takes a few hours, but after that, the daily experience is easier, not harder. The password manager fills in credentials for you. You do less work, not more.

“What if the password manager gets hacked?” This is the most common objection, and it’s the one that sounds most reasonable. But it misunderstands how password managers work. Reputable password managers use zero-knowledge encryption. Your passwords are encrypted on your device before they ever reach the company’s servers. Even if the company’s servers are breached, the attackers get encrypted data that they can’t read without your master password.

Is it theoretically possible that a password manager’s encryption could be broken? Sure. But the practical risk of using a password manager is vastly lower than the risk of reusing passwords across sites. You’re comparing an unlikely theoretical attack against a guaranteed practical vulnerability.

“I’ve gotten by without one.” Survivorship bias. You’ve gotten by so far. But every year, the number of data breaches increases. Every year, the automated tools attackers use get more sophisticated. The odds of one of your reused passwords being compromised increase with time, not decrease.

What to Look For

If you’re going to set up a password manager — and you should — here’s what matters.

Cross-platform support. You need it on your phone, your computer, and your browser. If it only works on one platform, you’ll stop using it within a week. All the major options (1Password, Bitwarden, Dashlane, the built-in Apple/Google options) handle this well.

Auto-fill that actually works. The password manager needs to recognise login forms reliably and fill in credentials without friction. Test this before committing to a paid plan. Some managers handle unusual login forms (multi-step logins, pop-up windows) better than others.

Secure sharing. If you share accounts with family members or colleagues, you need a way to share passwords securely. Texting someone a password is terrible practice. Good password managers have built-in sharing features.

Emergency access. What happens if you’re incapacitated or pass away? Someone needs to be able to access your accounts. Most password managers have emergency access features that allow a trusted contact to request access after a waiting period.

The Free vs Paid Question

Bitwarden offers a free tier that’s genuinely excellent. It covers unlimited passwords, cross-platform sync, and a secure password generator. For most individuals, the free version is sufficient.

Apple Keychain and Google Password Manager are free and built into their respective ecosystems. They work well if you live entirely within one ecosystem but get awkward if you use both Apple and Windows/Android devices.

Paid options like 1Password ($3-5/month) add features like family sharing, travel mode (temporarily removes sensitive vaults when crossing borders), and more sophisticated organisation tools. Whether that’s worth paying for depends on your needs.

Just Do It

I realise this article isn’t telling you anything particularly novel. Password managers have been recommended by security professionals for over a decade. But the fact that adoption is still hovering around 30% means the message hasn’t landed.

If you’re reading this and you don’t use a password manager, here’s my challenge: spend one evening this week setting one up. Start with your most important accounts — email, banking, anything financial. Update those passwords to strong, unique ones generated by the manager. Then gradually add the rest of your accounts over the following weeks.

It’s the single highest-impact security improvement you can make, and once it’s set up, it makes your daily life easier, not harder. The excuses for not using one have expired. The risks of not using one haven’t.