Your Password Manager: The Master Key
A password manager stores all your other passwords. This makes it the single most valuable credential in your digital life — and potentially the highest-risk target if compromised.
The same password security practices that apply to all accounts apply especially to your password manager, amplified by the consequences of compromise.
Master Password: The Foundation
Your master password is the only password you need to memorize. All the complexity you would normally apply to individual passwords now applies to this one. It must be:
Long: At least 16 characters. Length is the most important factor for brute-force resistance.
Truly random: A random word sequence (passphrase) is both memorable and strong. Five or more random words (not a sentence you would think of, but genuinely random words) provide excellent security while being memorable.
Example approach: Roll dice and use a wordlist (EFF Diceware wordlist), or use a passphrase generator. The result might be: correct-staple-banana-freight-hollow. Nonsensical is good.
Never reused: The master password should be used for nothing else, ever.
Not digitally stored: Store it in your memory and optionally in a physical secure location (written on paper, stored with important documents). Not in a file on your computer, not in a note on your phone.
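The dice-and-wordlist approach above, as an added example that is not part of the original article. It assumes a wordlist in the EFF large-list layout (a five-digit dice key followed by a word on each line, 7776 entries); the function names are hypothetical and the built-in list is a constructed stand-in so the code runs offline.

```python
import math
import secrets

DICE_PER_WORD = 5  # five dice per word: 6**5 = 7776 possible keys

def parse_wordlist(text):
    """Parse 'NNNNN<whitespace>word' lines into {dice_key: word}, rejecting malformed lists."""
    words = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, word = line.split()
        if len(key) != DICE_PER_WORD or set(key) - set("123456"):
            raise ValueError(f"bad dice key: {key!r}")
        if key in words:
            raise ValueError(f"duplicate dice key: {key!r}")
        words[key] = word
    if len(words) != 6 ** DICE_PER_WORD:
        raise ValueError(f"expected {6 ** DICE_PER_WORD} entries, got {len(words)}")
    if len(set(words.values())) != len(words):
        raise ValueError("duplicate words reduce entropy")
    return words

def roll_key():
    """Simulate five fair dice with the OS CSPRNG (never the 'random' module)."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(DICE_PER_WORD))

def generate_passphrase(words, count=5, sep="-"):
    """Pick `count` independent words; refuse fewer than the five the article recommends."""
    if count < 5:
        raise ValueError("use at least five words")
    return sep.join(words[roll_key()] for _ in range(count))

def entropy_bits(list_size, count):
    """Entropy of `count` uniform, independent picks from `list_size` words."""
    return count * math.log2(list_size)

def constructed_wordlist():
    """Constructed stand-in list (word11111 ...); load the real wordlist file in practice."""
    keys = [""]
    for _ in range(DICE_PER_WORD):
        keys = [k + d for k in keys for d in "123456"]
    return "\n".join(f"{k}\tword{k}" for k in keys)

if __name__ == "__main__":
    wl = parse_wordlist(constructed_wordlist())
    print(generate_passphrase(wl))
    print(f"{entropy_bits(len(wl), 5):.1f} bits of entropy")
```

The entropy figure holds only when every word is chosen at random; picking words yourself or re-rolling until the phrase "looks nice" lowers it.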
Two-Factor Authentication: The Second Lock
Enable 2FA on your password manager account. Even if someone learns your master password, they cannot access the vault without the second factor.
Options in order of strength:
1. Hardware security key (FIDO2/WebAuthn) — the strongest option
2. Authenticator app (TOTP) — strong and practical
3. Email-based 2FA — avoid for password managers specifically, since your email may also be in the vault
Save emergency access codes provided by your password manager in a physically secure location separate from your master password. These codes allow access recovery if your 2FA device is lost.
Securing Your Devices
Your password manager vault is only as secure as the devices you access it from:
Device lock: All devices with password manager access must have strong authentication (PIN, biometric, or password). An unlocked device with password manager access is as dangerous as a known master password.
Trusted devices only: Do not access your password manager from shared or public computers. If you must, use the web interface in private browsing mode and sign out completely afterward.
Device audit: Your password manager's security settings show which devices have accessed your account. Periodically review and remove access for devices you no longer use.
Regular Security Practices
Vault health review: Use your password manager's health features (Bitwarden Watchtower, 1Password Watchtower, LastPass Security Challenge) to identify weak, reused, or breached passwords. Act on these findings.
Breach monitoring: Enable notifications for when stored credentials appear in data breaches. Change the affected passwords immediately upon notification.
Periodic audit: Annually review stored credentials. Delete entries for services you no longer use. This reduces your exposure if the vault were ever compromised.
Temp90 Integration with Password Manager
When you use Temp90 for a service registration, record both the service name and the Temp90 address used in the password manager's notes field alongside the password. This creates a complete record of which email was used for which service — useful when you later want to update to a permanent email or identify which services need attention after a breach.
Recovery Plan
What happens if you lose access to your master password and your 2FA device simultaneously?
Set up emergency access: Bitwarden and 1Password both offer emergency access features that allow a trusted person to request access to your vault after a waiting period.
Physical backup: A sealed envelope containing your master password, stored with a trusted family member or in a safety deposit box, provides a last-resort recovery option.
Know your options in advance: Panic is not a good time to learn your recovery options. Set up emergency access and document your recovery plan before you need it.
Frequently Asked Questions
What happens if my password manager company is hacked?
Zero-knowledge password managers (Bitwarden, 1Password) store only encrypted vault data. A breach at the company exposes encrypted data that is computationally impractical to break without your master password. The most significant post-breach risk is phishing attacks using the breach as a pretext. Do not click links in any email claiming to be about the breach — go directly to the company's website.
Should I use my browser's built-in password manager or a dedicated one?
Dedicated password managers (Bitwarden, 1Password) are more secure, more capable, and work across all browsers and devices. Browser password managers are acceptable for low-stakes passwords but lack the security features, cross-device sync capability, and breach monitoring of dedicated tools.
Should I store my email account password in my password manager?
Yes, with a critical consideration: your email account is typically the recovery mechanism for other accounts. Ensure your email password is strong and that you have 2FA enabled on your email account — and that the 2FA method does not rely on the email account itself.
Conclusion
Securing your password manager is the highest-leverage security action you can take. The master password strength, 2FA setup, trusted-device-only access, and recovery planning described here protect the single account that protects all others. A properly secured password manager is significantly more secure than any realistic alternative for managing the dozens to hundreds of passwords modern digital life requires.