- A password manager is an encrypted vault. You remember one master password; it remembers the rest.
- Bitwarden, 1Password, Proton Pass, and Apple Keychain are the most common picks. Each has tradeoffs.
- Look for end to end encryption, a clear privacy policy, and clarity on where your vault is stored.
- Canadian users should check whether the provider stores data in Canada, in the United States, or in the EU.
The single best thing you can do for your online security is to start using a password manager. Not because it is fashionable, but because the alternative, remembering dozens of unique strong passwords, is something no human brain can do.
This guide explains what a password manager actually is, how it works, what to look for as a Canadian user, and which options are worth considering.
What a password manager actually is
A password manager is an encrypted vault. You enter all your logins once, the vault encrypts them with a master password only you know, and from then on the manager fills in passwords for you whenever you visit a site.
The math underneath is straightforward. Your master password is run through a key derivation function, which produces an encryption key. That key encrypts the vault. Without the master password, the vault is unreadable, even to the company that hosts it.
This is what people mean by zero knowledge or end to end encryption. It is also what makes a password manager safe even if the company itself gets hacked. Anyone who steals the encrypted file still cannot read what is inside.
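The derive-then-encrypt flow described above, as an added Python example (it is not code from any of the products named in this guide). The iteration count, function names and sample entry are assumptions, and because Python's standard library has no AES, an HMAC-SHA256 keystream with encrypt-then-MAC stands in for the authenticated cipher a real manager would use.

```python
import hashlib
import hmac
import json
import secrets

KDF_ITERATIONS = 200_000  # assumed work factor for this example


def derive_keys(master_password, salt):
    """Stretch the master password, then split it into cipher and MAC keys."""
    master_key = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), salt, KDF_ITERATIONS)
    enc_key = hmac.new(master_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def keystream_xor(enc_key, nonce, data):
    """Stand-in cipher: XOR data with HMAC-SHA256(enc_key, nonce || counter)."""
    stream = b"".join(
        hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        for i in range((len(data) + 31) // 32))
    return bytes(d ^ s for d, s in zip(data, stream))


def seal_vault(master_password, entries):
    """Runs on the user's device; the returned blob is all a server stores."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    enc_key, mac_key = derive_keys(master_password, salt)
    ciphertext = keystream_xor(enc_key, nonce, json.dumps(entries).encode())
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ciphertext": ciphertext, "tag": tag}


def open_vault(master_password, blob):
    """Re-derive the keys; a wrong password or edited blob fails the tag check."""
    enc_key, mac_key = derive_keys(master_password, blob["salt"])
    signed = blob["salt"] + blob["nonce"] + blob["ciphertext"]
    expected = hmac.new(mac_key, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        raise ValueError("wrong master password or tampered vault")
    return json.loads(keystream_xor(enc_key, blob["nonce"], blob["ciphertext"]))


if __name__ == "__main__":
    logins = [{"site": "example.com", "user": "alice", "password": "sample-pw"}]  # constructed
    blob = seal_vault("correct horse battery staple", logins)
    print(open_vault("correct horse battery staple", blob))
```

Opening the blob with any other password, or after a single byte of it has been changed, raises ValueError. The blob holds only the salt, nonce, ciphertext and tag, so the host never has the key.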
Why you actually need one
The average internet user now has roughly 100 to 168 online accounts, depending on which study you read. No one remembers 168 unique strong passwords, so people do one of two things: reuse passwords across sites, or pick simple ones they can recall.
Both are dangerous. As we explain in our guide on how to create a strong password, reuse is the single biggest factor in account takeovers. A password manager removes the need to choose between security and sanity.
What to look for
The market has consolidated around a handful of credible options. The features that actually matter are:
End to end encryption
Your vault should be encrypted with your master password before it ever leaves your device. The provider should not be able to read it. Look for the phrase zero knowledge architecture in their security documentation. If it is not there, move on.
Where the data is stored
Most major password managers store your encrypted vault on cloud servers, which is what makes sync between devices possible. The location of those servers matters for Canadian users in two ways:
- Compliance. If you run a small business, storing customer credentials in a US datacentre may have implications under PIPEDA or Quebec's Law 25.
- Jurisdiction. Data in the United States is potentially subject to the CLOUD Act and US legal process, even if the customer is Canadian.
This is not a deal breaker for personal use, but it is worth knowing. Some providers, including 1Password and Bitwarden, let business customers pick their data region.
A clean breach record
LastPass had a serious breach in 2022, where attackers eventually obtained encrypted vault data along with the unencrypted URLs of saved sites. The vaults themselves remained encrypted, but the URL exposure was a real failure. Many users moved away as a result.
Check whether your candidate has had any incidents, how they handled disclosure, and what they changed afterward. The honest providers publish their security history publicly.
Open source code
Some managers, like Bitwarden and Proton Pass, publish their source code. Independent researchers can audit it for backdoors or weak crypto. This is not strictly necessary, but it is a strong signal of confidence.
The main options for Canadians
Bitwarden
Open source, free for personal use, modest pricing for premium and family plans. Hosts data in US datacentres by default, with EU region available for paid plans. Strong reputation. The free tier is fully functional, which is unusual.
1Password
Canadian by origin, headquartered in Toronto. Polished apps, smooth family sharing, excellent travel mode for crossing borders. Subscription only, no free tier. Hosts data on AWS regions you can choose, including Canada.
Proton Pass
Built by the team behind Proton Mail, based in Switzerland. Open source. Strong privacy positioning. Includes email aliasing, which lets you use a unique email address per site without managing them yourself.
Apple Passwords / iCloud Keychain
Built into every Apple device. If your entire household runs on iPhones and Macs, this is genuinely fine. End to end encrypted, free, deeply integrated. The downside: it does not work well outside the Apple world.
Google Password Manager
Built into Chrome and Android. Convenient if you live in Google's ecosystem. End to end encryption is available but not on by default. Worth turning on in settings.
What about browser saved passwords?
Saving passwords in your browser is better than reusing weak ones, but it is not a real password manager. Browser stores typically lack a separate master password, do not always encrypt at rest in the same robust way, and tie your security to the browser profile being signed in.
If you currently rely on the browser, treat that as a transition step. Export your saved logins, import them into a real manager, and then delete them from the browser.
Generate a long, random passphrase to use as your master password. Our generator runs entirely in your browser. We never see what it produces.
How to migrate without losing your mind
- Pick one manager. Sign up. Set a master password using a long passphrase you have written down.
- Install the apps and browser extensions on every device you use.
- Import any passwords saved in your browser. The manager will guide you through this.
- Over the next two weeks, every time you log into a site, let the manager save the credentials. Generate a fresh strong password for accounts that matter.
- Turn on two factor authentication for the manager itself. This is the one account where you cannot afford a compromise.
You do not have to fix everything in a weekend. Most people get a working setup in two weeks of normal browsing.
Risk versus reward
People sometimes ask: is it not risky to put all my passwords in one place? It is a fair question. The honest answer: yes, in theory. But in practice, the alternative is reusing passwords or writing them down in unencrypted notes, both of which are far worse.
The risk profile of a properly used password manager, with a strong master password and 2FA, is dramatically lower than the risk profile of trying to manage 168 accounts with your memory. Pick the lesser risk.