The best way to store your passwords securely

A sticky note here, a reused password there, maybe even a photo of your Wi-Fi code somewhere in your camera roll. It works—until it doesn’t. Until your account gets hacked, your data leaks, or you spend an hour trying to remember which variation of “Fluffy123” you used.
Here’s how to store your passwords securely, once and for all.
How to store passwords securely: A comparison
People have used passwords for a very long time, and while they’re an effective security solution, they’re not perfect. The best method for managing passwords depends on your habits, tech comfort level, and the number of accounts you have.
In general, password managers are the best option in terms of convenience and security. That said, some people still rely on notebooks, browsers, or memory. Below, I’ll walk you through the pros and cons of each method.
Password manager applications
Password managers securely store and organize your login credentials in an encrypted vault, allowing you to use strong, unique passwords for every account without having to remember them all. You just need to remember one master password. Many also offer helpful extras like password generators, autofill, and alerts for weak or reused passwords.
For example, ExpressVPN Keys includes all the essentials, plus a few bonus features like secure storage for credit card details and private notes, as well as the ability to generate and store two-factor authentication (2FA) codes. It’s built into the ExpressVPN app, comes free with every subscription, and continues to work even if your VPN subscription ends.
Browser password managers
Most modern browsers, including Chrome, Firefox, and Safari, include built-in password-management features. While convenient, browser managers are generally less secure than dedicated password apps.
They often use weaker encryption, lack cross-platform syncing, and can generally only store passwords, credit cards, and addresses (rather than more complex web forms). Most also don’t require a master password, which is a huge vulnerability if someone has physical access to your device.
Physical storage using notes
Storing passwords on paper can work in very specific situations, especially if you only have a few accounts. However, it comes with real risks. Someone could steal or see the notebook, or it could be destroyed or thrown away by accident.
Even if nothing happens, you might lose track of which password is the most up-to-date if you’ve written down several versions. If you do choose this method, keep the notebook in a locked drawer or safe and don’t take it with you when traveling.
Memorizing passwords
Relying on memory is secure, but it's not practical for people with dozens (or hundreds) of accounts, which is the majority of people these days. The strongest passwords are long strings of random characters: hard to crack, but also hard to remember. You might be tempted to reuse passwords or make them simpler, which weakens your security drastically.
If you prefer to memorize your passwords, try using a passphrase—a combination of random but easy-to-remember words, like “planet-window-lemon-tide-jury-stool.”
Offline vs. online password storage
When it comes to storing passwords, there are offline and online options. Here’s a handy side-by-side guide to help you pick the right method.
 | Offline storage | Online storage |
Examples | Paper notebook, encrypted USB drive, local-only password app | Cloud-based password managers (e.g., ExpressVPN Keys) |
Accessibility | Limited to physical access or one device | Available across devices with sync |
Security | No online threats, but at risk from theft/loss/damage | Encrypted, but varies across methods and products |
Convenience | Manual entry, no autofill or syncing | Autofill, password generation, and updates in real time |
Backup and recovery | No automatic backup; easy to lose | Cloud backup and account recovery options |
Best for | Privacy-focused users with few accounts | Most users (provides strong security and convenience) |
Best practices for creating strong passwords and securing accounts
No matter how you store them, strong passwords are your first line of defense against malicious actors. Below, you’ll learn cybersecurity tips and tricks to help keep your credentials secure and manageable.
Use long, random, unique combinations
The strongest passwords are long and hard to guess. Aim for at least 12 characters and use a mix of uppercase and lowercase letters, numbers, and symbols. Avoid personal details like names or birthdays, and never use common passwords like “123456,” “password,” or “qwerty”—these are the first things hackers try. In fact, many attacks begin by testing the most popular passwords used in your country.
In terms of security, your best bet is to use a random combination of characters.
Try passphrases for better memorability
Passphrases are a great way to create strong passwords that you can actually remember. Instead of a complex string of characters, use a series of unrelated words like “river-banana-light-chair.” Passphrases are easier to recall but still difficult for attackers to guess, especially if you include symbols or numbers between words. Plus, passphrases are longer and more secure than simple passwords. If you’re not sure how to come up with one, take a look at our passphrase examples to get started.
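An added example (not from the original article) for the advice above and for the passphrase tip under "Memorizing passwords": it draws passwords and passphrases from a cryptographic random source and estimates their strength in bits. The word list is a small constructed sample, and the function names are illustrative.

```python
import math
import secrets
import string

# Constructed sample list so the block runs offline. A real generator would
# load a large list; the EFF long word list, for instance, has 7,776 words.
SAMPLE_WORDS = [
    "river", "banana", "light", "chair", "planet", "window", "lemon", "tide",
    "jury", "stool", "copper", "meadow", "anchor", "violin", "pepper", "harbor",
]

# 52 letters + 10 digits + 32 symbols = 94 printable characters.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def random_password(length=12):
    """Random password containing a lowercase, uppercase, digit and symbol."""
    if length < 4:
        raise ValueError("length must be at least 4 to fit all four classes")
    while True:
        # secrets uses the operating system's CSPRNG; the random module does not.
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)
                and any(c in string.punctuation for c in pw)):
            return pw  # rejecting draws costs only a fraction of a bit


def passphrase(words, count=6, sep="-"):
    """Pick each word independently and uniformly from the list."""
    return sep.join(secrets.choice(words) for _ in range(count))


def entropy_bits(pool_size, picks):
    """Bits of entropy for `picks` uniform choices from `pool_size` options."""
    return picks * math.log2(pool_size)


def words_needed(target_bits, list_size):
    """Smallest word count whose entropy reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(list_size))


if __name__ == "__main__":
    print(random_password(12), f"{entropy_bits(len(ALPHABET), 12):.1f} bits")
    print(passphrase(SAMPLE_WORDS), "(sample list only: 4 bits per word)")
    print("4 words from a 7,776-word list:", f"{entropy_bits(7776, 4):.1f} bits")
    print("words to match a 12-char random password:",
          words_needed(entropy_bits(len(ALPHABET), 12), 7776))
```

The strength estimate only holds when every character or word is chosen at random; a phrase you make up yourself has far less entropy than the formula suggests.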
Never reuse passwords across accounts
Reusing passwords is a major security risk. If one account is compromised, attackers often try the same password on other services—a tactic known as credential stuffing. And if your password was leaked in a data breach, and you’ve used it on other sites, those accounts could be compromised, too.
That’s why it’s essential to use a unique password for every account, especially for critical ones like email, banking, or work platforms. Don’t use the same passwords for both personal and work accounts, as a single incident could affect your entire organization.
If you’ve reused a password in the past, start by changing your password for important accounts, like your Google account, since these typically provide access to many web tools. To avoid this issue going forward, consider using a password manager. They’re super convenient, and options like ExpressVPN Keys will even alert you to issues like reused passwords.
Enable two-factor authentication (2FA)
Two-factor authentication adds an extra layer of security by requiring a second step to log in. Generally this involves entering a code, but it could also be tapping something in an app or plugging in a USB device. Even if someone steals your password, they won’t be able to access your account without that second factor. Turn on 2FA wherever it’s available, especially for high-value accounts.
Monitor for breaches
Use a service like ExpressVPN Keys to monitor for breaches involving your sensitive information, like passwords, email addresses, or credit card numbers. This enables you to take action quickly, like changing your password.
How to store business passwords as a team
Managing passwords across a team requires more than just sharing a spreadsheet. A secure, organized system helps prevent leaks and patches weak security practices.
Shared vaults for team access
Business password managers offer shared vaults, centralized, encrypted spaces where teams can store and access credentials. This eliminates the need to email passwords or track them in documents, making collaboration easier and safer.
Role-based permissions
When managing large teams, start by identifying who needs the highest level of access. Next, implement role-based permissions to control visibility, only giving team members access to what they actually need. For instance, your customer support team might need access to help desk tools but not internal HR platforms. This approach reduces risk and keeps sensitive information accessible only to the right people.
Admin oversight features
Look for a password manager that offers admin controls like activity logs, access requests, and forced password updates. These features provide insights into employees' security habits and alert admins to potential issues. They also help maintain accountability and enforce strong security practices across the team.
Common ways cybercriminals steal passwords
Hackers use a variety of tricks and tools to get your passwords. Some methods involve cracking weak passwords, while others try to fool you into giving them away.
Brute force attacks
A brute-force attack is a common method for stealing passwords. This involves malicious actors using a program to guess your password by trying a huge number of random character combinations.
A more advanced variant targets the hashed form of your password—the scrambled version stored by websites. If hackers gain access to hashed passwords, they can work to crack them on their own time.
To defend against this, many platforms ‘salt’ the hashed passwords that they store. This involves adding random data to each password before it is hashed, which makes it harder to reverse the hash and reveal the actual password.
Regardless of the approach, short or simple passwords are easier to crack, so using long, complex ones is key to staying safe.
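An added example (not from the original article) of the salting described above: two constructed accounts share a password, and the stored values are compared with and without a per-user salt. The account names, the PBKDF2 iteration count and the function names are assumptions made for the demonstration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256 in this demo

# Constructed accounts: alice and bob reuse the same weak password.
CONSTRUCTED_USERS = {
    "alice": "Fluffy123",
    "bob": "Fluffy123",
    "carol": "planet-window-lemon-tide-jury-stool",
}


def unsalted_hash(password):
    """Weak storage: a fast hash with no salt; equal passwords give equal hashes."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password, salt=None):
    """Salted, deliberately slow hash. Returns (salt, digest) to store together."""
    if salt is None:
        salt = secrets.token_bytes(16)  # fresh random salt for every account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, expected):
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


def build_unsalted(users):
    return {user: unsalted_hash(pw) for user, pw in users.items()}


def build_salted(users):
    return {user: hash_password(pw) for user, pw in users.items()}


def users_sharing_a_hash(table):
    """Accounts whose stored value is identical: one cracked hash exposes them all."""
    groups = {}
    for user, stored in table.items():
        groups.setdefault(stored, []).append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


if __name__ == "__main__":
    print("unsalted:", users_sharing_a_hash(build_unsalted(CONSTRUCTED_USERS)))
    print("salted:  ", users_sharing_a_hash(build_salted(CONSTRUCTED_USERS)))
```

In the unsalted table, alice and bob are visibly linked and a single precomputed lookup reveals both; with per-user salts, every stored value is different and each has to be attacked separately.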
Password spraying
Password spraying is a method where cybercriminals try common passwords, like “password123” or “Welcome1,” on many accounts at once. Instead of guessing one person’s password over and over, they test one common password across a large number of users to avoid detection. The best way to protect yourself from this attack is to not use common passwords.
Phishing techniques
Phishing is when a hacker tricks you into giving up your password, often through emails or text messages containing links. For instance, you might get an email that appears to be from your bank, asking you to log in. But the link actually takes you to a lookalike site designed to steal your credentials.
To defend against phishing, enable 2FA. If you enter your password but don’t receive a 2FA prompt, that’s a red flag. You can also use ExpressVPN’s Threat Manager feature, which can warn you if you're about to visit a known malicious website.
Credential stuffing
In a credential stuffing attack, cybercriminals use stolen usernames and passwords from one website on other sites. In other words, malicious actors can use your password history against you. If you reuse the same password across multiple accounts, this kind of attack can give cybercriminals access to everything—your email, social media, and even bank accounts.
Keyloggers
Keyloggers are a type of software that records every keystroke on an affected device. These attacks are somewhat harder to carry out, as the attacker needs to somehow install the keylogger onto your device. Keyloggers often spread through infected downloads, shady websites, and suspicious email attachments.
To protect yourself, use a password manager. With autofill enabled, you won’t actually have to enter passwords beyond your master password, so there’s nothing to log. In addition, use reputable antivirus software that can detect and block keyloggers before they compromise your information.
Local discovery methods
Local discovery refers to the ways that physical access to a device or space can lead to password theft. For example, most browser password managers make it easy for anyone with access to view saved passwords. This also covers someone finding an unencrypted document or a physical note containing your passwords.
To stay safe, always use screen locks and strong authentication on all devices, avoid storing passwords in unsecured locations (physical or digital), and regularly review who has access to shared devices.
Worst ways to store passwords
Some common password storage habits make it easier for cybercriminals to get in. Below you’ll find what to avoid if you want to maximize password security.
Storing passwords in plaintext files
Keeping a list of passwords in a text document is a terrible idea. Unencrypted files (think Notepad documents, spreadsheets, or screenshots) can be viewed by anyone, potentially even if they don’t have physical access to your device.
Additionally, if your device is lost or stolen, you’ll lose access to all your accounts. Even worse, whoever has your device can get into all of your accounts. Avoid keeping passwords in unencrypted files on your computer or phone.
Saving passwords in email or notes apps
Keeping passwords in your email inbox or notes apps might seem convenient, but it’s risky. Lacking encryption, email inboxes and many note-taking apps aren’t designed for secure password storage. What’s more, anyone with physical access to an unlocked device will be able to view all of your passwords. If you’ve sent passwords to yourself over email, I recommend finding and permanently deleting these messages.
Writing down passwords without protection
Writing passwords on paper can be safe if done carefully, but simply jotting them down and leaving them on your desk is dangerous. Anyone who finds that paper can access your accounts. Always keep physical copies locked away and never carry them around unsecured.
FAQ: Common questions about password storage
Can I just remember all my passwords?
It’s possible, but not practical for most people. While you can try to memorize all your passwords, it becomes difficult as the number of accounts grows, especially when you use strong, unique passwords. Complex passwords are hard to remember, which often leads to reusing passwords or choosing weak ones.
Using a password manager helps you securely track all your passwords without relying solely on memory. Memorizing strong passphrases can work for a few important accounts, but for everything else, a trusted password manager like ExpressVPN’s Keys is safer and more convenient.
What is the safest way to store passwords offline?
The safest offline way is to use a physical medium, like an encrypted file stored on a USB drive. Storing passwords offline means keeping them completely disconnected from the internet, which reduces the risk of hacking. That said, there are some downsides.
For example, writing passwords in a notebook locked in a safe is a relatively secure offline storage option, but it’s not exactly portable. And if you do take it with you, you’ll sacrifice security.
Whether you use a USB stick or a piece of paper, there’s always a chance you’ll lose the object. And if you do use a USB device, you will have compatibility issues if all you have is your phone or a newer MacBook without USB ports.
Are browser password managers secure?
Browser password managers offer convenience but have some security limitations. Most modern browsers include built-in password managers that store your passwords and autofill them when needed. They use encryption to protect your data, but since they are tied to the browser and device, they can be vulnerable if your device is compromised or shared.
Unlike dedicated password managers, browser managers often lack advanced security features like cross-device syncing with strong encryption, security audits, and breach alerts. For everyday use, they provide basic protection, but for better security and management, especially across multiple devices, a dedicated password manager is usually a safer choice.
Which method is best for storing passwords?
Using a dedicated password manager is generally the best method. Password managers securely store all your unique passwords in an encrypted vault. They offer convenience with autofill and cross-device sync and often include extra security features like strong password generators, breach alerts, and 2FA support.
Compared to writing passwords down or relying on memory, password managers reduce the risks of reuse and weak passwords. While offline methods can add security, dedicated password managers balance safety and ease of use for most people.
What is the best platform to store passwords?
ExpressVPN Keys offers a secure and convenient way to store passwords. It’s designed to keep your passwords safe using strong encryption, and it also simplifies the process of generating, storing, and accessing passwords across multiple devices. With a user-friendly interface and robust security features, ExpressVPN Keys is a dependable solution.
Where is the best place to store bank passwords?
Bank passwords should be stored in a secure, encrypted password manager. Because bank accounts hold sensitive financial information, it’s crucial to keep those passwords extra protected. A password manager encrypts your passwords and stores them safely so only you can access them.
Avoid saving bank passwords in plain text files, emails, or unsecured notes. For an additional layer of security, consider enabling 2FA on your bank accounts. This approach helps prevent unauthorized access while making it easy to manage your passwords safely.
How can I store passwords for multiple accounts safely?
Using a password manager is the safest and easiest way to handle multiple passwords. With ExpressVPN Keys, you can securely store all your unique passwords in one encrypted vault. It helps you generate strong passwords for each account, so you don’t have to reuse them. Compared to offline methods, it significantly reduces the risk of mix-ups and makes managing online security much simpler, especially when you’re juggling dozens of accounts.
Comments
Thank you. You've helped me make the decision.
Thank you for the tips on passwords. I’ve been using the same ones because I can’t remember them all.
This (for me) is going to be complicated. Why not have a generator while generating a complicated password, to be able to automatically change a previous character that was already generated but not shown then continue from the original spot? I can see it but hard for me to explain, sorry.
My passwords are on a highly secured USB stick (you need 2 USB sticks)
My passwords are on an IronKey. If you guess the wrong password to access it ten times, it will kill the memory, and the key itself. Military grade protection. Look it up.
Bitwarden, one of the best free password managers out now! Great article!
ABSOLUTELY! I was about to add the same; I'm so glad to see someone else also use Bitwarden! It is the best...not only is it open source, but it is free. And if you want to upgrade it, it is only $10 PER YEAR! That is sick cheap compared to others!
What if someone hacks the password manager? No one tells us they have been hacked until after the fact.
These articles never mention Apple’s Key Chain. As tech gets more and more complex my observation is that the password managers are struggling to keep up. I have used 1Password for years. I would love to know if those of us in the Apple ecosystem are safe using the Key Chain system.
For storing passwords I use an electronic gadget that is not connected in any way to a computer or Wi-Fi or Bluetooth. It is totally offline and requires a password to enter; it is the "RecZone Password Safe". Even keeping a paper document in your home or office with passwords on it is unsafe, as a burglar breaks in and finds them (they are usually kept in proximity of your computer). With "RecZone Password Safe" this is not a problem. This unit is not much bigger than a man's wallet and is easily portable.