Password manager guide for New Zealanders: what it is, how it works, and how to choose

You juggle logins for online banking, IRD, RealMe, MyMSD, Trade Me, and a rotating cast of shopping and streaming sites. Reusing the same password is a gamble; writing them down is worse. A password manager fixes the mess by creating strong, unique passwords and remembering them for you—securely. This guide explains what a password manager is, how it works, the best types for Kiwis, pros and cons, and the steps to get started with confidence.

What is a password manager?

A password manager is a secure app that generates, stores, and auto-fills unique passwords and passkeys for your accounts, protected by one strong master password or device-based login.

Think of it as an encrypted vault. You unlock it, and it fills your logins on websites and apps. Many also store secure notes, credit cards, and documents, and warn you about breaches. CERT NZ encourages using a password manager to keep unique passwords across accounts, which reduces the damage from any single site being compromised.

How it works

Encryption and zero-knowledge design

Your vault is encrypted on your device before anything syncs. Common standards include AES‑256 for encryption and PBKDF2 or Argon2 for key stretching. A good password manager uses a zero-knowledge model: the provider cannot see your data because they never receive the key that decrypts it.

The master password and 2FA

You create a strong master password or passphrase. From this, the app derives an encryption key locally. Add two-factor authentication (2FA) to your vault account for extra safety—ideally a hardware key or an authenticator app. Do not store the 2FA codes for your vault inside the same vault.
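The local key derivation described above, as an added example (not code from any provider named in this guide): the passphrase is stretched with PBKDF2 on the device, then split into a vault key that stays local and a login verifier, the only passphrase-derived value the server receives. The iteration count, the HMAC labels and the `Server` class are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # assumed work factor for this example; providers publish their own


def stretch(passphrase, salt, iterations=ITERATIONS):
    """Key stretching on the device: passphrase + per-user salt -> 256-bit master key."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, iterations, dklen=32)


def client_keys(passphrase, salt, iterations=ITERATIONS):
    """Split the master key into two independent values using HMAC as a PRF.

    vault_key      -> would key AES-256 for the vault; never leaves the device
    login_verifier -> proves knowledge of the passphrase to the server
    """
    master = stretch(passphrase, salt, iterations)
    vault_key = hmac.new(master, b"vault-encryption", hashlib.sha256).digest()
    login_verifier = hmac.new(master, b"server-login", hashlib.sha256).digest()
    return vault_key, login_verifier


class Server:
    """Hypothetical sync server: keeps the salt and a hash of the verifier, nothing else."""

    def __init__(self):
        self.accounts = {}

    def register(self, user, salt, login_verifier):
        self.accounts[user] = (salt, hashlib.sha256(login_verifier).digest())

    def login(self, user, login_verifier):
        _, stored = self.accounts[user]
        return hmac.compare_digest(stored, hashlib.sha256(login_verifier).digest())


if __name__ == "__main__":
    salt = secrets.token_bytes(16)  # random per account, not secret
    vault_key, verifier = client_keys("kea-harbour-ferry-pohutukawa-summit", salt)
    server = Server()
    server.register("aroha", salt, verifier)
    print("login ok:", server.login("aroha", verifier))
    print("server holds vault key:", vault_key in server.accounts["aroha"])
```

Because the server stores only a hash of the verifier, it can check a login without being able to compute the vault key; anyone holding that record still has to pay the full stretching cost for every passphrase guess.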

Sync, autofill, and generators

Cloud-based tools sync your encrypted vault across devices—phone, laptop, work PC—so you always have your logins. Browser extensions and mobile apps detect login forms and autofill them after you unlock. A password generator produces long, random passwords matched to each site’s rules, so you never reuse one.
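How a generator can match a site's rules without weakening randomness, as an added example (not taken from any product listed here). The character classes, the `forbidden` parameter and the 16-word demo list are assumptions; the passphrase helper covers the random-word master passphrase recommended in the setup steps.

```python
import math
import secrets
import string

SYMBOLS = "!@#$%^&*-_"
DEFAULT_CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, SYMBOLS)


def generate_password(length=20, classes=DEFAULT_CLASSES, forbidden=""):
    """Random password with at least one character from every class the site requires."""
    allowed = ["".join(c for c in cls if c not in forbidden) for cls in classes]
    if length < len(allowed) or any(not cls for cls in allowed):
        raise ValueError("site rules cannot be satisfied")
    alphabet = "".join(allowed)
    while True:
        # Every character comes from the OS CSPRNG. Retry on a miss instead of
        # patching in the missing class, so no position becomes predictable.
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in allowed):
            return candidate


def generate_passphrase(wordlist, words=5, separator="-"):
    """Passphrase of independently chosen random words."""
    return separator.join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(choices, picks):
    """Entropy when each of `picks` symbols is drawn uniformly from `choices` options."""
    return picks * math.log2(choices)


# Constructed 16-word list for demonstration only; real diceware-style lists
# hold thousands of words (a 7,776-word list gives about 12.9 bits per word).
DEMO_WORDS = ["kea", "harbour", "ferry", "summit", "paddock", "lantern", "gravel", "orchard",
              "tide", "compass", "velvet", "thunder", "canyon", "marble", "pepper", "willow"]

if __name__ == "__main__":
    print(generate_password(16, forbidden="&*"))  # site that rejects & and *
    print(generate_passphrase(DEMO_WORDS))
    print("20 characters from 72 symbols:", round(entropy_bits(72, 20), 1), "bits")
    print("5 words from a 7,776-word list:", round(entropy_bits(7776, 5), 1), "bits")
```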

Passkeys and the future

Passkeys replace passwords with cryptographic keys tied to your device and biometric or PIN unlock. Most modern password managers can save and sync passkeys alongside passwords, making logins to compatible sites faster and more phishing-resistant. Many NZ services are adding passkey support over time; check your bank, utilities, and favourite retailers as adoption grows.

Breach alerts and secure sharing

Many products check your accounts for known breaches and weak or reused passwords, often via trusted breach datasets. Secure sharing lets you grant family members or colleagues access to specific logins without revealing the underlying password, and you can revoke that access later.

Types / examples

Main categories

  • Cloud-synced password manager: stores your encrypted vault in the cloud for easy cross-device access.
  • Local/offline manager: keeps your database file on your device; you handle your own backup or sync (e.g., via cloud drives).
  • Built-in platform manager: included with Apple, Google, or Microsoft ecosystems; convenient if you live inside one platform.
  • Family and business plans: add shared vaults, role-based access, audit logs, and policy controls for organisations.

Popular options used in New Zealand

| Service | Type | Platforms | Free tier | 2FA support | Strengths | Considerations |
|---|---|---|---|---|---|---|
| 1Password | Cloud | Windows, macOS, Linux, iOS, Android, browsers | No personal free tier | Yes (TOTP, hardware keys) | Polished apps, Travel Mode, strong family/business features | Subscription only; closed source |
| Bitwarden | Cloud (self-host option) | All major platforms and browsers | Yes | Yes (TOTP, hardware keys on paid) | Open-source, affordable, flexible sharing | Interface less slick; some features paid |
| Dashlane | Cloud | Windows, macOS, iOS, Android, browsers | Limited | Yes | Strong autofill, dark web monitoring | Pricier plans; no Linux desktop app |
| NordPass | Cloud | Windows, macOS, Linux, iOS, Android, browsers | Yes | Yes | Simple setup, passkey support, item sharing | Most features behind subscription |
| KeePass (and variants) | Local/offline | Windows primary, community ports on macOS, Linux, mobile | Yes | Key file support | Free, highly configurable, no vendor cloud | Manual sync and setup; steeper learning curve |
| Enpass | Local-first (optional cloud via your drive) | Windows, macOS, Linux, iOS, Android | No | Yes | One-time licence option, your choice of cloud | Sharing less advanced than big cloud suites |
| Apple iCloud Keychain | Built-in | iOS, iPadOS, macOS, Windows (extension) | Yes (included) | Yes | Great on Apple devices, passkeys, 2FA code storage | Limited outside Apple ecosystem |
| Google Password Manager | Built-in | Android, Chrome, ChromeOS, iOS (Chrome) | Yes (included) | Yes | Seamless in Chrome/Android, passkeys | Sharing and auditing less full-featured |

Pricing is often billed in USD even when purchased from Aotearoa; your bank converts to NZD and may add fees. Some providers show NZD and include GST; check the checkout page.

Pros and cons

Benefits of using a password manager

  • Unique, strong passwords for every account without memorising them.
  • Time saved with autofill across browsers and apps.
  • Breach alerts so you can change exposed passwords early.
  • Secure notes and document storage (e.g., Wi‑Fi keys, passports).
  • Controlled sharing with whānau or teammates.
  • Passkey support for faster, phishing-resistant logins.
  • Helps meet Privacy Act 2020 obligations to protect personal information in NZ organisations.

Potential downsides

  • Single point of failure if your master password is weak or reused.
  • Subscription cost for premium features.
  • Learning curve if you’ve never used one.
  • Vendor risk: incidents have occurred in the industry; choose transparent providers and enable 2FA.
  • Autofill can be tricked by deceptive websites; always check the URL, especially on .nz domains.
  • Recovery can be hard if you lose your master password and recovery methods.

How to use or choose

Step-by-step: set up a password manager

  1. Pick a reputable password manager that supports your devices and browsers.
  2. Create a long master passphrase. Aim for 4–6 random words you can recall. Do not reuse it.
  3. Write down your recovery info (e.g., emergency kit or recovery codes) and store it offline in a safe place at home.
  4. Enable 2FA on your vault account using an authenticator app or a hardware key.
  5. Install the mobile app and browser extensions on all devices you use.
  6. Import existing passwords from your browser if available, or start adding logins as you go.
  7. Update weak and reused passwords to strong, unique ones. Prioritise banking, email, RealMe, IRD, and key shopping sites.
  8. Turn on breach monitoring and security reports if your plan includes them.
  9. Enable passkeys for services that support them to reduce phishing risk.
  10. Set a reminder every few months to tidy old accounts and review security.

How to choose the right tool

  • Security model: zero-knowledge encryption, modern key derivation (Argon2 or strong PBKDF2), independent audits, transparent security docs.
  • 2FA and recovery: support for hardware keys; clear, secure recovery options that don’t expose your vault.
  • Platforms: works on your phone and computers; reliable autofill for the sites you use in NZ (banks, utilities, government portals).
  • Passkeys: robust passkey creation and sync across devices.
  • Sharing and families: separate shared vaults with permissions if you need to share with a partner or team.
  • Import/export: easy migration from browsers or other managers; encrypted export options.
  • Support and transparency: responsive support, uptime status pages, clear incident reports.
  • Data location: most consumer tools store encrypted data in global data centres. If your organisation needs NZ or regional residency, look at business plans or local/offline options.
  • Cost: assess the free tier against your needs; check actual NZD totals at checkout.

Best practices for New Zealanders

  • Use a unique master passphrase and never share it.
  • Do not store your vault’s 2FA codes in the same password manager.
  • Lock your devices with biometrics or strong PINs; turn on device encryption.
  • Verify website addresses before autofilling, especially banking and .govt.nz sites.
  • Back up your recovery details offline; consider a sealed envelope in a home safe.
  • For work accounts, follow company policy and coordinate with IT for business-grade features.
  • Report suspicious activity to your provider and to CERT NZ if you suspect a breach or phishing.
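The "check the URL before autofilling" advice, here and in the downsides list, written as the check a manager could apply itself. This is an added example, not any product's actual matching logic; the function names and the `.example` / `.test` hosts are constructed for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}


def origin(url):
    """Normalise a URL to (scheme, ascii_host, port); None if it cannot be used."""
    try:
        parts = urlsplit(url.strip())
        scheme = parts.scheme.lower()
        host = (parts.hostname or "").rstrip(".")
        port = parts.port or DEFAULT_PORTS.get(scheme)
        # IDNA-encode so Unicode look-alike letters show up as "xn--" labels.
        ascii_host = host.encode("idna").decode("ascii")
    except ValueError:  # bad port, malformed netloc, or a label IDNA rejects
        return None
    if scheme not in DEFAULT_PORTS or not ascii_host:
        return None
    return scheme, ascii_host, port


def autofill_decision(saved_url, page_url):
    """Return (fill, reason). Fill only when the page's HTTPS origin equals the saved one."""
    saved, page = origin(saved_url), origin(page_url)
    if saved is None or page is None:
        return False, "unsupported or unparseable URL"
    if page[0] != "https":
        return False, "page is not HTTPS"
    if page == saved:
        return True, "exact origin match"
    if any(label.startswith("xn--") for label in page[1].split(".")):
        return False, "internationalised look-alike host"
    return False, "different site"


if __name__ == "__main__":
    saved = "https://login.mybank.example/"  # constructed saved login
    pages = [  # constructed page URLs
        "https://login.mybank.example/signin?next=/accounts",
        "http://login.mybank.example/",
        "https://login.mybank.example.other.test/",
        "https://login.mybank.example@other.test/",
        "https://login.myb\u0430nk.example/",  # Cyrillic letter in place of Latin "a"
    ]
    for page in pages:
        print(autofill_decision(saved, page), page.encode("ascii", "backslashreplace").decode())
```

Only the first page is filled; the others are refused because the scheme, the real host after the `@`, the trailing domain or the encoded host differs from the saved origin.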

FAQ

Are password managers safe?

When built with strong, audited encryption and used with a unique master passphrase and 2FA, a password manager is far safer than reusing passwords or storing them in notes. Your vault stays encrypted end to end; the provider cannot read it under a zero-knowledge design.

What happens if I forget my master password?

Most providers cannot reset it because they do not know it. Use their recommended recovery method (emergency kit, recovery contact, or hardware key) set up in advance. Without recovery, you may lose access—by design.

Is a free password manager enough?

For many people, yes. Free tiers from reputable providers cover core features like sync and autofill. Paid plans add sharing controls, advanced 2FA, breach monitoring, and priority support. Choose based on your needs, not just price.

Should I use my browser’s built-in manager?

Built-in options like Apple iCloud Keychain and Google Password Manager are convenient and improving fast, including passkeys. Dedicated apps offer stronger auditing, sharing, and cross-platform control. If you live fully in one ecosystem, built-in may be fine; otherwise, a dedicated password manager is more flexible.

Where should I store 2FA codes?

Use a separate authenticator app or hardware security key. Storing 2FA codes in the same place as your passwords weakens the second factor. Many password managers can fill one-time codes, but avoid doing so for the vault itself and high-value accounts like banking and email.

Do password managers work with passkeys?

Yes. Most leading tools can create, store, and sync passkeys across devices, making logins quicker and more resistant to phishing and password theft.

Is my data stored in New Zealand?

Consumer services usually store encrypted data in regional or global clouds. Because the vault is encrypted client-side, the location is less sensitive, but some organisations require residency controls. Check business plans or consider local/offline managers if policy demands it.

What if a password manager is breached?

Incidents do happen in the industry. With zero-knowledge encryption and a strong master passphrase, stolen vault data should remain unreadable. Still, choose vendors with clear security disclosures, enable 2FA, and rotate critical passwords if your provider advises it.

Can I use one for government services like RealMe and IRD?

Yes. A password manager helps create strong, unique credentials for RealMe, IRD, and other .govt.nz portals. Always verify the domain before autofilling and keep 2FA codes separate.

Does this help my NZ business comply with the Privacy Act 2020?

It helps. Enforcing unique passwords, 2FA, and controlled sharing reduces risk and supports reasonable security safeguards under the Act. Pair it with staff training, phishing awareness, and prompt patching for a fuller approach.

Can I switch providers later?

Usually. Most tools export your vault to an encrypted file and import from common formats. Before switching, test the import on a few items, confirm attachments and secure notes migrate, and keep a secure backup until you’re confident.

A good password manager makes strong security easy, whether you’re paying bills from Wellington, filing tax returns in Auckland, or helping whānau tidy their logins in Dunedin. Pick one that fits your devices and habits, set it up properly, and let it take the hassle out of staying safe online.