I’ve written about what I consider the best current password advice for websites and services you need to keep secure. In a nutshell, here’s the advice again:

Use multi-factor authentication (MFA).

Where MFA is not an option, use password managers, creating unique, long-as-possible, random passwords for each website or security domain.

Where password managers aren’t possible, use long, simple passphrases.

In all cases, don’t use common passwords (e.g., “password” or “qwerty”) and never reuse any password between different sites.

This advice might appear to go against my simultaneous support of NIST Special Publication 800-63 Digital Identity Guides. NIST SP 800-63 recommends using non-password methods where possible, and although the recommendations are definitely against forcing users to use very long and complex passwords, they don’t limit password length or complexity.

When people are forced to create and use long, complex, and frequently changing passwords, they do a poor job at it. They reuse the same passwords among different websites or use only slightly different passwords, which create an easy-to-decipher pattern.

If those same humans use MFA or other non-memorization authentication methods, then the overall risk of repeated passwords and patterns can be broken. If a person can use a password manager, which creates and uses long and complex passwords that the person doesn’t have to remember, then perhaps you can get the best of both worlds.

Why I moved to a password manager

I’ve been testing and recommending password managers for many years. Early on I was rightly suspicious of their quality and the security of their code and operations. Early versions often ended up in the press because of successful exploits and compromises.
These days, most of the popular choices are feature-rich and secure enough that I feel good about using them.

Until recently, I had never completely depended on them, throwing all my memorized passwords away. I felt bad about recommending them without “living” with them. So, I decided to solely use a password manager as much as I could for all password security logons, where it would work. I’m not going to reveal what password manager I’m using because I haven’t tested them all and I don’t want to give an unknowledgeable review.

One of the key threats that led me to deciding to go to a password manager full-time is the sheer number of websites and services that get compromised. Visit any of the “haveibeenpwned”-type websites and you’ll probably be amazed to see which of your logons and passwords have ended up on the internet. If you, like me, use a common password root that has a discernible pattern, you probably want to change all your passwords. Don’t be like the average person who uses just seven different passwords across all websites they authenticate to.

The pros of my password manager experience

I downloaded and bought a commercial password manager. I then spent several days changing my existing passwords on hundreds of websites, letting the password manager take over creating and using passwords. I downloaded the password manager for each device I wanted to include, including the related additional add-ons for the two most popular browsers I use. After a few months of use, here are my pros of using a password manager:

Works as advertised: First and foremost, password managers allow you to create, record and reuse passwords among different websites. It worked as advertised in most cases.
I cover the edge cases where it did not work below.

Easy to create and use long, random, complex passwords: However, about 10 percent to 15 percent of my websites would either not allow a long password (some stopped at 10 characters) or I couldn’t use symbols. This means quickly adjusting the auto-generated random passwords to meet a particular website’s password policy. The password manager I used made changing the policies used to generate a new random password very easy.

Password manager can auto-logon: The password manager can auto-fill in passwords and it’s easy to call up the password manager to fill in the password on an ad-hoc basis. When using a password manager, tell your browser not to remember any password. This takes away a potential attacker password vault target. Within a week or two I was calling up my password manager to quickly fill in logons without even thinking about it.

Securely stores password recovery questions: I loved that I could record my recovery question answers in my password manager. I recommend never giving accurate answers to recovery questions, but instead treat them just like additional password fields. You can record recovery question answers, but my password manager didn’t automatically fill them back in when they were needed.

Securely stores more than passwords: I saved my credit cards, membership cards, notes and other important information to the password manager--one place to store all secrets.

Works across multiple devices: I love that I could easily share my password manager and all the secrets it stored among multiple devices, and it worked well across all devices. If I updated a password, within a few seconds that update was already saved and stored on the other devices.

Can share with family members: I’m growing older. My wife is worried about me unexpectedly dying and leaving her without the appropriate access to my critical financial accounts.
I installed another instance of the password manager on her computer, told her the master password, and showed her how easy it is to log on to any website I have. Not only does it store the passwords, but simply seeing a list of all my websites gave my wife a feeling of relief. If something happens to me, she can log on and visit each website to see if there is something crucial to know and do. If you’d rather your spouse not see all your websites and logons, you can choose which logons to share or give another trusted (legal) third party your password manager information to be shared with your spouse in the event of your untimely demise. This may sound depressing, but it actually gave me and my wife more peace of mind.

The cons of my password manager experience

As much as I liked using the password manager, it has cons. Here are the top ones I noticed:

It might not support all your devices and browsers: You have to install the password manager on all devices you will be using. My password manager had versions for all the devices and browsers I use. Most password managers only support two or three browsers, usually Google Chrome, Microsoft Edge and Microsoft Explorer. If you like another browser, you may want to see if a particular password manager supports it, or you may have to fall back to another browser you like less.

Most work only with web-based browser logons: Most password managers only work with websites. They won’t log you onto your computer, device, or corporate network.

A single point of failure: If you lose your master password or other identifying information, you could lose access to all your passwords all at once.

It didn’t work with all websites: My password manager did not work with some websites. The problem was usually that the password manager didn’t automatically recognize that I was logging onto a new website, and I had to call it manually. Sometimes it would not auto-fill a website.
Other times even copying passwords from the password manager to the logon fields would not work. When that happened, I had to type in long and complex passwords manually. It was painful, but I rarely had to do it.

Unauthorized changes: For unknown reasons, when I installed my password manager on my smartphone, the installation disabled my smartphone’s storage encryption and boot-up PIN. When I realized that it was disabled and re-enabled it, my password manager indicated that it would not be able to log onto my phone for me. I’m fine with that. I’m not fine with the software disabling my boot-up encryption software setting, especially without clearly communicating that it was doing so.

Unexplainable crashes: There were a few unexplainable crashes where the password manager just quit. I could easily restart it in a few seconds, but there are apparently still bugs to be worked out. I have read of cases where the password manager program got so corrupted from a crash that it became unusable, meaning the users might be out of luck for all those long and complex passwords they just created. I didn’t experience that, and most password managers will let you make an encrypted backup of your data so that if the program manager crashes that badly you can recover after a re-install. My guess is that these sorts of big programming corruptions will lessen over time.

Trusting single sign-on: The single biggest con is the risk of any single sign-on (SSO) method, where a hacker can compromise the mechanism that contains all your passwords. This is a very real risk. I don’t get regularly compromised (once in over 30 years), but if your computer is regularly compromised by hackers or malware, you probably shouldn’t use an SSO method. If the local password manager password vault is stolen, without the attacker also getting the master password, the password database would be worthless.
I’m assuming if they can get the password vault, they can record your master password as well. If a hacker gets onto your computer and can access your password manager, they are going to get the passwords they want to get anyway (although the password manager or any other compromised SSO method might make it easier).

Overall, I’m very happy using a password manager, small warts and all. It works as advertised and I feel more secure for having made the switch. I no longer have easily crackable passwords or passwords that fit a particular pattern. My biggest fear is that if everyone started to use password managers, it is likely that more hackers and malware would target them more frequently and aggressively and make the SSO risks appear more often.
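
The generation-policy adjustment mentioned under the pros (sites that stop at 10 characters or reject symbols) can be quantified. The following is an added example, not code from the article or from any password manager: it draws uniform random passwords under a policy and computes the exact entropy each policy leaves. The symbol set and the 24-character default are assumptions; the 10-character, no-symbol restriction is the one the article describes.

```python
import math
import secrets
import string
from itertools import combinations

# Character classes. The symbol set is an assumption; sites differ in what they accept.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*()-_=+",
}
ALL = ("lower", "upper", "digit", "symbol")


def generate(length, classes=ALL):
    """Return a uniform random password with at least one character per class."""
    if length < len(classes):
        raise ValueError("length too short to include every required class")
    alphabet = "".join(CLASSES[c] for c in classes)
    while True:
        # Rejection sampling: every valid password stays equally likely,
        # unlike "pick one per class, then shuffle" shortcuts.
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in CLASSES[c] for ch in pw) for c in classes):
            return pw


def entropy_bits(length, classes=ALL):
    """Exact log2 of the number of valid passwords, via inclusion-exclusion."""
    sizes = [len(CLASSES[c]) for c in classes]
    total = sum(sizes)
    count = 0
    for k in range(len(sizes) + 1):
        # Subtract/add back the strings that miss k of the required classes.
        for missing in combinations(sizes, k):
            count += (-1) ** k * (total - sum(missing)) ** length
    return math.log2(count)


def compare():
    """Entropy of an assumed 24-char default vs. a 10-char, no-symbol site policy."""
    default = entropy_bits(24)
    capped = entropy_bits(10, ("lower", "upper", "digit"))
    return default, capped


if __name__ == "__main__":
    d, c = compare()
    print(f"default policy: {d:.1f} bits, capped site policy: {c:.1f} bits")
    print("sample for capped site:", generate(10, ("lower", "upper", "digit")))
```

A capped password is still far stronger than a memorized one built on a shared root, but the gap explains why the restrictive sites are the ones where never reusing the password matters most.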