One password worth remembering: why every clinician should use a password manager

If you work across more than one hospital, you already know the drill. Each site has its own portal. Each portal has its own login. Somewhere between the rostering system, the pathology results, the email, the parking app and your personal accounts, you’ve ended up with the same two or three passwords doing the work of twenty.

It’s not carelessness. It’s a rational response to an impossible number of logins. But it’s also the single biggest weakness in most people’s online security, and it’s worth fixing. The good news: the fix is one habit, and it’s easier to set up than you’d expect.

Why this matters more in healthcare

The problem with reusing a password isn’t just that someone might guess it. It’s that a breach anywhere becomes a breach everywhere. If a shopping site you signed up for years ago leaks its user data — and these leaks happen constantly — whoever gets that list will try the same email-and-password combination against everything else: your email, your banking, and yes, the clinical systems you log into at work. One weak link unlocks the whole chain.

That matters for anyone, but it carries more weight in our world. The systems clinicians touch hold rosters, contact details, and information that sits close to patient care — exactly the kind of data covered by the Privacy Act and the Australian Privacy Principles. Health is consistently among the most-affected sectors in Australia’s notifiable data breach reporting, and compromised or stolen credentials are one of the most common ways in. Shared logins and reused passwords are the soft underbelly of an otherwise well-secured environment.

The whole idea in one sentence

A password manager lets you have a long, completely unique password for every account — without having to remember any of them. You remember one master password. The manager remembers everything else, encrypted, and fills it in for you when you need it.

That’s the trade. You stop being your own (overloaded) memory bank, and in return every account gets a password that would take a computer centuries to crack instead of seconds.

Getting started (about half an hour, once)

  1. Pick a manager. The best one is the one you’ll actually use. Reputable options include Bitwarden, which has a genuinely capable free tier (a paid upgrade runs around $30/year as of 2026), and 1Password, a polished paid option at around $70/year. The password manager already built into your phone or browser — Apple Passwords or Google Password Manager — is also a reasonable free starting point, though it travels less easily between devices.
  2. Create your master password. This is the one password you’ll keep in your head, so make it long (16+ characters), and make it one you’ve never used anywhere else. A short phrase of a few random words, plus a number and a symbol, is both strong and memorable. Write it down once and keep that note somewhere genuinely safe — not your wallet, not your desk drawer at work.
  3. Turn on two-factor authentication for the manager itself. Use an authenticator app rather than SMS where you can. This is the lock on the vault that holds all your other locks, so it’s worth the extra step.
  4. Install the browser extension and the mobile app, switch on fingerprint or face unlock on your phone, and enable autofill. Most managers walk you through this.
  5. Then do nothing. Just use the web as normal. Each time you log in to something, the manager offers to save it. Within a couple of weeks of ordinary use, it has quietly captured most of your accounts. There’s no need to sit down and enter everything at once.

Fixing the weak ones, gradually

Once it’s running, your manager will flag the passwords that are reused, too short, or known to have leaked. Don’t try to fix them all in an afternoon — change one or two a week. Start with the flagged ones, then your most important accounts: email first (it’s the master key to password resets for everything else), then banking, then work and the rest. Each time, let the manager generate a new long password and save it for you.
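To make those flags concrete, here is an added Python example (not from the original post or from any password manager's own code) of the three checks and the order of work described above. The vault entries, the leaked-password set and the 16-character threshold are constructed assumptions for illustration.

```python
import hashlib
from collections import Counter

MIN_LENGTH = 16  # assumption: borrows the post's 16+ guidance as the "too short" line
PRIORITY = {"email": 0, "banking": 1, "work": 2}  # the post's order; the rest come after

def sha1_hex(password):
    """Hash a password so it can be compared against a list of leaked hashes."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def audit(entries, leaked_hashes, min_length=MIN_LENGTH):
    """Return (account, flags) pairs in the order the post suggests fixing them:
    flagged accounts first, and within each group email, banking, work, the rest."""
    counts = Counter(e["password"] for e in entries)
    report = []
    for e in entries:
        flags = []
        if counts[e["password"]] > 1:
            flags.append("reused")
        if len(e["password"]) < min_length:
            flags.append("too short")
        if sha1_hex(e["password"]) in leaked_hashes:
            flags.append("known leaked")
        report.append((e["name"], e["category"], flags))
    # Stable sort: unflagged entries sink to the bottom, then category priority applies.
    report.sort(key=lambda r: (not r[2], PRIORITY.get(r[1], len(PRIORITY))))
    return [(name, flags) for name, _category, flags in report]

# Constructed sample vault: one password doing the work of three accounts.
VAULT = [
    {"name": "parking app", "category": "other", "password": "Summer2019!"},
    {"name": "hospital A portal", "category": "work", "password": "Summer2019!"},
    {"name": "personal email", "category": "email", "password": "Summer2019!"},
    {"name": "bank", "category": "banking", "password": "k7#Vq2!zLp9@Xw4$Tn6&"},
    {"name": "rostering system", "category": "work", "password": "rosters1"},
]
# Constructed stand-in for a breach list: the shopping-site leak from earlier in the post.
LEAKED = {sha1_hex("Summer2019!")}

if __name__ == "__main__":
    for name, flags in audit(VAULT, LEAKED):
        print(f"{name}: {', '.join(flags) or 'ok'}")
```

Note how the single leaked password puts the email, the hospital portal and the parking app on the list together, which is the "breach anywhere becomes a breach everywhere" problem in miniature.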

A couple of habits worth adding

Once you’re comfortable, two small upgrades pay off. Turn on two-factor authentication for your important individual accounts as you go — your manager can store passkeys too, which are gradually replacing passwords altogether. And take a minute to learn your manager’s lock settings, so your vault stays protected if your phone is ever lost or taken.

Where this advice comes from

If you’d like a more thorough walkthrough, this post draws on an excellent piece by security journalist Max Eddy for The New York Times’ Wirecutter, “I’m a Security Expert. I Don’t Know Any of My Passwords.” Eddy has covered passwords, VPNs and security keys for over a decade, and his guide goes deeper on choosing and configuring a manager than we have room for here.

The short version, though, is simple. You manage rosters, patients and a dozen competing demands every shift. You don’t need to manage 800 passwords in your head too. Pick a manager this week, and let it carry that load instead.

© 2026 HosPortal Pty Ltd. All rights reserved.