Why you need a password manager and how to set one up
This article applies to all Casa members and explains what a password manager is, why it is an important layer of security for protecting the accounts connected to your bitcoin, and how to set one up. It is a general security guide and does not cover setup for a specific hardware device or vault feature.
TL;DR: A password manager is an app that generates, stores, and fills strong, unique passwords for every account you have, protected by one master password that only you know. It matters for Casa members because attackers rarely go after your vault directly. Instead, they target the accounts around it, especially your email and your Casa login. A password manager makes those accounts far harder to compromise. Setting one up takes about 30 minutes: choose a reputable password manager, create a strong master password, enable two-factor authentication (a second login step beyond your password), install the apps and browser extension, and update your most important passwords first.
Warning: Never store a seed phrase in a password manager!
What a password manager is
A password manager is a secure, encrypted app that does three things:
Generates strong passwords. It creates long, random passwords like kV9$mQ2!xPr7&nWz that are practically impossible to guess, so you never need to invent passwords yourself.
Stores them all in one encrypted vault. Every password is locked behind a single master password that only you know. The password manager company cannot read your stored passwords.
Fills them in for you. Browser extensions and mobile apps fill your login details automatically, which also protects you from fake lookalike websites, because the password manager will only fill credentials on the genuine site it saved them for.
Why this matters for your bitcoin security
Casa is non-custodial, meaning your bitcoin is secured by your own keys, and Casa cannot access your vault balance. Because no single key can move funds from a multisig vault, attackers usually do not attack the vault itself. They attack the accounts around it. The most common patterns are:
Email takeover. Your email account is the master key to your digital life. An attacker who controls your email can reset passwords on other accounts, intercept security notifications, and impersonate you. Reused or weak email passwords are the most common way this happens.
Credential stuffing. When any website you have ever used gets breached, attackers take the leaked email and password combinations and try them on hundreds of other sites automatically. If you reuse passwords, one unrelated breach can unlock your important accounts.
Phishing. Fake login pages that look identical to real ones trick people into typing their passwords. A password manager will refuse to autofill on an impostor site, which acts as a built-in warning.
A password manager addresses all three at once: every account gets a strong password, no password is ever reused, and autofill only works on genuine sites.
What never belongs in a password manager
Never store a seed phrase in a password manager. A seed phrase (the 12 or 24 word backup of a hardware device's private key) must never be typed into any computer, phone, or app, including a password manager. A seed phrase stored digitally can be stolen by malware or exposed in a breach, and anyone who has the words has the key. If you choose to record a seed phrase, keep it offline only, on paper or stamped in metal. For more on this, see What is a seed phrase?
The same applies to private keys, hardware device PINs paired with information about where the device is stored, and photographs of any of these.
How to set one up
Step 1: Choose a reputable password manager. Well-established options include 1Password, Bitwarden, and Dashlane. All three use strong encryption and have been independently audited. Avoid storing passwords in a spreadsheet, a notes app, or a document, as these are not encrypted in the same way.
Step 2: Create a strong master password. This is the one password you will still need to remember, so make it long rather than complicated. A passphrase of four or five random words, such as copper-violin-thunder-maple, is easy to remember and very hard to crack. Do not reuse a password from any other account.
Step 3: Enable two-factor authentication on the password manager itself. Two-factor authentication (often shortened to 2FA) requires a second step beyond your password to log in, such as a code from an authenticator app. This protects your password vault even if your master password is somehow exposed.
Step 4: Install it everywhere you log in. Add the browser extension on your computer and the app on your phone, and turn on autofill. The more convenient it is, the more consistently you will use it.
Step 5: Update your most important passwords first. You do not need to change every password in one sitting. Start with the accounts that matter most, in this order: your email account, your Casa account, any exchange accounts, and your bank. Let the password manager generate a new, unique password for each one.
Step 6: Save your password manager's recovery information safely. Most password managers provide a recovery kit or emergency key in case you forget your master password. Print it and store it somewhere secure such as a safe, the same way you would treat other sensitive paper records. Do not store it as a file on your computer.
Ongoing habits
Let it generate every new password. Whenever you create a new account, use the generator instead of inventing a password.
Pay attention to breach alerts. Most password managers will warn you if a password you use appears in a known data breach. When you see an alert, change that password promptly.
Be suspicious when autofill does not work. If your password manager refuses to fill your login on a page where it normally works, stop and check the web address carefully. You may be on a phishing site.
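The autofill check described in this article, shown as an added example (not part of the original article and not any password manager's own code): a saved login is filled only when the page is served over HTTPS from the saved host or one of its subdomains. The matching rule and all hostnames are assumptions chosen for illustration, and real password managers apply their own, more detailed matching rules.

```python
from urllib.parse import urlsplit

def normalized_host(url):
    """Lowercase ASCII (punycode) host of an https URL, or None if unusable."""
    try:
        parts = urlsplit(url)
        if parts.scheme != "https" or not parts.hostname:
            return None
        # .hostname drops any "user@" prefix and port; IDNA encoding turns
        # lookalike Unicode letters into visible xn-- labels.
        return parts.hostname.encode("idna").decode("ascii").rstrip(".")
    except ValueError:  # malformed URL or host that cannot be encoded
        return None

def should_autofill(saved_url, page_url):
    """Fill only on the saved host itself or a subdomain of it (assumed rule)."""
    saved, page = normalized_host(saved_url), normalized_host(page_url)
    if saved is None or page is None:
        return False
    return page == saved or page.endswith("." + saved)

# Constructed sample data: placeholder hosts, not real services.
SAVED = "https://login.example.com/signin"
PAGES = [
    "https://login.example.com/signin",                      # genuine site
    "https://login.example.com:443/reset?step=1",            # same host, other path
    "http://login.example.com/signin",                       # not encrypted
    "https://login.example.com.account-check.test/signin",   # saved name used as prefix
    "https://login-example.com/signin",                      # hyphen instead of dot
    "https://login.example.com@account-check.test/",         # real host is after "@"
    "https://l\u043egin.example.com/",                       # Cyrillic "o" lookalike
]

def check_pages(saved_url, pages):
    """Return (page, fill?) pairs for each page the user lands on."""
    return [(page, should_autofill(saved_url, page)) for page in pages]

if __name__ == "__main__":
    for page, fill in check_pages(SAVED, PAGES):
        shown = page.encode("ascii", "backslashreplace").decode()
        print("FILL  " if fill else "REFUSE", shown)
```

Only the first two pages are filled; every other page is refused, which is the moment to stop and read the address bar.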
Need help?
If you have questions about securing the accounts connected to your Casa membership, reach out to help@team.casa.