Are password managers more secure than a slightly different password for each website?

Yes, decent password managers are more secure than using any password pattern.

  • You have a password manager, and it has created you random passwords:

    1. 6AKQ3)mcV!xX3b8-ZgncCe%tdn!&[email protected]
    2. a6/4TFaWKrzTHQyT2Df#;/*+QA$zH2tJ
    3. 9y__&%7jP4UcuG(9f7X6z44C#64bF:m&
    4. 9W649r788_8AU=9272zuGH"=C?2&C66j
    5. nT29HMc$y'H)ww2#D/2x(2sBU#WG23us
  • Versus you have a pattern for your passwords:

    1. correctbatteryhorsestaplegithub
    2. correctbatteryhorsestaplestackexchange
    3. correctbatteryhorsestaplegooogle
    4. correctbatteryhorsestaplesomesite
    5. correctbatteryhorsestapleapple

The site #4 has a bad practice of saving passwords in plain text, and their password database leaks. Now, from the latter it's possible to assume that this is a password pattern you use and deduce you might have correctbatteryhorsestaplegithub as your password for GitHub etc., but from the random password it's impossible to deduce the other random passwords, as they are completely unrelated.

On the other hand, if your computer gets infected and someone steals both your password manager database and the password (e.g. using a keylogger), they have keys to the kingdom. That's a completely different risk model and requires access to the operating system the password manager is installed on. Against this you need other measures like multi-factor authentication.


Microsoft have done some interesting research into the idea you mention of having a weak password for sites that you don't care about, and conclude that it is a valid strategy.

However, I'd argue that one advantage of a password manager is that you do not have to expend any mental effort working out which sites you don't care about, and more importantly you can't make a mis-classification. If you're using a password manager, its the same number of clicks to have it paste in "password" as "District solid complete warlord cheese".

(By the way, I've found that it is better to use five random words than 30 random characters when generating passwords with my password manager. Sooner or later you will get into a situation where you have to type it into a computer that doesn't have the password manager agent installed.)


Using a formulaic password generation method rather than random ones in a password manager changes your threat model.

With a password manager the main threat is that your master password will be discovered. For most people, working with a limited number of trusted devices, this is a low likelihood. However, if you are regularly required to login to a range of services from many different, potentially untrusted devices, (e.g. travelling and using internet cafes or as a field engineer) then you threat model can change significantly.

With a formulaic password generation mechanism your threat is that the formula is exposed. For a non-trivial formula, that's likely to require human intervention and/or multiple plaintext passwords being available. It is inherently weaker since the passwords can be cracked, but you're vulnerable to a different type of threat, which is likely a more targeted attack.