
How to Switch from Chrome Passwords to Bitwarden: Complete Migration Guide

Your passwords are too important to leave inside a browser. Here's exactly how to move them to Bitwarden without losing a single login, plus the setup steps nobody tells you about.


I'm going to be blunt: if you're still using Chrome's built-in password manager as your primary way to store credentials, you're making a mistake. Not a catastrophic, hair-on-fire mistake—Chrome's password manager isn't terrible. But it's like keeping all your valuables in a shoebox under your bed instead of a proper safe. It works until it doesn't.

I made this switch about three years ago, and the only thing I regret is not doing it sooner. The migration itself took me about 45 minutes from start to finish, and that included setting up 2FA and installing the mobile app. If you've been putting this off because it sounds complicated, I promise you it's not.

This guide walks through every single step. No hand-waving, no "just figure it out" moments. By the end, you'll have all your passwords in Bitwarden, two-factor authentication protecting them, and Chrome's password manager turned off for good.

1 Why Chrome's Password Manager Isn't Good Enough

Chrome's password manager does one thing well: it's convenient. You save a password, it fills it in next time. Zero friction. That convenience is exactly why most people use it—it was already there, and it just worked.

But here's what you're giving up by relying on it:

It's tied to Google's ecosystem. Your passwords live inside your Google account. If Google locks your account (which happens more often than you'd think—automated systems flag accounts for all kinds of reasons), you lose access to every single password. People have been locked out of their Google accounts for weeks over false-positive policy violations. Imagine not being able to log into your bank, your email, your work tools, all because Google's algorithm decided your account looked suspicious.

It only works in Chrome. If you're reading this site, you're probably considering switching to Firefox or Brave at some point (and you should—check out our complete DeGoogle guide for the full picture). Chrome's password manager doesn't come with you. Bitwarden works in every browser, on every operating system, on every phone.

Limited security features. Chrome can generate passwords and autofill them, sure. But it doesn't support TOTP codes (those 6-digit 2FA codes), it can't store secure notes, it can't share passwords securely with family members, and its password generator is basic compared to dedicated tools. You also can't easily audit your passwords—finding reused or weak passwords requires digging through Google's password checkup, which is clunky at best.

Google can read your passwords. This one gets debated a lot. Google says they encrypt your passwords, and technically they do—but the encryption keys are managed by Google. They have the theoretical ability to decrypt them. With Bitwarden, your vault is encrypted with your master password before it ever leaves your device. Bitwarden literally cannot read your passwords even if they wanted to. That's called zero-knowledge encryption, and it matters.

No offline access. If you're on a plane or somewhere without internet, Chrome's password manager won't help you look up a password you need. Bitwarden's desktop and mobile apps keep an encrypted local copy of your vault that works offline.

2 What Makes Bitwarden Different

I'm not going to pretend Bitwarden is the only good password manager. 1Password is excellent. KeePass is rock-solid if you're technical. But Bitwarden hits a sweet spot that nothing else quite matches, and here's why I recommend it to basically everyone:

It's open source. The entire codebase is on GitHub. Anyone can audit it, and multiple independent security firms have. This isn't "trust us, we're secure"—it's "here's our code, verify it yourself." The most recent third-party audit (by Cure53 in late 2025) found no critical vulnerabilities. That's not marketing; the full report is published publicly.

Zero-knowledge architecture. Your master password never leaves your device. Bitwarden's servers only ever see your encrypted vault. Even if their servers got hacked (which has never happened, but let's be realistic about threats), the attackers would get encrypted blobs that are computationally infeasible to crack with a strong master password.

The free tier is genuinely useful. Unlike most "free" tiers that are barely functional demos, Bitwarden's free plan gives you unlimited passwords, syncing across unlimited devices, a password generator, and basic 2FA (email-based). You can honestly use it forever without paying a cent and never feel limited for personal use.

Cross-platform without compromise. Windows, macOS, Linux, iOS, Android, every major browser. The experience is consistent across all of them. Your vault syncs instantly. Save a password on your phone, it's on your laptop in seconds.

Self-hosting option. If you're paranoid (and I mean that as a compliment), you can run your own Bitwarden server using Vaultwarden. Your passwords never touch anyone else's servers. Most people don't need this, but having the option is a massive trust signal.

3 Creating Your Bitwarden Account

Head to bitwarden.com and click "Get Started." You'll need an email address—ideally not your Gmail if you're going full privacy mode. If you've already set up ProtonMail following our ProtonMail migration guide, use that.

The critical step is choosing your master password. This is the single most important password you'll ever create, so let's get it right:

Master Password Rules

  • Minimum 16 characters. Longer is better. 20+ is ideal.
  • Use a passphrase. Something like correct-horse-battery-staple-piano is far stronger than P@ssw0rd!123 and infinitely easier to remember.
  • Don't reuse it anywhere. This password exists for one purpose only.
  • Write it down. Yes, really. Write it on paper and store it somewhere safe—a locked drawer, a home safe. If you forget this password, Bitwarden cannot recover it. That's the trade-off of zero-knowledge encryption.
  • Never type it on someone else's computer. Your master password on a compromised machine means game over.

Once your account is created, Bitwarden will prompt you to set up your vault. Don't install anything yet—we need to get your existing passwords out of Chrome first.

4 Exporting Passwords from Chrome

This is the part people worry about most, but it takes about two minutes. Here's exactly what to do:

Step-by-Step Export

  1. Open Chrome and go to chrome://password-manager/settings
  2. Find "Export passwords" and click it
  3. Chrome will ask for your computer's login password (Windows PIN, macOS password, etc.) to verify it's you
  4. Save the file as a CSV. Choose your Desktop so you can find it easily
  5. The file will be called something like Chrome Passwords.csv

Security warning: That CSV file contains every single one of your passwords in plain text. Anyone who gets this file has access to everything. Don't email it to yourself, don't upload it to Google Drive (the irony), don't leave it sitting on your Desktop after you're done. We'll delete it once the import is complete.

Before moving on, take a quick look at the CSV file. Open it in a spreadsheet app or even a text editor. You might be surprised how many entries there are—Chrome saves passwords for sites you visited once three years ago and never came back to. You don't have to clean this up now (Bitwarden makes it easy to organize later), but it's worth knowing what you're working with.
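A way to get that overview without opening the file in a spreadsheet app, as an added example (not part of the original guide): the script below reads the export in place and reports the entry count, entries with no password, short passwords, and groups of sites sharing a password, printing site names only. The column layout (name,url,username,password,note), the 12-character cut-off, and the sample rows are assumptions made for illustration.

```python
import csv
import hashlib
from collections import defaultdict

# Constructed sample in the assumed Chrome export layout
# (name,url,username,password,note). Every value is made up.
SAMPLE_EXPORT = """name,url,username,password,note
example.com,https://example.com/login,alice,hunter2hunter2,
shop.example,https://shop.example/account,alice@example.com,hunter2hunter2,
forum.example,https://forum.example/,alice,abc123,
bank.example,https://bank.example/signin,alice,Xk9#vTq2LmPz7wRb84Nc,
old.example,https://old.example/,,,
"""

MIN_LENGTH = 12  # assumed cut-off for "short"; not a Bitwarden or Chrome value


def audit_export(lines, min_length=MIN_LENGTH):
    """Summarise an export without ever echoing a password."""
    by_password = defaultdict(list)  # SHA-256 of password -> site names
    short, empty, total = [], [], 0
    for row in csv.DictReader(lines):
        total += 1
        site = row.get("name") or row.get("url") or "(unnamed)"
        password = row.get("password") or ""
        if not password:
            empty.append(site)
            continue
        if len(password) < min_length:
            short.append(site)
        # Group on a digest so plaintext is not held as a dictionary key.
        digest = hashlib.sha256(password.encode("utf-8")).hexdigest()
        by_password[digest].append(site)
    reused = sorted(sorted(s) for s in by_password.values() if len(s) > 1)
    return {"total": total, "empty": empty, "short": short, "reused": reused}


def format_report(result):
    """Render the summary as text; site names only, never passwords."""
    out = [f"entries: {result['total']}",
           f"no password stored: {', '.join(result['empty']) or 'none'}",
           f"shorter than cut-off: {', '.join(result['short']) or 'none'}"]
    for group in result["reused"]:
        out.append(f"same password on {len(group)} sites: {', '.join(group)}")
    return "\n".join(out)


if __name__ == "__main__":
    # Real run: pass open("Chrome Passwords.csv", newline="", encoding="utf-8")
    print(format_report(audit_export(SAMPLE_EXPORT.splitlines())))
```

The entry count it prints is also the number to compare against Bitwarden's import summary in the next step.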

5 Importing into Bitwarden

Now the good part. Log into your Bitwarden account at vault.bitwarden.com in your browser.

Import Steps

  1. Click Tools in the top navigation
  2. Select Import Data
  3. For the import format, choose "Chrome (csv)" from the dropdown
  4. Click "Choose File" and select the CSV you just exported
  5. Hit Import Data
  6. Bitwarden will show you a summary of what was imported—check the count matches roughly what you expected

That's it. Your passwords are now in Bitwarden. Take a moment to scroll through your vault and spot-check a few entries—make sure the usernames and passwords transferred correctly. In my experience (and hundreds of reports from users), Chrome CSV imports are essentially flawless. I've never seen one lose data.

Now delete that CSV file. Not just move it to the trash—permanently delete it. On Windows, Shift+Delete. On Mac, empty the trash. If you're extra cautious, use a secure deletion tool, though for most people a standard delete is fine since the file was only on disk briefly.

While you're in the vault, take a look at the Reports section (available on the Premium plan, but there's a free trial). The "Reused Passwords" and "Weak Passwords" reports are eye-opening. Most people discover they have the same password on 15+ sites. This is the moment you start fixing that—Bitwarden's password generator makes it easy to rotate weak passwords one by one over the coming days.

6 Setting Up Two-Factor Authentication

Your Bitwarden vault is now a single point of failure for your entire digital life. If someone gets your master password, they get everything. This is why 2FA on your Bitwarden account is absolutely non-negotiable.

The free plan supports email-based 2FA, which is better than nothing. But I strongly recommend either an authenticator app (like Aegis on Android or Raivo on iOS) or—the gold standard—a hardware security key.

Option A: Authenticator App (Free)

  1. In Bitwarden web vault, go to Settings → Security → Two-step Login
  2. Click Manage next to "Authenticator App"
  3. Enter your master password when prompted
  4. Scan the QR code with your authenticator app
  5. Enter the 6-digit code to verify
  6. Save your recovery code somewhere safe—this is your lifeline if you lose your phone

Option B: Hardware Security Key (Best)

A YubiKey or similar FIDO2 security key is the most secure 2FA method available. It's phishing-proof—even if someone tricks you into entering your master password on a fake Bitwarden site, they can't get past the hardware key because it validates the actual domain.

The setup is similar: go to Two-step Login settings, choose FIDO2 WebAuthn, and follow the prompts to register your key. You'll need to touch the key when it blinks. Hardware key support requires the Premium plan ($10/year), but it's worth every penny for the security upgrade.
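The domain check described above, modelled as an added example (not part of the original guide and not Bitwarden's code): the browser writes the page's real origin into the data the key signs, and the server rejects any login whose origin or RP ID hash is not its own. The relying party vault.example and the look-alike origin are hypothetical, and signature verification is left out.

```python
import base64
import hashlib
import json
import secrets

# Hypothetical relying party, not Bitwarden's real configuration.
RP_ID = "vault.example"
EXPECTED_ORIGIN = "https://vault.example"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def browser_assertion(page_origin: str, rp_id: str, challenge: bytes):
    """Model the two structures the security key's signature covers."""
    # The browser, not the page, writes the origin it is actually showing.
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": b64url(challenge),
                              "origin": page_origin}).encode()
    flags = bytes([0x01])  # bit 0 set: user present (the touch)
    counter = (1).to_bytes(4, "big")
    auth_data = hashlib.sha256(rp_id.encode()).digest() + flags + counter
    return client_data, auth_data


def check_assertion(client_data: bytes, auth_data: bytes, challenge: bytes) -> str:
    """Server-side checks that run before the signature is verified."""
    fields = json.loads(client_data)
    if fields.get("type") != "webauthn.get":
        return "reject: wrong ceremony type"
    if not secrets.compare_digest(str(fields.get("challenge")), b64url(challenge)):
        return "reject: challenge mismatch"
    if fields.get("origin") != EXPECTED_ORIGIN:
        return "reject: origin mismatch"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "reject: rpIdHash mismatch"
    if len(auth_data) < 37 or not auth_data[32] & 0x01:
        return "reject: user not present"
    return "accept"


if __name__ == "__main__":
    challenge = secrets.token_bytes(32)
    real = browser_assertion(EXPECTED_ORIGIN, RP_ID, challenge)
    # Constructed look-alike origin relaying the genuine challenge.
    fake = browser_assertion("https://vault-example.test", "vault-example.test", challenge)
    print("real site:", check_assertion(*real, challenge))
    print("look-alike site:", check_assertion(*fake, challenge))
```

A typed master password or 6-digit code carries no such binding, which is why a look-alike page can relay those but not a hardware key response.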

If you're also working through our DeGoogle guide, a YubiKey does double duty—you can use the same key for ProtonMail, Nextcloud, and basically any service that supports FIDO2.

YubiKey 5C NFC — Our Pick

Works with USB-C and NFC (tap on phone). Compatible with hundreds of services. Buy two—keep one as a backup in a safe location. Losing your only hardware key without a backup recovery method is a nightmare scenario.


YubiKey 5 NFC (USB-A) — Budget Option

If your laptop still has USB-A ports, this version is a bit cheaper and does everything the 5C does. Same security, just the older connector.


7 Browser Extension & Mobile Apps

The web vault is useful for management, but day-to-day you'll use the browser extension and mobile app. Let's set up both.

Browser Extension

Go to bitwarden.com/download and grab the extension for your browser. If you're still on Chrome, install it from the Chrome Web Store. If you've already switched to Firefox or Brave (good for you), it's available there too.

After installing, log in with your email and master password. The extension will show a small shield icon in your browser toolbar. When you visit a site that has saved credentials, click the icon and it'll show matching logins. Click one to autofill.

A few settings I recommend tweaking right away:

  • Vault timeout: Set to "On Browser Restart" or "15 minutes" depending on your paranoia level. "Never" is convenient but defeats the purpose.
  • Vault timeout action: "Lock" (not "Log out")—this way you just need your master password or biometrics to get back in, not your 2FA code every time.
  • Default URI match detection: Leave on "Base domain" unless you have a specific reason to change it.
  • Auto-fill on page load: I'd leave this off. It's a minor phishing risk—a malicious page could have hidden login forms that get auto-filled. Better to fill manually with one click.

Mobile App

Install Bitwarden from the App Store or Google Play (or F-Droid if you're running GrapheneOS). Log in, then enable biometric unlock—Face ID, fingerprint, whatever your phone supports. This is what makes mobile Bitwarden genuinely pleasant to use instead of tedious.

On Android, go to Settings → Passwords & accounts → Autofill service and set Bitwarden as your autofill provider. On iOS, go to Settings → Passwords → AutoFill Passwords and enable Bitwarden there. This lets Bitwarden fill passwords in any app, not just the browser.

If you're running a privacy-focused phone setup, check our best privacy phones guide for recommendations that work beautifully with Bitwarden.

8 Family Sharing & Organization

If you live with other people, the Family plan ($40/year for up to 6 users) is a no-brainer. Here's the setup I use and recommend:

Create a Family Organization in Bitwarden. This gives you shared collections—think of them as shared folders. I set up mine like this:

  • Streaming: Netflix, Spotify, Disney+, etc.—passwords everyone in the household needs
  • Household: WiFi password, smart home logins, utility accounts
  • Emergency: Bank logins, insurance portals—shared only with your partner for emergency access

Each family member also keeps their own personal vault for passwords they don't share. The personal vault is completely separate from the organization—other family members can't see it, and even the organization admin can't access individual personal vaults.

One thing I've found genuinely useful: setting up the Emergency Access feature. You designate a trusted person who can request access to your vault if something happens to you. There's a configurable waiting period (I use 7 days)—if you don't actively deny the request within that window, they get access. It's morbid to think about, but it's responsible.

9 Pricing Breakdown: What You Actually Need

  • Free ($0/year): Unlimited passwords, 2 devices, email 2FA
  • Premium ($10/year): Hardware key 2FA, TOTP codes, vault health reports, 1 GB file storage
  • Families ($40/year): 6 users, shared collections, all Premium features for everyone

For comparison: 1Password charges $36/year for a single user and $60/year for families. Dashlane is $60/year for their premium plan. LastPass's free tier is so gutted it's borderline unusable. Bitwarden at $10/year for premium is, frankly, absurdly good value. And the free tier is genuinely usable—not a bait-and-switch.

My recommendation: start with Free to make sure you like Bitwarden, then upgrade to Premium once you're ready to set up hardware 2FA. The Premium upgrade pays for itself in peace of mind. If you have a partner or family, the Family plan at $6.67/person/year is the best deal in cybersecurity.

10 Disabling Chrome's Password Manager

This is the step people forget, and it leads to confusion. If you don't disable Chrome's built-in password manager, it'll keep popping up asking to save passwords alongside Bitwarden. Two password managers fighting for attention is annoying and defeats the purpose of switching.

How to Disable It

  1. Go to chrome://password-manager/settings
  2. Turn off "Offer to save passwords"
  3. Turn off "Auto Sign-in"
  4. Optional but recommended: go to chrome://settings/addresses and turn off autofill for addresses and payment methods too (Bitwarden can handle those)

You don't need to delete your saved passwords from Chrome right away. Once you've confirmed everything imported correctly into Bitwarden and you've been using it successfully for a week or two, come back and clear them out. Go to chrome://password-manager/passwords and you can delete them all.

And honestly? If you're on a privacy journey, this is a great time to consider ditching Chrome entirely. Firefox with the Bitwarden extension is a fantastic combo. Our DeGoogle guide covers the browser switch in detail.

Going Deeper: Understanding Digital Privacy

If this migration got you thinking about your broader digital security posture, these books are worth your time. They're not technical manuals—they're accessible reads that'll change how you think about the data you give away every day.

"Extreme Privacy" by Michael Bazzell (4th Edition)

The definitive guide to digital privacy from a former FBI cyber investigator. Dense but practical. Chapter on password management alone is worth the price.


"The Art of Invisibility" by Kevin Mitnick

Written by the world's most famous hacker (reformed). More accessible than Bazzell's book. Great for understanding why these precautions matter through real-world stories.


What to Do This Week

You've done the hard part. Your passwords are in Bitwarden, 2FA is set up, and you've got the extension and mobile app running. Here's what to focus on over the next few days:

  1. Use Bitwarden for every login. Resist the urge to type passwords from memory. Force yourself to use the extension. It takes a day or two to build the muscle memory.
  2. Change your 5 most important passwords. Start with email, banking, and anything financial. Use Bitwarden's generator—20+ characters, all character types.
  3. Enable 2FA on your email. If someone gets your email, they can reset every other password. Your email account should have the strongest possible protection. If you're on ProtonMail, use your YubiKey.
  4. Delete the Chrome export CSV. Seriously, if you haven't already.
  5. Set a calendar reminder for 2 weeks out to delete saved passwords from Chrome once you've confirmed Bitwarden is working smoothly.

Over the following weeks, work through your vault and replace any reused or weak passwords. Don't try to do them all at once—that's a recipe for burnout. Five a day is plenty. Within a month, you'll have a vault full of strong, unique passwords and you'll wonder why you ever trusted Chrome with something this important.

If you're taking this seriously (and the fact that you read this far says you are), the next logical step is locking down your internet connection. A good VPN is the other half of the equation. Check our VPN comparison guide for recommendations that actually hold up to scrutiny.

Welcome to actually owning your passwords. It feels good, doesn't it?
