Choose vault and recovery model on paper first
Decide where the vault syncs, what unlocks it, who can recover it, and whether a hardware key or recovery sheet is involved. Do not type real passwords or recovery codes into this page.
Plan a safe move into a password manager from browser autofill, spreadsheets, sticky notes, or another vault. Pick categories, devices, recovery state, and risk level. No passwords, no exports, no logins.
Readiness score: 46/100
Prepare first. The checklist sequences recovery and prep before any import.
Devices: 2 selected. Needs spare path.
Sharing: Couple or partner. Shared-vault scope.
Copy this into a private vault note or download a local text file. The report intentionally avoids passwords and account names.
Password manager migration checklist

Readiness score: 46/100 (Prepare first)
Account categories: Email and recovery, Password manager itself, Banking and payments, Device ecosystem, Work and admin, Shopping with cards
Devices: Personal phone, Personal computer
Current password sources: Browser passwords
2FA state: Strong on some
Recovery state: Partial
Shared-vault need: Couple or partner
Risk level: Elevated

Phased migration checklist:
1. [Phase 1 Prepare] Choose vault and recovery model on paper first - Decide where the vault syncs, what unlocks it, who can recover it, and whether a hardware key or recovery sheet is involved. Do not type real passwords or recovery codes into this page.
2. [Phase 1 Prepare] Set a strong, unique master password - Pick a long passphrase that is not reused on any other account. Practice typing it from memory before unlocking critical accounts with it.
3. [Phase 1 Prepare] Build the recovery kit before importing anything - Verify a separate recovery email, generate fresh backup codes for critical accounts, and store the vault recovery key offline. Without this, a forgotten master password can lock you out permanently.
4. [Phase 1 Prepare] Enroll a spare device or hardware key - Add a second trusted device or hardware key to the vault before removing old credential paths. A single-device vault is fragile.
5. [Phase 1 Prepare] Plan a clean browser password export - Identify which browser holds the canonical copy. Plan to export to CSV, import into the vault, and then delete the CSV file along with the browser-stored passwords.
6. [Phase 2 Import] Import in priority order, not all at once - Start with email and the password manager itself, then banking, work, and device ecosystem. Verify sign-in works on the chosen device before moving to the next category.
7. [Phase 2 Import] Test sign-in and 2FA after each batch - After importing a batch, sign out and sign back in from the intended device. Confirm 2FA still works and that recovery codes are stored in or near the vault.
8. [Phase 2 Import] Coordinate work and admin accounts - Check whether work credentials should sit in a managed business vault or behind SSO. Personal vaults sometimes break helpdesk recovery for privileged accounts.
9. [Phase 3 Cleanup] Audit reused and weak passwords - Run the vault's reuse and weak-password report. Rotate the highest-impact reused passwords first, starting with email, banking, work, and device ecosystem accounts.
10. [Phase 3 Cleanup] Remove saved passwords from browsers - After verifying the vault works, turn off browser password saving and clear stored passwords across all browsers and devices to avoid two sources of truth.
11. [Phase 3 Cleanup] Close stale and unused accounts - For subscriptions, trials, and forgotten signups, prefer closing the account over importing a weak password. Fewer accounts means a smaller breach surface.
12. [Phase 4 Maintain] Set up shared vaults with clear ownership - Create a shared vault per group (couple, family, or team), name an owner and a backup owner, and only put accounts that genuinely need sharing inside it. Keep personal accounts in your personal vault.
13. [Phase 4 Maintain] Configure emergency access or trusted contact - Where the vault supports it, set an emergency or trusted contact who can request access after a delay. Document the request process in your offline recovery sheet.
14. [Phase 4 Maintain] Schedule a recovery and reuse review every 6 months - Phones, partners, employers, and devices change. Recheck enrolled devices, recovery email, backup codes, and reused-password reports on a fixed cadence.

Accounts to import in order:
1. [Import first] Email and recovery - Import after recovery email and 2FA backup are tested. Reason: Email controls the reset chain for almost everything else.
2. [Import first] Password manager itself - Set master password, recovery key, and emergency contact first. Reason: The vault is the bridge between old and new sign-ins.
3. [Import first] Banking and payments - Import one institution at a time and verify sign-in plus 2FA. Reason: Financial accounts are high value and slow to recover.
4. [Next wave] Work and admin - Check policy, SSO, and managed-vault rules before importing. Reason: Work accounts may require managed vaults or SSO instead.
5. [Next wave] Device ecosystem - Add to vault, then keep passkeys synced via the OS account. Reason: Device accounts anchor recovery for everything else.
6. [Next wave] Shopping with cards - Import after banking; remove unused saved cards during cleanup. Reason: Saved-card accounts spread payment exposure quickly.

Safety warnings:
1. Never paste real passwords, master passwords, recovery keys, exported CSV files, or backup codes into this page. The tool only needs categories.
2. Do not email or chat exported password files to yourself. Move them locally and delete after import.
3. After importing browser passwords, sign out of browser sync to avoid resyncing the old saved passwords back onto new devices.
4. Without a documented recovery kit, a forgotten master password or lost device can lock you out of the new vault permanently.

Backup and recovery tasks:
1. Document the recovery chain on paper: master password hint location, recovery key, recovery email, spare device, hardware key, emergency contact.
2. Generate fresh backup codes for email, password manager, banking, work, and device ecosystem accounts and store them inside the vault or on the offline recovery sheet.
3. Enroll at least one spare device or hardware key on the vault before removing the old password source.
4. Test sign-in and recovery from a second device after the first batch is imported, not after the migration is finished.
5. For shared vaults, name an owner, a backup owner, and a documented succession plan. Decide what happens to the shared vault if the owner is unavailable.
6. Print or seal an offline recovery sheet that lists where to find each recovery item without writing the secrets themselves.
7. Set a calendar reminder to retest recovery in 30 days, then every 6 months.

Do not put real passwords, master passwords, recovery keys, exported CSV files, backup codes, security answers, or identity numbers in this exported plan unless it is stored inside a private vault.

Generated locally by https://passlock.to/tools/password-manager-migration-checklist
No. It only uses categories: account types, devices, current sources, 2FA, recovery state, shared-vault needs, and risk. Do not paste real passwords, exported CSV files, master passwords, recovery keys, or backup codes.
Set the master password, enroll a second device or hardware key, generate fresh backup codes for critical accounts, and write down the offline recovery sheet. Verify recovery before importing.
After import, turn off browser password saving, delete the export CSV, empty notes-app trash and version history, shred paper copies, and decommission the old vault. Keep one sealed offline recovery sheet only.
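The cleanup step says to delete the export CSV once the import is verified. As an added example (not part of this page or of Passlock's code), the Python script below finds leftover credential exports under a directory by inspecting only each CSV's header row, and flags files that other local users can read. The header heuristic, the function names, and the sample files are assumptions constructed for illustration.

```python
import csv
import stat
import tempfile
from pathlib import Path

# Assumption: an export is recognised by its header row alone (a password
# column plus a separate site or account column); data rows are never read.
def looks_like_credential_export(path: Path) -> bool:
    try:
        with path.open(newline="", encoding="utf-8-sig", errors="replace") as fh:
            header = next(csv.reader(fh), [])
    except (OSError, csv.Error):
        return False  # unreadable or malformed file: cannot classify, skip it
    cols = [c.strip().lower() for c in header]
    secret = [c for c in cols if "password" in c]
    ident = [c for c in cols if "password" not in c
             and any(k in c for k in ("url", "user", "login"))]
    return bool(secret and ident)

def find_leftover_exports(root: Path) -> list[dict]:
    """Return every credential-export CSV under root with its exposure flag."""
    findings = []
    for path in sorted(root.rglob("*")):
        if path.suffix.lower() != ".csv" or not path.is_file():
            continue
        if looks_like_credential_export(path):
            mode = path.stat().st_mode
            findings.append({"path": path,
                             "others_can_read": bool(mode & (stat.S_IRGRP | stat.S_IROTH))})
    return findings

def demo() -> list[tuple[str, bool]]:
    """Scan a constructed directory tree; every value in it is fake."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Downloads").mkdir()
        export = root / "Downloads" / "Passwords.CSV"
        export.write_text("name,url,username,password\nx,https://example.test,alice,fake\n")
        export.chmod(0o644)  # group/world readable: worst case for an export
        locked = root / "vault-import.csv"
        locked.write_text('\ufeff"url","username","password"\n', encoding="utf-8")
        locked.chmod(0o600)  # owner-only, but still a leftover to delete
        (root / "budget.csv").write_text("month,amount\n2024-01,10\n")
        return [(f["path"].relative_to(root).as_posix(), f["others_can_read"])
                for f in find_leftover_exports(root)]

if __name__ == "__main__":
    for rel, exposed in demo():
        print(f"{rel}: credential export, readable by other users: {exposed}")
```

Point `find_leftover_exports` at the download and desktop folders of each device used in the migration; anything it lists should be deleted once the vault import has been verified.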