Why Your Password Habits Probably Need an Upgrade
Reusing the same password across multiple sites is one of the most common — and dangerous — digital habits. When one site is breached (and breaches happen constantly), attackers automatically try that username and password combination on banks, email providers, and social networks. This is called credential stuffing, and it works far more often than it should.
The good news: fixing this doesn't require memorizing dozens of complex strings. It requires a simple system.
What Makes a Password Strong?
A strong password has three qualities:
- Length: At least 12 characters, ideally 16 or more. Length matters more than complexity.
- Unpredictability: It doesn't contain your name, birthdate, pet's name, or dictionary words in obvious combinations.
- Uniqueness: It's used for exactly one account and nothing else.
The Passphrase Method (For Passwords You Must Memorize)
For accounts you need to type manually — like your computer login or primary email — use a passphrase: a string of four or more random words strung together.
Example: correct-horse-battery-staple
This is both long (28 characters) and memorable. Add a number or symbol if required: correct-horse-battery-staple7. The randomness of the words is what makes it strong — don't use a famous phrase or song lyric.
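To make the three qualities above and the passphrase method concrete, here is a small Python script added as an illustration; it is not code from the article. It draws words with the OS random source (the `secrets` module) rather than a predictable generator, estimates the entropy a word list gives, and scores a candidate against length, predictability and uniqueness. The word list, the common-word list and the keyboard patterns are constructed for the example and far too short for real use; a real generator would use a large list such as the EFF long list (7,776 words). Uniqueness cannot be read off the string itself, so the caller has to say whether the password is already used elsewhere.

```python
import math
import re
import secrets

# Constructed word list for illustration only. A real generator should draw
# from a large list such as the EFF long word list (7,776 words); 20 words
# give far too little entropy in practice.
WORDS = [
    "correct", "horse", "battery", "staple", "orbit", "velvet", "canyon",
    "pillow", "lantern", "meadow", "copper", "tundra", "walnut", "falcon",
    "quartz", "harbor", "marble", "thistle", "ember", "glacier",
]

# Constructed samples of words and keyboard runs that guessing tools try
# first; a real checker would use a much longer list.
COMMON_WORDS = ("password", "letmein", "welcome", "monkey", "dragon", "iloveyou")
KEYBOARD_PATTERNS = ("qwerty", "asdfgh", "zxcvbn", "123456", "abcdef")


def generate_passphrase(n_words=4, separator="-", wordlist=WORDS):
    """Join n_words words chosen uniformly at random with secrets.choice,
    which uses the OS CSPRNG (random.choice is predictable and unsuitable)."""
    return separator.join(secrets.choice(wordlist) for _ in range(n_words))


def passphrase_entropy_bits(n_words, list_size):
    """Entropy of a passphrase drawn uniformly from list_size words:
    log2(list_size) bits per word, times the number of words."""
    return n_words * math.log2(list_size)


def check_strength(password, personal_info=(), used_elsewhere=False):
    """Evaluate the three qualities from the article. personal_info holds
    strings such as a name, pet name or birth year that must not appear in
    the password; used_elsewhere says whether the same password already
    protects another account."""
    lowered = password.lower()
    compact = re.sub(r"[^a-z0-9]", "", lowered)  # ignore separators and case
    predictable = (
        any(info.lower() in lowered for info in personal_info if info)
        or any(word in compact for word in COMMON_WORDS)
        or any(pattern in compact for pattern in KEYBOARD_PATTERNS)
    )
    return {
        "length": len(password) >= 12,
        "unpredictability": not predictable,
        "uniqueness": not used_elsewhere,
    }


def is_strong(password, **kwargs):
    """True only when all three qualities hold."""
    return all(check_strength(password, **kwargs).values())


if __name__ == "__main__":
    phrase = generate_passphrase()
    print(phrase, check_strength(phrase))
    print("bits with this toy list:", round(passphrase_entropy_bits(4, len(WORDS)), 1))
    print("bits with the EFF long list:", round(passphrase_entropy_bits(4, 7776), 1))
```

Four words from the toy list give only about 17 bits; the same four words from the EFF long list give about 52 bits, which is why the size of the list, not the cleverness of the words, is what matters.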
The Best Solution: A Password Manager
For every other account, stop trying to memorize passwords. Use a password manager — it generates, stores, and auto-fills unique strong passwords for every site you use. You only need to remember one master password.
Reputable Password Managers to Consider
| App | Free Tier | Platforms | Notable Feature |
|---|---|---|---|
| Bitwarden | Yes (full-featured) | All platforms | Open source, highly audited |
| 1Password | No (paid only) | All platforms | Travel Mode, family sharing |
| Dashlane | Limited | All platforms | Dark web monitoring |
| KeePassXC | Yes (fully free) | Desktop | Fully local, no cloud |
Two-Factor Authentication: Your Second Line of Defense
Even a perfect password can be stolen through phishing. Two-factor authentication (2FA) means that even if someone gets your password, they still can't log in without a second verification step — usually a code from your phone.
Enable 2FA on these accounts first:
- Your email (this is the master key to all other accounts)
- Your password manager
- Your bank and financial accounts
- Social media accounts
Use an authenticator app like Aegis (Android), Raivo (iOS), or Google Authenticator rather than SMS codes when possible — SMS 2FA can be intercepted via SIM-swapping attacks.
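The six-digit codes an authenticator app shows are not sent to the phone at all; the app and the website share a secret (the QR code you scan) and both compute the code from that secret and the current time, which is why there is nothing to intercept the way an SMS can be. The following Python script is an added illustration of that computation (RFC 6238 TOTP on top of RFC 4226 HOTP), not code from any of the apps named above. The secret used is the reference value the RFC publishes test vectors for, written in base32 as apps accept it; the verification function shows the server side, including the one-step tolerance for clock drift.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 reference secret (the ASCII string "12345678901234567890"),
# written in base32 the way authenticator apps accept it. Used here only
# because the RFC publishes the expected codes for it.
RFC6238_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32, at_time=None, step=30, digits=6, digest=hashlib.sha1):
    """Compute the code for the 30-second interval containing at_time."""
    s = secret_b32.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)             # restore padding apps often omit
    key = base64.b32decode(s)
    if at_time is None:
        at_time = time.time()
    counter = int(at_time) // step        # intervals since the Unix epoch
    mac = hmac.new(key, struct.pack(">Q", counter), digest).digest()
    offset = mac[-1] & 0x0F               # dynamic truncation (RFC 4226)
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret_b32, submitted, at_time=None, window=1, step=30):
    """Server-side check: accept the code for the current interval and for
    `window` intervals either side, comparing in constant time."""
    if at_time is None:
        at_time = time.time()
    for k in range(-window, window + 1):
        expected = totp(secret_b32, at_time + k * step, step=step)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


if __name__ == "__main__":
    print("code right now:", totp(RFC6238_SECRET_B32))
    print("RFC vector at t=59:", totp(RFC6238_SECRET_B32, 59, digits=8))
```

Because the code is derived from a shared secret plus the clock, the protection depends on that secret staying on the device; this is also why the password manager that holds your logins should not be the only place the 2FA secrets live.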
Passwords to Change Right Now
- Any password shorter than 10 characters
- Any password you use on more than one site
- Passwords that include your name, birth year, or simple keyboard patterns (qwerty, 123456)
- Passwords you haven't changed since a service you use was breached (check haveibeenpwned.com)
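The breach check on haveibeenpwned.com can be done without ever sending the password: the Pwned Passwords service accepts only the first five hex characters of the password's SHA-1 hash and returns every known hash suffix under that prefix, so the match happens on your side. The Python script below is an added example of that exchange, not code from the site. The sample response is constructed (the counts and all but one suffix are made up; the matching line is the real SHA-1 of "password"), the live-lookup function is included for completeness but not called, and only the list items that can be checked mechanically (length, reuse, breach) are applied; names, birth years and keyboard patterns need information about the user and are not covered here.

```python
import hashlib
import urllib.request

# Constructed excerpt in the format the Pwned Passwords range endpoint
# returns for one 5-character prefix ("SUFFIX:COUNT" per line). Counts and
# the other suffixes are made up for this example; the third line is the
# real SHA-1 suffix of "password".
SAMPLE_RANGE_RESPONSE = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1D72CD07550416C216D8AD296BF5C0AE8E0:10
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1F2D3E4F5A6B7C8D9E0F1A2B3C4D5E6F7A8:1
"""


def sha1_prefix_suffix(password):
    """Split the uppercase hex SHA-1 of the password into the 5-character
    prefix that is sent and the 35-character suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def pwned_count(password, range_response):
    """How many times the password appears in the breach corpus according
    to range_response (0 if absent). The comparison happens client-side."""
    _, suffix = sha1_prefix_suffix(password)
    for line in range_response.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate == suffix:
            return int(count)
    return 0


def fetch_range(prefix):
    """Live lookup (not used by the offline demo). Only the prefix is sent,
    so the service learns neither the password nor its full hash."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")


def change_reasons(password, range_response, used_on_multiple_sites=False):
    """The items from the 'change right now' list that can be checked
    mechanically, in the order the list gives them."""
    reasons = []
    if len(password) < 10:
        reasons.append("shorter than 10 characters")
    if used_on_multiple_sites:
        reasons.append("reused on more than one site")
    if pwned_count(password, range_response) > 0:
        reasons.append("appears in a known breach")
    return reasons


if __name__ == "__main__":
    prefix, _ = sha1_prefix_suffix("password")
    print("prefix sent to the service:", prefix)
    print(change_reasons("password", SAMPLE_RANGE_RESPONSE, used_on_multiple_sites=True))
```

To run it against the live service, replace SAMPLE_RANGE_RESPONSE with `fetch_range(prefix)`; a password manager's built-in breach report does exactly this lookup for every stored entry.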
The Five-Minute Action Plan
- Download Bitwarden (free) and install the browser extension.
- Create a strong master passphrase and store it somewhere physically safe.
- Enable 2FA on your email account today.
- Next time you log into any site, let your password manager generate and save a new unique password for it.
- Over the next week, update your most important accounts (bank, email, shopping).
You don't need to fix everything at once. Start with the accounts where a breach would hurt most, and build from there.