Why Your Password Habits Probably Need an Upgrade
Using "password123" or your pet's name across multiple accounts is one of the most common — and dangerous — habits in digital life. When a data breach exposes your credentials at one site, attackers try those same credentials everywhere else. This is called credential stuffing, and it's extremely common.
The good news: creating strong, secure passwords doesn't require a computer science degree. It requires a few smart habits and the right tools.
What Makes a Password Strong?
A strong password has these characteristics:
- Length: At least 12 characters. Longer is better. Length is actually more important than complexity.
- Variety: Mix of uppercase, lowercase, numbers, and symbols.
- Uniqueness: Different for every account. Reusing passwords is the single biggest mistake people make.
- Unpredictability: No dictionary words, personal info (birthdays, names), or obvious patterns.
Strategy 1: The Passphrase Method
Instead of a complicated string of characters, use a passphrase — a sequence of random words strung together. For example:
correct-horse-battery-staple
This approach, popularized by security researcher Bruce Schneier and the XKCD comic, creates passwords that are both long and high in entropy (provided the words are picked at random rather than chosen by you) yet easier to remember than a string like xK#9!mQ2. Don't reuse the published example itself; it is far too well known. Add numbers or symbols between words to strengthen it further: correct7Horse!battery
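To make the entropy argument concrete, here is an added example (not code from the original article) that picks passphrase words with a cryptographically secure random choice and compares the resulting entropy with that of a short random character string. The 16-word list is constructed for the demo; the 7,776-entry size is that of the standard Diceware list, and 94 is the number of printable ASCII characters a random-string generator can draw from.

```python
import math
import secrets

# Constructed, deliberately tiny word list so the demo runs offline.
# A real generator would load a published list such as the Diceware list.
DEMO_WORDS = ["correct", "horse", "battery", "staple", "cloud", "river",
              "lantern", "pepper", "window", "marble", "forest", "copper",
              "silver", "candle", "meadow", "anchor"]

DICEWARE_LIST_SIZE = 7776   # 6^5 entries in the standard Diceware list
PRINTABLE_ASCII = 94        # printable ASCII characters (0x21-0x7E)


def generate_passphrase(num_words=4, words=DEMO_WORDS, separator="-"):
    """Join num_words words chosen uniformly at random with a CSPRNG.

    secrets.choice is used deliberately: random.choice is seeded from a
    predictable state and must never be used for secrets.
    """
    if num_words < 1:
        raise ValueError("need at least one word")
    return separator.join(secrets.choice(words) for _ in range(num_words))


def entropy_bits(choices_per_symbol, num_symbols):
    """Entropy of a secret built from num_symbols independent, uniform picks."""
    return num_symbols * math.log2(choices_per_symbol)


def compare(num_words=4, random_chars=8):
    """Entropy of a word passphrase versus a random printable-ASCII string.

    Shows that four Diceware words roughly match an eight-character random
    string, and that a small word list (like DEMO_WORDS) is far too weak.
    """
    return {
        "passphrase_bits": round(entropy_bits(DICEWARE_LIST_SIZE, num_words), 1),
        "random_string_bits": round(entropy_bits(PRINTABLE_ASCII, random_chars), 1),
        "demo_list_bits": round(entropy_bits(len(DEMO_WORDS), num_words), 1),
    }


if __name__ == "__main__":
    print(generate_passphrase())
    print(compare())
```

The entropy figures only hold when the words come from the random pick, not from a phrase you already had in mind.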
Strategy 2: Use a Password Manager
This is the gold standard recommendation from security professionals. A password manager generates, stores, and auto-fills unique complex passwords for every site. You only need to remember one strong master password.
Well-regarded free options include:
- Bitwarden — Open-source, free tier is excellent, cross-platform
- KeePass — Fully local storage, no cloud, maximum control
- Apple Keychain / Google Password Manager — Built-in, convenient if you stay within their ecosystems
What to Avoid
| Bad Practice | Why It's Risky |
|---|---|
| Using your name or birthday | Easily guessed or found via social media |
| Reusing passwords | One breach exposes all your accounts |
| Simple substitutions (p@ssw0rd) | Attackers know these patterns — they're in every dictionary attack |
| Storing passwords in plain text | A notes app or spreadsheet is not secure |
| Sharing passwords via SMS or email | Neither channel is reliably encrypted |
Enable Two-Factor Authentication (2FA)
Even the strongest password can be compromised. Two-factor authentication (2FA) adds a second layer — typically a time-sensitive code from an app like Authy or Google Authenticator — that an attacker would need even if they had your password.
Enable 2FA on every account that supports it, prioritizing:
- Email accounts (they're the master key to everything else)
- Banking and financial services
- Social media accounts
- Any account storing payment information
Check If Your Passwords Have Been Exposed
Visit haveibeenpwned.com — a free, reputable service run by security researcher Troy Hunt — to check if your email or passwords have appeared in known data breaches. If they have, change those passwords immediately.
Strong password hygiene is one of the highest-impact security improvements you can make, and most of it requires no technical expertise — just a change in habit.