Weak or reused passwords are among the leading causes of account compromise. Most successful attacks do not involve sophisticated hacking — they rely on people using the same password across multiple services, so when one site suffers a data breach, credentials work across dozens of others. This guide covers the practices that have the most impact on your actual security posture.
Use a Unique Password for Every Account
This is the single most important password practice. When a company's database is breached (which happens regularly — to small sites and major platforms alike), attackers obtain usernames and passwords in bulk and test them across other services immediately. If your email password is the same as your banking password, a breach at a forum you signed up for years ago can expose your finances. Use a different password for every site and service.
Use a Password Manager
Maintaining unique passwords for dozens of accounts is only feasible if you use a password manager. Good password managers (Bitwarden, 1Password, KeePass) generate strong random passwords and store them securely, so you only need to remember one master password. Most autofill credentials into login forms, eliminating the need to type passwords manually. A password manager is not a security risk — it is a significant security improvement over the alternative of reusing simple passwords or writing them down.
Make Passwords Long and Random
Length is more important than complexity. A random 16-character password using only lowercase letters (26^16 ≈ 43 bits of entropy per character set, ~104 bits total) is stronger than a carefully crafted 10-character password mixing cases, numbers, and symbols. Use the Password Generator to create genuinely random passwords of 16+ characters. Avoid patterns, phrases, or personal information — attackers use wordlists and rules-based cracking that exploit predictable choices.
Enable Two-Factor Authentication (2FA)
Two-factor authentication requires a second verification step (a code from an authenticator app, a hardware key, or a one-time SMS code) in addition to your password. Even if your password is stolen, an attacker cannot access your account without the second factor. Enable 2FA on every account that supports it — prioritise email, banking, and any account connected to payment methods. Authenticator apps (Google Authenticator, Authy, Microsoft Authenticator) are more secure than SMS-based 2FA, which is vulnerable to SIM-swapping attacks.
Recognise Phishing — Your Password is Only as Safe as How You Enter It
Phishing attacks trick you into entering your credentials on a fake login page that looks like the real site. A strong password offers no protection against phishing because you hand the password to the attacker directly. Before entering a password, check the URL in the address bar carefully — look for the exact domain (google.com, not google-security.com) and ensure the connection is HTTPS. Authenticator apps and hardware security keys are phishing-resistant because they verify the actual website domain; SMS codes are not.
What to Do After a Breach
If a service you use reports a breach, change your password for that service immediately, then check whether you used the same password anywhere else and change those too. Enable 2FA if you have not already. Use a service like Have I Been Pwned (haveibeenpwned.com) to check whether your email address appears in known breach databases. If you receive an email claiming a breach and asking you to click a link, verify it independently rather than clicking — phishing emails often follow real breach news.