Why Password Hygiene Still Matters

Data breaches happen constantly. When a site you use is compromised, the attackers get your email address and password. If you've reused that password elsewhere — and most people have — attackers can use it to access your email, banking, or social media accounts through a technique called credential stuffing. It's automated, fast, and extremely common.

Good password practices won't make you immune to every threat, but they eliminate one of the most common vectors of account compromise entirely.

Step 1: Understand What Makes a Password Strong

A strong password has two essential qualities: it is long and unique.

  • Length — Each additional character dramatically increases the time required to crack a password by brute force. Aim for a minimum of 16 characters.
  • Uniqueness — Every account should have a different password. If one account is compromised, the others remain safe.

Complexity (mixing uppercase, numbers, symbols) helps, but length matters more. A long, random passphrase is harder to crack than a short, complex string.
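To put numbers on the length-versus-complexity claim, here is a small added example (not part of the original article) that estimates the entropy of several password schemes and the expected time to search them. The guess rate of ten billion per second is an assumed figure for an offline attack against a fast hash, and the word list size of 7776 is that of a standard diceware-style list; both are placeholders you can change.

```python
import math

# Added example: rough keyspace comparison, not code from the original article.
# Alphabet sizes are the usual printable-character counts; the word list size
# is that of a standard 7776-word diceware-style list (assumed here).
ALPHABETS = {
    "lowercase": 26,
    "lowercase+digits": 36,
    "mixed case+digits": 62,
    "all printable ASCII": 95,
}
DICEWARE_WORDS = 7776


def password_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of a password drawn uniformly from alphabet_size**length."""
    return length * math.log2(alphabet_size)


def passphrase_bits(word_count: int, wordlist_size: int = DICEWARE_WORDS) -> float:
    """Entropy in bits of word_count words each drawn uniformly from a word list."""
    return word_count * math.log2(wordlist_size)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit the right guess: on average half the keyspace is searched."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def ranked_schemes(guesses_per_second: float = 1e10) -> list[tuple[str, float, float]]:
    """Return (description, bits, expected seconds) for several schemes, strongest first.

    The guess rate is an assumed offline-attack figure; a slow password hash on the
    server side would lower it by orders of magnitude and shift every row.
    """
    rows = []
    for name, size in ALPHABETS.items():
        for length in (8, 12, 16):
            bits = password_bits(length, size)
            rows.append((f"{length} chars, {name}", bits,
                         expected_crack_seconds(bits, guesses_per_second)))
    for words in (4, 5, 6):
        bits = passphrase_bits(words)
        rows.append((f"{words} random words", bits,
                     expected_crack_seconds(bits, guesses_per_second)))
    return sorted(rows, key=lambda r: r[1], reverse=True)


def human_time(seconds: float) -> str:
    """Format a duration coarsely for display."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.0f} {unit}"
    return f"{seconds:.2f} seconds"


if __name__ == "__main__":
    for name, bits, secs in ranked_schemes():
        print(f"{name:32} {bits:6.1f} bits  ~{human_time(secs)}")
```

Running it shows the point of the paragraph: sixteen lowercase letters (about 75 bits) outrank eight characters drawn from every printable symbol (about 53 bits), and four random words from a 7776-word list land close to the latter, with each extra word adding nearly 13 bits.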

Step 2: Use a Password Manager

The honest truth is that no human can memorise dozens of unique, 20-character random passwords. That's why password managers exist. They generate, store, and auto-fill strong passwords for every account — you only need to remember one master password.

When choosing a password manager, look for:

  • End-to-end encryption (your vault is encrypted before it leaves your device)
  • Cross-device syncing (works on your phone and computer)
  • A reputable security track record and regular third-party audits
  • A built-in password generator

Well-regarded options exist across free and paid tiers — research current reviews to find the one that fits your needs and budget.

Step 3: Create a Strong Master Password

Your password manager's master password is critical — it's the one you must memorise and the one that protects everything else. Use a passphrase: a string of four or more random, unrelated words.

For example, correct-horse-staple-battery (the classic illustration, and by now so widely known that it should not itself be used) is long, memorable, and hard to brute-force. Add a number or symbol if the service requires it. Never use a phrase from a book, film, or common saying — those are tested by attackers first.
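The words in a passphrase should be picked by a random process rather than by you, since people gravitate to related or memorable words. The following added example (not from the original article) generates a passphrase with Python's secrets module, which draws from the operating system's cryptographic random source. The word list is a constructed placeholder of forty words; a real generator should use a published list such as the EFF long list, whose 7776-word size is assumed for the entropy figure.

```python
import math
import secrets

# Added example, not from the original article. SAMPLE_WORDS is a constructed
# placeholder; a real generator should draw from a published list such as the
# EFF long list (7776 words), whose size is assumed for the entropy figure.
SAMPLE_WORDS = [
    "anchor", "basket", "candle", "dolphin", "ember", "falcon", "garden", "harbor",
    "island", "jacket", "kettle", "lantern", "meadow", "nickel", "orchard", "pepper",
    "quartz", "ribbon", "saddle", "timber", "umbrella", "velvet", "walnut", "yogurt",
    "zipper", "acorn", "bramble", "cobalt", "dune", "eagle", "fossil", "glacier",
    "hazel", "ivory", "juniper", "kayak", "lagoon", "marble", "nutmeg", "otter",
]
EFF_LONG_LIST_SIZE = 7776


def generate_passphrase(word_count: int = 4, wordlist=SAMPLE_WORDS,
                        separator: str = "-") -> str:
    """Pick word_count words uniformly with the OS CSPRNG (secrets), never random.choice."""
    if word_count < 4:
        raise ValueError("use at least four words")
    return separator.join(secrets.choice(wordlist) for _ in range(word_count))


def passphrase_entropy_bits(word_count: int, wordlist_size: int) -> float:
    """Bits of entropy when every word is chosen independently and uniformly."""
    return word_count * math.log2(wordlist_size)


def add_required_character(passphrase: str, require_digit: bool = False) -> str:
    """Append one random digit only when a service demands it; the words carry the strength."""
    if require_digit:
        return f"{passphrase}{secrets.randbelow(10)}"
    return passphrase


if __name__ == "__main__":
    phrase = generate_passphrase(5)
    print(phrase)
    print(f"{passphrase_entropy_bits(5, EFF_LONG_LIST_SIZE):.1f} bits with a 7776-word list")
```

With the full-size list, five words give about 65 bits and six about 78 bits, comfortably above a typical twelve-character random password and far easier to type from memory.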

Step 4: Enable Two-Factor Authentication (2FA)

Two-factor authentication adds a second verification step when logging in — usually a code from an app or sent by SMS. Even if an attacker has your password, they can't get in without the second factor.

  1. Enable 2FA on your email account first — it's the key to resetting everything else.
  2. Then enable it on your password manager.
  3. Then on banking, social media, and any other important accounts.

An authenticator app is more secure than SMS: an attacker who takes over your phone number through a SIM-swap receives the SMS codes instead of you, whereas the app's secret never leaves your device.

Step 5: Audit Your Existing Passwords

Once you have a password manager, import or manually add your existing accounts. Most password managers include a built-in audit tool that flags:

  • Reused passwords
  • Weak or short passwords
  • Passwords found in known data breaches

Work through the flagged accounts systematically, replacing each one with a generated password from your manager. You don't have to do it all at once — prioritise email, banking, and accounts that hold payment information.
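The three checks an audit tool performs are simple to state, and the breach check in particular deserves a closer look: a well-designed tool never sends your password, or even its full hash, to the breach service. The following added example (not code from the original article or from any particular password manager) audits a constructed sample vault for reuse, short length and breach exposure, and simulates the k-anonymity range lookup used by the public Pwned Passwords API, where only the first five hex characters of the SHA-1 hash leave the device. The vault entries and the breach corpus are constructed sample data, and the account-name keywords used for prioritisation are an assumption.

```python
import hashlib
from collections import Counter

# Added example, not code from the original article or any password manager.
# SAMPLE_VAULT and BREACH_CORPUS are constructed sample data.
SAMPLE_VAULT = [
    ("mail@example.com", "Tr0ub4dor&3"),
    ("bank.example", "Tr0ub4dor&3"),
    ("forum.example", "password"),
    ("shop.example", "vR8#kLm2pQ9!xZw4tB7n"),
]

# Stand-in for a breached-password service: uppercase hex SHA-1 of leaked
# passwords, the form the public Pwned Passwords range API serves.
BREACH_CORPUS = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password", "123456", "qwerty", "letmein", "iloveyou")
}

# Assumed keywords marking the accounts the article says to fix first.
PRIORITY_KEYWORDS = ("mail", "bank", "pay", "shop")


def range_query(prefix: str) -> set[str]:
    """Simulates the k-anonymity range endpoint: the caller sends only the first five
    hex characters of the hash and receives every stored suffix under that prefix,
    so the service never learns which password (or full hash) was being checked."""
    assert len(prefix) == 5
    return {h[5:] for h in BREACH_CORPUS if h.startswith(prefix)}


def is_breached(password: str) -> bool:
    """Hash locally, query by prefix, and match the suffix on the client side."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return suffix in range_query(prefix)


def audit_vault(vault, min_length: int = 16) -> dict[str, list[str]]:
    """Return {account: [issues]} flagging reused, short and breached passwords."""
    uses = Counter(pw for _, pw in vault)
    report = {}
    for account, pw in vault:
        issues = []
        if uses[pw] > 1:
            issues.append("reused")
        if len(pw) < min_length:
            issues.append("short")
        if is_breached(pw):
            issues.append("breached")
        report[account] = issues
    return report


def fix_order(report: dict) -> list[str]:
    """Flagged accounts, most urgent first: priority categories, then by issue count."""
    flagged = [a for a, issues in report.items() if issues]

    def rank(account):
        priority = 0 if any(k in account for k in PRIORITY_KEYWORDS) else 1
        return (priority, -len(report[account]), account)

    return sorted(flagged, key=rank)


if __name__ == "__main__":
    result = audit_vault(SAMPLE_VAULT)
    for account in fix_order(result):
        print(f"{account:20} {', '.join(result[account])}")
```

In the sample vault the reused eleven-character password on the mail and bank accounts and the breached forum password are flagged, while the twenty-character generated password passes; the same logic applied to a real vault export gives you the prioritised worklist the paragraph describes.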

Quick Reference Checklist

  • ☑ Use a password manager
  • ☑ Generate unique passwords for every account (16+ characters)
  • ☑ Memorise a strong passphrase as your master password
  • ☑ Enable 2FA on all important accounts
  • ☑ Audit and replace weak or reused passwords
  • ☑ Never share passwords via email or text