Why Password Security Still Matters
Data breaches happen constantly. Millions of usernames and passwords are leaked every year, ending up for sale on the dark web and used in automated attacks called credential stuffing. The good news: a few straightforward habits dramatically reduce your risk, and you don't need to be a cybersecurity expert to implement them.
What Makes a Password Weak?
Before building good habits, it helps to understand common mistakes. Weak passwords share these traits:
- Short length (under 10 characters)
- Common words or phrases ("password", "letmein", "welcome")
- Personal information (birthdays, names, pet names)
- Simple character substitutions (p@ssw0rd — password-cracking tools try these well-known swaps automatically)
- Reused across multiple accounts
If any of your passwords fit these descriptions, they're worth changing today.
What Makes a Password Strong?
Modern security guidance from organisations like the National Institute of Standards and Technology (NIST) emphasises length over complexity. A long passphrase made of random words is both easier to remember and harder to crack than a short string of symbols.
The Passphrase Approach
Instead of Tr0ub4dor&3, consider something like correct-horse-battery-staple. This approach:
- Is significantly longer (more entropy)
- Is far easier to remember
- Is harder for automated tools to crack
Key Characteristics of a Strong Password
- Length: At least 12–16 characters; longer is better.
- Randomness: Avoid patterns or predictable structures.
- Uniqueness: Every account gets its own password — no exceptions.
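As an added illustration (not part of the original article), the Python script below turns the weak-password traits listed earlier and the passphrase argument into code: a heuristic checker that undoes the usual letter-for-symbol swaps before comparing against a list of leaked passwords, and an entropy calculation showing how many random words match a 12-character random password. The word list and the set of common passwords are short, constructed stand-ins for the real lists.

```python
import math
import re
import secrets

# Constructed stand-ins: a few entries of the kind found in leaked-password lists,
# and a short diceware-style word list (a real one has 7776 words).
COMMON_PASSWORDS = {"password", "letmein", "welcome", "qwerty", "123456"}
WORDLIST = ["correct", "horse", "battery", "staple", "cloud", "lantern", "pepper", "river"]

# Undo the usual digit/symbol substitutions so "p@ssw0rd" is judged as "password".
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "$": "s", "7": "t"})


def weaknesses(password: str) -> list[str]:
    """Return the weak-password traits (from the list above) that this password shows."""
    found = []
    if len(password) < 10:
        found.append("short")
    letters = re.sub(r"[^a-z]", "", password.lower())
    normalised = re.sub(r"[^a-z]", "", password.lower().translate(LEET))
    if normalised in COMMON_PASSWORDS:
        # A dictionary word stays a dictionary word whether or not it wears l33t-speak.
        found.append("common word" if letters == normalised else "simple substitution of a common word")
    return found


def entropy_bits(choices: int, length: int) -> float:
    """Entropy of a uniformly random string of `length` symbols drawn from `choices` options."""
    return length * math.log2(choices)


def words_needed(wordlist_size: int, target_bits: float) -> int:
    """Smallest number of random words from a list of this size that reaches target_bits."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def generate_passphrase(words: int, wordlist: list[str] = WORDLIST, sep: str = "-") -> str:
    """Pick words with a CSPRNG; the result carries words * log2(len(wordlist)) bits of entropy."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    for pw in ["p@ssw0rd", "Welcome", "correct-horse-battery-staple"]:
        print(f"{pw:30} {weaknesses(pw) or 'no listed weakness'}")
    random12 = entropy_bits(95, 12)  # 12 random printable ASCII characters
    print(f"12 random chars: {random12:.1f} bits; matching that needs "
          f"{words_needed(7776, random12)} diceware words")
    print("4 random words from a 7776-word list:", f"{entropy_bits(7776, 4):.1f} bits")
    print("example passphrase:", generate_passphrase(6))
```

The checker is deliberately a heuristic: a password it does not flag is not thereby strong, which is why the article's advice is to let a password manager generate random ones rather than to grade hand-made ones.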
Use a Password Manager
The most common objection to strong, unique passwords is: "I can't remember all of those." That's exactly what a password manager is for.
A password manager stores all your passwords in an encrypted vault, protected by a single strong master password. You only need to remember one. It also:
- Generates truly random strong passwords for you
- Auto-fills login forms across devices
- Alerts you when a stored password appears in a known breach
- Works across browsers and mobile apps
Well-known options include Bitwarden (open source and free), 1Password, and Dashlane. Using any reputable password manager is a significant upgrade over reusing a handful of memorable passwords.
Enable Two-Factor Authentication (2FA)
Even the strongest password can be compromised. Two-factor authentication (2FA) adds a second layer — typically a time-sensitive code from an app or a text message — so that a stolen password alone isn't enough to access your account.
Prioritise enabling 2FA on your most sensitive accounts first:
- Email (your email is the master key to most other accounts)
- Banking and financial services
- Social media accounts
- Cloud storage (Google Drive, iCloud, Dropbox)
- Work tools and communication platforms
Authenticator apps (like Google Authenticator or Authy) are more secure than SMS codes, though even SMS-based 2FA is far better than none.
Check if Your Passwords Have Been Compromised
The website Have I Been Pwned (haveibeenpwned.com) lets you check whether your email address appears in known data breaches. If it does, change the password for the affected service immediately — and any other account where you used the same password.
Quick Security Checklist
- ☑ Use unique passwords for every account
- ☑ Make passwords at least 12–16 characters long
- ☑ Use a password manager to generate and store them
- ☑ Enable 2FA on all critical accounts
- ☑ Check your email on Have I Been Pwned
- ☑ Change passwords after any known breach
Final Thoughts
Online security doesn't have to be overwhelming. Start with a password manager and 2FA on your email, and you'll have addressed the vast majority of your risk. These simple steps take less than an hour to set up and provide lasting protection.