Creating, managing, and protecting the keys to your digital life.
Why Passwords Matter
Your password is often the only thing between an attacker and your accounts. A weak or reused password is like using the same flimsy lock on your house, car, and bank vault.
| Password Problem | Real-World Consequence |
|---|---|
| Weak password | Cracked in seconds to minutes |
| Reused password | One breach compromises everything |
| Written on sticky note | Anyone with access can see it |
| Shared with others | No accountability or control |
| Never changed after breach | Attacker retains access |
What Makes a Password Strong
Length vs. Complexity
Length matters more than complexity:
| Password | Strength | Time to Crack |
|---|---|---|
| P@ssw0rd | Terrible | Seconds |
| MyDog2020! | Bad | Minutes |
| K7$mP2@nQ9! | Moderate | Hours to days |
| correcthorsebatterystaple | Good | Years |
| Hk8$mN2@pL5!xR9wQj7 | Excellent | Centuries |
Key insight: A 20-character password with just lowercase letters is stronger than an 8-character password with symbols.
| Factor | Impact on Security |
|---|---|
| Length | Exponential increase per character |
| Character variety | Increases possible combinations |
| Randomness | Prevents dictionary attacks |
| Uniqueness | Limits breach damage |
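To make the length-versus-complexity claim concrete, here is an added entropy calculator (example code written for this guide, not from any password manager). It assumes passwords drawn uniformly at random from the stated character set and an assumed offline attack rate of 1e10 guesses per second; human-chosen passwords are weaker than this bound, and slow hashes such as bcrypt cut the rate by orders of magnitude.

```python
import math

# Character-set sizes for the estimates below. Assumption: the password is
# drawn uniformly at random from the set; human-chosen passwords are weaker.
CHARSET_SIZES = {
    "lowercase": 26,
    "lowercase+digits": 36,
    "mixed case+digits": 62,
    "all printable ASCII": 95,
}

# Assumed offline attack rate (GPU rig against a fast, unsalted hash).
GUESSES_PER_SECOND = 1e10


def entropy_bits(length: int, charset_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(charset_size)


def expected_crack_seconds(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """On average the attacker hits the password after half the keyspace."""
    return (2.0 ** bits) / 2.0 / rate


def human_duration(seconds: float) -> str:
    """Render a duration using the largest unit that fits."""
    units = [("years", 365 * 86400), ("days", 86400), ("hours", 3600),
             ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3f} seconds"


def compare(length: int, charset: str) -> dict:
    """Summarise a length/charset choice as entropy and expected crack time."""
    bits = entropy_bits(length, CHARSET_SIZES[charset])
    secs = expected_crack_seconds(bits)
    return {"length": length, "charset": charset, "bits": round(bits, 1),
            "crack_time": human_duration(secs), "crack_seconds": secs}


if __name__ == "__main__":
    # The guide's claim: 20 lowercase characters beat 8 characters with symbols.
    for spec in [(8, "all printable ASCII"), (20, "lowercase"),
                 (16, "all printable ASCII")]:
        print(compare(*spec))
```

Running it shows roughly 52.6 bits (days at the assumed rate) for the 8-character symbol password against roughly 94 bits (billions of years) for 20 lowercase letters.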
Bad Password Patterns
Attackers know these patterns:
| Pattern | Examples | Why It's Weak |
|---|---|---|
| Dictionary words | password, welcome | First thing attackers try |
| Name + numbers | John1990, Mike2024 | Easily researched |
| Keyboard patterns | qwerty, 123456 | Well-known sequences |
| Simple substitutions | p@ssw0rd, h3llo | Attackers test these |
| Personal info | Birthday, pet name | Found on social media |
| Season + year | Summer2024!, Winter2023 | Common corporate pattern |
Password Managers
You cannot remember strong, unique passwords for dozens of accounts. Use a password manager.
How Password Managers Work
- Generate random, strong passwords for each account
- Store them in an encrypted vault
- Auto-fill passwords in browsers and apps
- Sync across your devices
- You remember one master password
Recommended Password Managers
| Manager | Price | Best For |
|---|---|---|
| 1Password | $3/month | Families, ease of use |
| Bitwarden | Free / $10/year | Budget-conscious, open source |
| Dashlane | $5/month | Extra features (VPN, dark web monitoring) |
| KeePassXC | Free | Technical users, local-only storage |
Setting Up a Password Manager
- Choose your manager - Any reputable one is better than none
- Create master password - Make it very strong and memorable
- Install everywhere - Browser extensions, phone apps, desktop
- Import existing passwords - Start from browser or old manager
- Audit and replace - Change weak and reused passwords
- Enable 2FA on the manager - Protect the master vault
Master Password Strategy
Your master password must be:
- Memorable (you can't store it in the manager)
- Long (16+ characters minimum)
- Unique (never used anywhere else)
- Resistant to guessing
Passphrase method:
| Step | Example |
|---|---|
| Pick 4-5 random words | correct horse battery staple |
| Add personal twist | Correct-Horse-Battery-STAPLE-42 |
| Make it memorable | Create a mental image |
Never forget this password. Consider a secure physical backup.
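The two kinds of secret this guide asks you to generate, a random vault password (How Password Managers Work) and a random-word master passphrase (Passphrase method), are shown below in one added example written for this guide, not code from any listed manager. It uses Python's `secrets` module, the CSPRNG, rather than `random`; the 32-word list is a constructed stand-in for a real diceware list (the EFF list has 7776 words, about 12.9 bits per word), and the entropy figures assume every word or character is chosen uniformly.

```python
import math
import secrets
import string

# Constructed mini word list for the demo (32 words = 5 bits per word).
# A real list such as the EFF diceware list has 7776 words (~12.9 bits/word).
WORDLIST = ["correct", "horse", "battery", "staple", "anchor", "basket",
            "canyon", "dolphin", "ember", "falcon", "garden", "harbor",
            "island", "jungle", "kettle", "lantern", "meadow", "nickel",
            "orbit", "pepper", "quartz", "ripple", "saddle", "timber",
            "umbrella", "velvet", "walnut", "yonder", "zephyr", "cobalt",
            "drizzle", "fossil"]

# 52 letters + 10 digits + 32 punctuation marks = 94 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Random password for a vault entry. secrets.choice is the CSPRNG path."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(n_words: int = 5, words=WORDLIST, sep: str = "-") -> str:
    """Master-password style passphrase: n random words joined by a separator.
    With a truly random pick there is no need for a 'personal twist'."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def entropy_bits(n_choices: int, pool_size: int) -> float:
    """Entropy of n independent uniform choices from a pool: n * log2(pool)."""
    return n_choices * math.log2(pool_size)


if __name__ == "__main__":
    pw = generate_password()
    pp = generate_passphrase()
    print(pw, round(entropy_bits(len(pw), len(ALPHABET)), 1), "bits")
    print(pp, round(entropy_bits(5, len(WORDLIST)), 1), "bits (demo list)")
    print("5 words from a 7776-word list:",
          round(entropy_bits(5, 7776), 1), "bits")
```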
Password Hygiene
The Golden Rules
| Rule | Reason |
|---|---|
| One password per account | Breach containment |
| Minimum 16 characters | Cracking resistance |
| Randomly generated | No patterns to exploit |
| Never share passwords | Accountability and security |
| Change after any breach | Remove attacker access |
When to Change Passwords
| Situation | Action |
|---|---|
| Account in known breach | Change immediately |
| Shared with ex-partner | Change immediately |
| Suspicion of compromise | Change immediately |
| Regular schedule | Not necessary with unique passwords |
| Company policy requires | Comply, but use password manager |
Password Security Questions
Security questions are effectively backup passwords. Treat them that way:
| Bad Approach | Better Approach |
|---|---|
| Real mother's maiden name | Random answer stored in manager |
| Actual first car | Unrelated word or phrase |
| Real hometown | Nonsense answer you can retrieve |
Why: Answers to real questions can be researched or guessed.
Checking for Compromises
Have I Been Pwned
Visit haveibeenpwned.com to check if your email appears in known breaches:
- Enter your email address
- See list of breaches containing your data
- For each breach, change that password
- If password was reused, change everywhere
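The site check above works on your email address. The same service also exposes a Pwned Passwords range API that lets you test a password without sending it: the client hashes the password with SHA-1, sends only the first five hex characters, and compares the returned suffixes locally (k-anonymity). The example below is added for this guide, not the site's own client code; the network lookup calls the real `https://api.pwnedpasswords.com/range/` endpoint, while `fake_lookup` is a constructed offline stand-in with made-up counts so the code runs without a connection.

```python
import hashlib
from typing import Callable
from urllib.request import Request, urlopen

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def hibp_range_lookup(prefix: str) -> str:
    """Fetch the live range response for a 5-hex-char SHA-1 prefix (needs network)."""
    req = Request(RANGE_URL + prefix,
                  headers={"User-Agent": "password-guide-example"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def parse_range_response(text: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}."""
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str,
                lookup: Callable[[str], str] = hibp_range_lookup) -> int:
    """How often the password appears in the breach corpus (0 = not found).
    Only the 5-char hash prefix leaves the client; the full hash never does."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return parse_range_response(lookup(prefix)).get(suffix, 0)


# Constructed offline stand-in for the service; counts are made up.
_FAKE_CORPUS = {"password": 1000, "123456": 500, "qwerty": 250}


def fake_lookup(prefix: str) -> str:
    """Answer like the real API: every suffix in the corpus sharing this prefix."""
    lines = []
    for pw, n in _FAKE_CORPUS.items():
        h = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
        if h.startswith(prefix):
            lines.append(f"{h[5:]}:{n}")
    return "\r\n".join(lines)


if __name__ == "__main__":
    for candidate in ["password", "correct-horse-battery-staple-demo"]:
        print(candidate, "->", pwned_count(candidate, fake_lookup))
```

Replace `fake_lookup` with the default `hibp_range_lookup` to query the live service; a non-zero count means the password has appeared in a breach and should be changed everywhere it was used.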
Signs Your Password May Be Compromised
| Warning Sign | What to Do |
|---|---|
| Login notification you didn't trigger | Change password, check account activity |
| Password reset email you didn't request | Change password, enable 2FA |
| Account locked for failed attempts | Someone is trying to get in |
| Unknown devices in account settings | Remove them, change password |
| Friends receive spam "from you" | Account likely compromised |
Special Cases
Shared Accounts
For accounts that must be shared (family Netflix, etc.):
| Do | Don't |
|---|---|
| Use password manager sharing feature | Text or email passwords |
| Create dedicated shared vault | Reuse passwords from personal accounts |
| Update when sharing ends | Use guessable passwords for convenience |
Work vs. Personal
| Recommendation | Reason |
|---|---|
| Separate password managers | Company may have access to work manager |
| Never reuse between work/personal | Breach at one doesn't affect other |
| Follow company security policies | Legal and professional obligation |
Device Passwords and PINs
| Device | Minimum Recommendation |
|---|---|
| Computer login | 12+ character password |
| Phone unlock | 6-digit PIN minimum (biometric + PIN ideal) |
| Tablet | Same as phone |
| Smart home hub | Unique, strong password |
WiFi Passwords
| Recommendation | Reason |
|---|---|
| WPA3 or WPA2 only | Older protocols are broken |
| 20+ random characters | Networks are long-term targets |
| Change if shared widely | Limit who has access |
| Guest network for visitors | Don't share main password |
Common Password Mistakes
| Mistake | Why It's Dangerous |
|---|---|
| Using browser's "remember" without master password | Anyone with device access can see passwords |
| Storing in notes app | Usually not encrypted |
| Emailing passwords | Email isn't secure |
| Using same password "with variations" | Easily guessed from one known password |
| Password hints that reveal password | Defeats the purpose |
| Not logging out of shared computers | Next user has your access |
Password Recovery
Setting Up Account Recovery
| Recovery Option | Security Level | Convenience |
|---|---|---|
| Backup codes (save in manager) | High | Moderate |
| Recovery email (secured with 2FA) | Good | Good |
| Phone number | Moderate (SIM swap risk) | Very easy |
| Security questions | Low | Easy |
What If You're Locked Out
- Use recovery codes if you saved them
- Try recovery email - ensure that account is also secure
- Contact support - prepare identity verification
- Learn from it - set up better recovery options
Password Manager Emergency Access
What happens to your passwords if you're incapacitated?
| Manager | Emergency Access Feature |
|---|---|
| 1Password | Shared vaults, emergency kit |
| Bitwarden | Emergency access contacts |
| Dashlane | Emergency contact feature |
| KeePassXC | Share vault file + password |
Plan ahead: Document how trusted family members can access critical accounts.
Transitioning to a Password Manager
Phase 1: Critical Accounts (Week 1)
| Account Type | Action |
|---|---|
| Email (primary) | Add to manager, enable 2FA |
| Bank/Financial | Add to manager, enable 2FA |
| Password manager itself | Strong master password, 2FA |
Phase 2: Important Accounts (Week 2-3)
| Account Type | Action |
|---|---|
| Social media | Add to manager, update to unique password |
| Shopping sites | Add to manager, especially if card stored |
| Cloud storage | Add to manager, enable 2FA |
Phase 3: Everything Else (Ongoing)
- Add accounts as you use them
- Generate new password when adding to manager
- Audit for old reused passwords
- Delete unused accounts
Key Takeaways
- Length beats complexity - 20 characters of lowercase is better than 8 characters with symbols
- Never reuse passwords - One breach should never compromise multiple accounts
- Use a password manager - You cannot remember good passwords for all your accounts
- Master password is critical - Make it strong, memorable, and unique
- Check haveibeenpwned.com - Know if your credentials are in breaches
- Security questions need random answers - Store fake answers in your manager
- Set up account recovery - Don't get locked out of important accounts
- Plan for emergencies - Trusted family should be able to access critical accounts
- Transition gradually - Start with critical accounts, then expand
- Generate, don't create - Let the password manager create passwords for you