01 Why Passwords Still Matter
Even with 2FA on every account, your password is the first barrier an attacker must break. If it falls, they may still gain access through session hijacking, social engineering, or services that don't support 2FA.
The reuse problem
The average person reuses 5–7 passwords across dozens of accounts. When one site is breached, attackers run those credentials against every other major service automatically — a technique called credential stuffing. One breach becomes many.
02 The Modern Rules for Strong Passwords
The old rules — forced complexity, mandatory 90-day expiry — have been retired by security experts. Here is what actually works in 2026:
Do
- Length first. 16–25+ characters minimum. Length beats complexity every time.
- Use passphrases for anything you type manually — multiple random words are strong and memorable.
- Make every account unique. No password appears on more than one account.
- Use a password manager to generate and store truly random passwords.
- Change passwords only when there is a reason — breach alert, suspected compromise, or sharing ended.
Don't
- Use names, birthdays, pet names, sports teams, or any personal info.
- Use predictable substitutions — P@ssw0rd is the first pattern crackers try.
- Reuse the same password or minor variations (Password1, Password2, Password1!).
- Write passwords on paper, sticky notes, or unencrypted text files.
- Use any single dictionary word alone — dictionary attacks cover millions of words.
Good Passphrase Examples
Passphrases are ideal for your master password — the one you must memorise. For everything else, let a password manager generate a truly random string.
03 Password Strength Comparison
How different password types perform against modern cracking methods.
| Example Password | Length | Type | Time to Crack |
|---|---|---|---|
| password | 8 | Dictionary word | Instant |
| P@ssw0rd1 | 9 | Predictable substitution | Seconds |
| Tr0ub4dor&3 | 11 | Complex but short | Hours–Days |
| BlueSkyRainyDay | 15 | Passphrase (no symbols) | Years |
| BlueSky@RainyDay#2025 | 21 | Passphrase (with symbols) | Centuries |
| X7$pL9#kM2@vQ8&nR4%tY6 | 22 | Random generated | Heat death of universe |
04 Password Generator
Generate a secure password or passphrase right now. Everything runs locally in your browser — no data is sent anywhere.
Privacy guaranteed
This generator runs entirely in your browser using the crypto.getRandomValues() API — cryptographically secure, no network requests, nothing stored or transmitted. You can go offline and it will still work.
05 Password Managers: Which to Choose
A password manager generates unique, random passwords for every account, auto-fills them, and alerts you to breaches — removing the impossible burden of memorising dozens of strong passwords.
Best overall for most people. Fully open-source and audited. Free tier covers all core features across unlimited devices.
- Cross-platform (all devices)
- Built-in TOTP (premium)
- Breach monitoring
- Self-host option
Premium experience with excellent family/team sharing, Travel Mode, and Watchtower breach alerts.
- Travel Mode (hide vaults)
- Watchtower breach monitor
- Passkey support
- Family plans available
From the Proton privacy ecosystem. Open-source with end-to-end encryption and email alias generation.
- End-to-end encrypted
- Email alias hide-my-email
- Open-source
- Integrated with Proton suite
Apple Keychain, Google Password Manager, Microsoft Edge. Good if you stay within one ecosystem — better than nothing.
- Zero setup cost
- Deep OS/browser integration
- Limited cross-ecosystem use
- Fewer advanced features
Enable these features after installing
Auto-fill, breach monitoring alerts, the built-in password generator, and TOTP/2FA storage if available. Most managers also support secure password sharing — useful for family accounts or team credentials.
06 Complete Management Workflow
Once your manager is set up, follow this ongoing workflow to stay on top of your password health.
| Task | How to Do It | Frequency |
|---|---|---|
| Create new passwords | Use the manager's built-in generator — never type your own | Every new account |
| Update weak passwords | Start with email → banking → social media → everything else | Prioritise now, ongoing |
| Check for breaches | Use HaveIBeenPwned.com or the manager's built-in checker | Monthly |
| Audit saved passwords | Review health dashboard for duplicates, reused, or weak passwords | Every 3–6 months |
| Export encrypted backup | Export vault and store in an encrypted, safe offline location | After major changes |
07 Advanced Tips: Passkeys & Diceware
Passkeys — Better Than Passwords
Passkeys are cryptographic key pairs that replace passwords entirely. You authenticate with biometrics or your device PIN — there is no password to steal or enter on a fake site. They are phishing-resistant by design.
Major services already supporting passkeys include Google, Apple, Microsoft, GitHub, and PayPal. Look for "Sign in with a passkey" in security settings and enable it wherever available.
The Diceware Method
Diceware generates a provably random passphrase using physical dice and a public word list — trustworthy even if you distrust software. Roll five dice, read the 5-digit result, and look it up in the Diceware word list. Repeat once per word. Six words give ~77 bits of entropy — effectively uncrackable.
Password + 2FA is the combination
Strong passwords and 2FA work together — neither substitutes for the other. See our 2FA setup guide if you haven't enabled it yet.
08 Transition Plan (Starting from Scratch)
Switching to a password manager feels daunting. This four-week plan makes it manageable without disrupting daily access.
1. Choose Bitwarden (recommended) and create your master password — a strong passphrase of 20+ characters you must memorise. Enable 2FA on the manager itself before anything else. Use the passphrase generator above to create your master password.
2. Change passwords on email, banking, and your password manager account. Generate new, random passwords with the manager for each. Confirm you can log in before closing the tab. Save backup codes.
3. Work through social media, work accounts, cloud storage, and any site with saved payment info. Use the manager's password health dashboard to identify reused or weak passwords and replace them.
4. Every new account gets a manager-generated password. When you log into old accounts you haven't updated yet, change the password at that moment. Within a few months every account will have a strong, unique credential.
Master password rule
Your master password must be long (20+ characters), unique (never used elsewhere), and memorised — not stored in the manager itself. Write it on paper and store it somewhere physically secure as a last resort backup.
09 Common Mistakes to Avoid
| Mistake | Fix |
|---|---|
| Reusing the same password everywhere or using slight variations | Use a manager to generate a completely unique password for every account |
| Thinking "no one would target me" — credential stuffing is automated | Enable breach monitoring and act on alerts within 24 hours |
| Relying on browser-saved passwords without a dedicated manager | Use a dedicated password manager with its own strong master password |
| Ignoring breach notifications from your manager or HaveIBeenPwned | Set a monthly reminder to check HaveIBeenPwned if your manager lacks monitoring |
| Storing passwords in plain text files, spreadsheets, or note apps | Store everything encrypted inside your password manager vault |
Passwords Under Control
Once your manager is set up and critical accounts are updated, password security becomes effortless. Most people who make the switch say it actually saves time.