- 🔑
Use a password manager. Tools like Bitwarden, 1Password, or KeePass generate and store unique passwords for every site. You only need to memorize one strong master password.
- 📏
Length beats complexity. A random 20-character lowercase password has 26^20 possibilities (about 94 bits of entropy); a random 8-character password drawn from all 95 printable ASCII characters has only 95^8 (about 53 bits). Aim for at least 16 characters, and let the password manager pick them at random rather than typing a sentence you know.
- 🔁
Never reuse passwords. Data breaches happen constantly. If you reuse a password, one breach compromises all your accounts (credential stuffing).
- 📲
Enable two-factor authentication (2FA). Even if your password leaks, an attacker still needs the second factor. Prefer an authenticator app (TOTP) over SMS, which can be intercepted by SIM swapping. A TOTP code can still be phished by a site that relays it in real time; a hardware security key (FIDO2/WebAuthn) is bound to the site's origin and resists that, so use one for your most important accounts when it is offered.
- 🚫
Avoid dictionary words alone. Attackers run wordlist attacks first: cracking tools take every entry in a leaked-password list and apply mangling rules (capitalize, swap a for @ and o for 0, append a digit or a year). A single word, a name, or a common phrase with letter substitutions (p@ssw0rd, P@ssw0rd1) is therefore cracked in seconds, not hours.
- 🔒
Use a passphrase for memorizable secrets. Four to six words chosen at random from a diceware list (7,776 words, about 12.9 bits per word) are both memorable and very strong: six words give roughly 77 bits, ideal for master passwords or disk encryption. The words must come from dice or a cryptographic random generator, not from your head, or the entropy estimate no longer holds.
- 📧
Use unique email aliases per service. Services like SimpleLogin or Apple Hide My Email let you know exactly which site leaked your address.
- 🕵️
Check Have I Been Pwned. Regularly search haveibeenpwned.com to see whether your email address has appeared in known breaches, and use its Pwned Passwords lookup for passwords. The password check is safe to use because only the first five characters of the password's SHA-1 hash are sent; the site never sees the password or its full hash.
- ⚡
Change compromised passwords immediately. If a site you use announces a breach, change that password (and any reused copies) right away.
- 🖥️
Never type passwords on untrusted devices. Public computers, shared kiosks, or unfamiliar devices may have keyloggers. Use your own device whenever possible.
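The entropy arithmetic behind the "length beats complexity" and diceware tips, together with a generator that picks passwords and passphrases the way a password manager or a set of dice does, as an added example that is not part of the original page. The tiny word list is constructed for the offline demo; the entropy of a real passphrase depends on drawing from the full 7,776-word list.

```python
import math
import secrets
import string

# 94 printable ASCII characters excluding space (letters, digits, punctuation).
PRINTABLE = string.ascii_letters + string.digits + string.punctuation
LOWERCASE = string.ascii_lowercase

# Size of the standard diceware word list: five dice give 6^5 outcomes.
DICEWARE_LIST_SIZE = 7776

# Constructed stand-in word list for the offline demo. A real passphrase must
# draw from the full 7,776-word list; entropy per word is log2(len(wordlist)),
# so this toy list gives only 3 bits per word.
SAMPLE_WORDLIST = ["apple", "banjo", "cobalt", "dune", "ember", "fjord", "glyph", "harbor"]


def entropy_bits(charset_size: int, length: int) -> float:
    """Entropy of `length` independent uniform picks from `charset_size` symbols."""
    return length * math.log2(charset_size)


def random_password(length: int = 20, alphabet: str = PRINTABLE) -> str:
    """Generate a password with the CSPRNG in `secrets` (never the `random` module)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def diceware_passphrase(words: int = 6, wordlist=SAMPLE_WORDLIST, sep: str = "-") -> str:
    """Pick `words` entries uniformly at random; secrets.choice is the software equivalent of rolling dice."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def compare_strengths() -> dict:
    """Entropy, in bits, of the three cases the tips above discuss."""
    return {
        "20 lowercase": entropy_bits(len(LOWERCASE), 20),
        "8 printable": entropy_bits(95, 8),  # 95 = the 94 characters above plus space
        "6 diceware words": entropy_bits(DICEWARE_LIST_SIZE, 6),
    }


if __name__ == "__main__":
    for name, bits in compare_strengths().items():
        print(f"{name:>18}: {bits:5.1f} bits")
    print("password  :", random_password())
    print("passphrase:", diceware_passphrase())
```

The comparison only holds for secrets that are actually uniform: a 20-letter password that is a sentence, or a passphrase whose words you chose yourself, has far fewer bits than the formula reports.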
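Why p@ssw0rd falls in seconds: a small rule-based cracker, added here as an example and not part of the original page, that applies the capitalization, leet-substitution and suffix rules hashcat-style tools use to each wordlist entry and compares hashes. The five-word wordlist and the list of suffixes are constructed for the demo; a real attack runs the same rules over millions of leaked passwords. The target is an unsalted SHA-256, standing in for a leaked hash.

```python
import hashlib
import itertools
from typing import Iterator, Optional, Tuple

# Constructed mini wordlist; real attacks use multi-million-entry leaked lists.
WORDLIST = ["password", "welcome", "dragon", "letmein", "sunshine"]

# Leet substitutions, applied in every combination (the a->@, o->0 of p@ssw0rd).
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}

# Common suffixes people append to satisfy "add a number or symbol" policies.
SUFFIXES = ["", "1", "123", "!", "1!", "2024"]


def mangle(word: str) -> Iterator[str]:
    """Yield the variants a rule-based cracker derives from one wordlist entry."""
    seen = set()
    for base in (word, word.capitalize(), word.upper()):
        keys = [k for k in LEET if k in base.lower()]
        # Every subset of applicable substitutions: p@ssword, passw0rd, p@ssw0rd, ...
        for r in range(len(keys) + 1):
            for subset in itertools.combinations(keys, r):
                variant = base
                for k in subset:
                    variant = variant.replace(k, LEET[k]).replace(k.upper(), LEET[k])
                for suffix in SUFFIXES:
                    cand = variant + suffix
                    if cand not in seen:
                        seen.add(cand)
                        yield cand


def sha256_hex(s: str) -> str:
    return hashlib.sha256(s.encode("utf-8")).hexdigest()


def crack(target_hash: str, wordlist=WORDLIST) -> Tuple[Optional[str], int]:
    """Return (plaintext, candidates tried), or (None, tried) if no rule reaches it."""
    tried = 0
    for word in wordlist:
        for cand in mangle(word):
            tried += 1
            if sha256_hex(cand) == target_hash:
                return cand, tried
    return None, tried


if __name__ == "__main__":
    for secret in ("p@ssw0rd", "P@ssw0rd1", "Dragon2024", "cobalt-ember-fjord-glyph"):
        found, n = crack(sha256_hex(secret))
        print(f"{secret!r}: {'cracked' if found else 'not found'} after {n} candidates")
```

The passphrase survives not because its hash is different but because no rule derives it from a wordlist entry; a slow password hash such as bcrypt or Argon2 on the server side would multiply the cost per candidate but would not rescue a password that is reachable in a few hundred guesses.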
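How the Have I Been Pwned password check works without revealing the password: the k-anonymity exchange, as an added example that is not part of the original page. The client hashes the password with SHA-1, sends only the first five hex characters to the real range endpoint (https://api.pwnedpasswords.com/range/), and searches the returned suffixes locally. The fake range response below is constructed for offline use (its counts and the extra suffixes are made up); the `fetch_range_live` function does the real network lookup and is the only assumption-free part that needs connectivity.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

API = "https://api.pwnedpasswords.com/range/"


def sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(sha1_hex: str) -> Tuple[str, str]:
    """k-anonymity split: the 5-char prefix goes on the wire, the 35-char suffix stays local."""
    return sha1_hex[:5], sha1_hex[5:]


def parse_range(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines. Count 0 marks padding entries (returned when the
    client sends Add-Padding: true) and is dropped so padding cannot be mistaken for a hit."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        n = int(count)
        if n > 0:
            counts[suffix.upper()] = n
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Times `password` appears in the corpus; 0 means not found, which is not the same as safe."""
    prefix, suffix = split_hash(sha1_upper(password))
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def fetch_range_live(prefix: str) -> str:
    """Real lookup over the network. The API rejects requests without a User-Agent."""
    req = urllib.request.Request(API + prefix, headers={"User-Agent": "pwned-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed offline stand-in for the API: a fake range response for prefix 5BAA6,
# which is the real prefix of SHA-1("password"). The count and the other two
# suffixes are invented for the demo.
FAKE_RANGES = {
    "5BAA6": "\r\n".join([
        "1D2DA4053E34E76F6576ED1DA63134B5E2A:2",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",
        "1F2B668E8AABEF1C59E9EC6F82E3F3CD786:0",  # padding entry
    ]),
}


def fetch_range_fake(prefix: str) -> str:
    return FAKE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "cobalt-ember-fjord-glyph"):
        print(pw, "->", pwned_count(pw, fetch_range_fake))
```

Swap `fetch_range_fake` for `fetch_range_live` to query the real service; either way the password and its full hash never leave the machine, which is what makes it acceptable to check a password you actually use.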