How to Protect Your Passwords

Simple, practical rules for creating strong passwords and keeping your accounts safe.

Passwords protect everything—your email, your bank accounts, your social media, your photos. If someone gets your password, they can pretend to be you, steal your money, or lock you out of your own life.

The good news is that a few simple habits can make your passwords much harder to crack. This guide explains what really works.


The Two Rules That Matter Most

If you only remember two things from this guide, remember these:

Rule 1: Never Use the Same Password Twice

This is the most important rule. Here’s why:

Websites get hacked all the time. When that happens, criminals get lists of emails and passwords. They then try those passwords on other websites—banks, email, Amazon, everything.

If you use the same password everywhere, one breach compromises everything.

Real example: LinkedIn was hacked in 2012. Millions of passwords were stolen. Criminals used those passwords to break into people’s bank accounts, email, and other services—because people had reused their LinkedIn password elsewhere.

One account = One unique password. No exceptions.
At minimum, your email, bank, and any financial accounts should each have their own unique password.

Rule 2: Make Passwords Long

Length beats complexity. A long password is much harder to crack than a short, complicated one.

Password                                    How Long to Crack
P@55w0rd                                    A few minutes
Sunshine                                    A few seconds
correct-horse-battery-staple                Centuries
I love walking my dog Max every morning!    Billions of years

The complicated-looking “P@55w0rd” seems secure but is actually quite weak. A simple four-word phrase is far stronger.

Aim for at least 12 characters, ideally more.


How to Create Strong Passwords

You don’t need random symbols and numbers that are impossible to remember. These methods work better:

Method 1: Random Words

String together 4 or more random words:

  • coffee-mountain-purple-tuesday
  • correct-horse-battery-staple
  • umbrella-pizza-seventeen-garden
  • ocean-bookshelf-butterfly-railroad

Pick words that don’t normally go together. Avoid famous phrases, song lyrics, or quotes.

Why this works: Each word adds enormous complexity. Four random words = trillions of possibilities.

How to remember: Create a silly mental image. “A purple umbrella eating pizza on a mountain on Tuesday.”
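The following calculator is an added example (not part of the original guide) that puts numbers on Rule 2 and on the random-words method above: it generates a passphrase with a cryptographically secure random source and compares the guessing effort for a look-alike-substituted dictionary word, a truly random 8-character string, and 4 or 6 random words. The 7,776-word list size is the standard diceware figure; the 100,000-word dictionary, the four substitutable letters and the 10,000 guesses per second are constructed assumptions for a slow password hash.

```python
import math
import secrets

# Constructed stand-in for a diceware list; a real list has 7,776 words and the
# entropy math below uses that real size, not the length of this sample.
SAMPLE_WORDS = ["coffee", "mountain", "purple", "tuesday", "umbrella", "pizza",
                "seventeen", "garden", "ocean", "bookshelf", "butterfly", "railroad"]
DICEWARE_SIZE = 7776        # 6**5 words in a standard diceware list
PRINTABLE = 95              # printable ASCII symbols available per character
GUESSES_PER_SEC = 1e4       # assumed attacker rate against a slow password hash (constructed)

def random_passphrase(n_words=4, words=SAMPLE_WORDS, sep="-"):
    """Join n_words chosen with the OS CSPRNG; random.choice is not safe for secrets."""
    return sep.join(secrets.choice(words) for _ in range(n_words))

def entropy_bits(pool_size, length):
    """Entropy of `length` symbols, each drawn uniformly from `pool_size` choices."""
    return length * math.log2(pool_size)

def leet_word_bits(dictionary_size=100_000, substitutable=4):
    """Crude attacker model for 'P@55w0rd'-style passwords: one dictionary word, each
    of a few letters optionally swapped for a look-alike (a->@, s->5, o->0), and the
    first letter optionally capitalised. A tiny search space next to 95**8."""
    return math.log2(dictionary_size * 2 ** substitutable * 2)

def crack_seconds(bits, rate=GUESSES_PER_SEC):
    """Expected time to hit the password: on average half the keyspace is searched."""
    return 2 ** bits / 2 / rate

def human(seconds):
    """Round a duration to the largest convenient unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.0f} {unit}"
    return f"{seconds:.0f} seconds"

if __name__ == "__main__":
    rows = [("P@55w0rd (dictionary word + substitutions)", leet_word_bits()),
            ("8 truly random printable characters", entropy_bits(PRINTABLE, 8)),
            ("4 random diceware words", entropy_bits(DICEWARE_SIZE, 4)),
            ("6 random diceware words", entropy_bits(DICEWARE_SIZE, 6))]
    for label, bits in rows:
        print(f"{label:44} {bits:5.1f} bits  ~{human(crack_seconds(bits))}")
    print("fresh passphrase:", random_passphrase())
```

The point the table makes falls out of the numbers: strength comes from how a password was chosen, not how it looks, and a fast hash such as unsalted MD5 would shrink every time shown by several orders of magnitude.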

Method 2: The Sentence Method

Use a complete sentence—ideally one that’s meaningful to you:

  • “My first apartment was on Oak Street in 1987!”
  • “I love walking my dog Max every morning!”
  • “Grandma’s apple pie is the best in Ohio!”

The spaces, capital letters, and punctuation all add strength. And sentences are easy to remember.

Tip: Make it personal but not obvious. Something only you would think of.

Method 3: First Letters + Numbers

Take a memorable sentence and use the first letter of each word:

  • “I got married at First Baptist Church on June 15 2002” → “IgmaFBCoJ152002”
  • “My daughter Emma was born at 3am on Christmas Day” → “MdEwba3aoCD”

This creates passwords that look random but have a memory hook.

What to Avoid

These are easily guessed or cracked:

Your name, birthday, or anniversary — Public information

Pet names, kids’ names, spouse’s name — Often on social media

Common passwords — “password,” “123456,” “qwerty,” “letmein”

Sports teams or favorite bands — Guessable from your interests

Simple patterns — “abc123,” “111111,” keyboard patterns

Single dictionary words — Even with numbers added (“sunshine1”)

The same password with small changes — “password1,” “password2,” “password3”
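As an added example (not from the original guide), here is a small checker that flags the patterns in the list above: common passwords, a common or dictionary word with digits tacked on, repeated characters, sequential or keyboard-row runs, and personal details you pass in. The word lists are constructed stand-ins; a real tool would load the full lists, and an empty result means only that none of these patterns matched.

```python
import re

# Constructed stand-ins for the full lists a real checker would load from disk.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "111111", "abc123"}
DICTIONARY = {"sunshine", "dragon", "monkey", "football", "welcome"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")
TRAILING = r"[0-9!@#$%^&*]+$"      # the "sunshine1" / "password2" suffix habit

def is_sequence(run):
    """True for runs of 3+ consecutive characters, such as 'abc', '123' or 'cba'."""
    steps = {ord(b) - ord(a) for a, b in zip(run, run[1:])}
    return len(run) >= 3 and steps in ({1}, {-1})

def is_keyboard_walk(run):
    """True for 4+ adjacent keys on one row, such as 'qwer' or 'asdf'."""
    return len(run) >= 4 and any(run in row for row in KEYBOARD_ROWS)

def weak_password_reasons(password, personal=()):
    """Return the reasons a password matches the 'What to Avoid' list; an empty list
    means none of those patterns was found, not that the password is strong."""
    low = password.lower()
    base = re.sub(TRAILING, "", low)          # "password1" -> "password"
    reasons = []
    if len(password) < 12:
        reasons.append("shorter than 12 characters")
    if low in COMMON_PASSWORDS:
        reasons.append("common password")
    elif base in COMMON_PASSWORDS:
        reasons.append("common password with digits/symbols appended")
    elif low in DICTIONARY:
        reasons.append("single dictionary word")
    elif base in DICTIONARY:
        reasons.append("dictionary word with digits/symbols appended")
    if len(set(low)) == 1:
        reasons.append("one character repeated")
    runs = re.findall(r"[a-z]+|[0-9]+", low)
    if any(is_sequence(r) or is_keyboard_walk(r) for r in runs):
        reasons.append("keyboard or sequential pattern")
    if any(p and p.lower() in low for p in personal):
        reasons.append("contains personal information")
    return reasons

if __name__ == "__main__":
    for pw in ("password1", "Sunshine", "abc123", "Max2015!", "correct-horse-battery-staple"):
        print(f"{pw:30} {weak_password_reasons(pw, personal=('Max', '2015')) or 'no listed pattern'}")
```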


How to Manage All These Passwords

“But I have dozens of accounts! How can I have a unique password for each one?”

This is where password managers come in.

What Is a Password Manager?

A password manager is like a secure digital vault for all your passwords. It:

  • Creates strong unique passwords for every site automatically
  • Stores them securely (encrypted so only you can access them)
  • Fills them in for you when you log into websites
  • Requires you to remember only ONE password — your master password

You don’t have to memorize 50 different passwords. You memorize one strong master password, and the manager handles the rest.

Is It Safe to Store All Passwords in One Place?

Yes—if you do it right:

  • Use a reputable password manager (established company, good security track record)
  • Create a very strong master password (your longest, strongest password)
  • Turn on two-factor authentication for the password manager itself
  • Never share your master password with anyone

This approach is far safer than:

  • Reusing passwords across sites
  • Writing passwords on sticky notes
  • Using weak passwords you can remember
  • Keeping a list in a document on your computer

Free options:

  • Bitwarden — Free, works on all devices, very secure, highly recommended
  • Apple Keychain — Built into iPhones, iPads, and Macs (free if you have Apple devices)
  • Google Password Manager — Built into Chrome and Android (free)

Paid options (more features):

  • 1Password — About $3/month, very polished, excellent customer support
  • Dashlane — About $5/month, includes VPN and dark web monitoring

All of these are trustworthy. Pick one and start using it.


Two-Factor Authentication (2FA): Your Backup Lock

Two-factor authentication adds a second layer of protection. Even if someone steals your password, they can’t get in without the second factor.

How It Works

When you log in, you need:

  1. Something you know (your password)
  2. Something you have (your phone or security key)

So a criminal who gets your password still can’t access your account—they don’t have your phone.

Types of Two-Factor Authentication

Text Message (SMS) Codes — Good

  • A code is texted to your phone
  • Easy to set up
  • Better than nothing

Authenticator App — Better

  • Apps like Google Authenticator or Authy generate codes
  • Codes change every 30 seconds
  • More secure than text messages

Security Key — Best

  • Physical device (like a YubiKey) you plug in
  • Impossible to intercept remotely
  • Used by security professionals

For most people, text message codes are fine. Any two-factor authentication is dramatically better than none.

Where to Enable 2FA

At minimum, enable two-factor authentication on:

  • Your email account (most important—email can reset other passwords)
  • Your bank and financial accounts
  • Social media accounts
  • Any account with payment information

Most sites have it in Settings → Security or Settings → Privacy. Look for “Two-Factor Authentication,” “Two-Step Verification,” or “2FA.”


What to Do If a Password Is Compromised

If you discover one of your passwords was stolen (from a data breach notification, suspicious activity, or a check on haveibeenpwned.com):

Immediate Steps

  1. Change that password immediately — Log in and change it now

  2. Change it everywhere you used it — This is why reuse is dangerous. Check every account.

  3. Turn on two-factor authentication — If you haven’t already

  4. Check for unauthorized activity — Look for purchases, messages, or changes you didn’t make

  5. Check haveibeenpwned.com — Enter your email to see what breaches you’ve been part of

Signs Your Password May Be Compromised

  • You receive a data breach notification email
  • You see login attempts from unknown locations
  • Your password suddenly stops working
  • You receive password reset emails you didn’t request
  • Friends say they got strange messages from you

Passwords You Should Never Share

Some things feel safe to share but aren’t:

Don’t share passwords with family members — Create separate accounts instead

Don’t give your password to “tech support” — Real tech support doesn’t need your password

Don’t email passwords — Email isn’t secure

Don’t text passwords — Texts aren’t secure either

Don’t tell passwords over the phone — Especially if someone called you

If someone legitimately needs access to an account, add them as an authorized user through the official process—don’t share your password.


Quick Summary

Use a unique password for every account — One breach shouldn’t compromise everything

Make passwords long — 12+ characters, ideally a passphrase

Consider a password manager — Bitwarden is free and excellent

Turn on two-factor authentication — Especially for email and financial accounts

Never share passwords — Not even with people you trust

Check haveibeenpwned.com — See if your information has been exposed