Why Passwords Matter

Your password is the first and often the only barrier between an attacker and your personal data. Email accounts, bank accounts, social media profiles, cloud storage -- all of it is protected by passwords. If an attacker obtains your password, they gain the same level of access that you have, and they can act as you.

The consequences of a compromised password go far beyond a single account. Attackers use stolen email credentials to reset passwords on other services, access private conversations, impersonate you to your contacts, and launch further attacks. A single weak or reused password can unravel your entire digital life.

💡 The Scale of Password Breaches

Billions of username and password combinations have been leaked in data breaches over the past decade. Attackers compile these into massive databases and use automated tools to try them against thousands of websites simultaneously. This technique, called credential stuffing, is why reusing passwords is so dangerous.

What Makes a Strong Password

A strong password resists both automated guessing attacks and human intuition. The two primary factors that determine password strength are length and unpredictability. A password that is long but predictable (such as "aaaaaaaaaaaaaaa") is weak. A password that is random but short (such as "k9$Qz") is also weak. You need both qualities working together.

Length Is More Important Than Complexity

A 20-character password made of lowercase letters is significantly harder to crack than an 8-character password with uppercase, lowercase, numbers, and symbols. This is because each additional character multiplies the number of possible combinations by the size of the character set, so the search space grows exponentially with length. Modern password cracking hardware can test billions of short passwords per second, but a sufficiently long password takes centuries to brute-force even with vast computing power.

Weak passwords (easily cracked):
  password123          -- Common word + simple numbers
  Summer2024!          -- Predictable pattern (Season + Year + Symbol)
  qwerty               -- Keyboard pattern
  john.smith1985       -- Personal information

Strong passwords (resist cracking):
  correct-horse-battery-staple     -- Long passphrase (4+ random words)
  tK8$mP2!vR4@nL9&wQ6              -- Long random string
  glacier.notebook.railway.cactus  -- Random words with separator

⚠️ Avoid personal information in passwords.

Names, birthdays, pet names, addresses, and phone numbers are the first things attackers try. This information is often publicly available on social media, public records, or previous data breaches. A password built from personal details is not a password -- it is a puzzle with publicly available pieces.

The Passphrase Technique

A passphrase is a password made of multiple random words strung together. Passphrases are both stronger and easier to remember than traditional complex passwords. The key is that the words must be truly random -- not a meaningful sentence, not a quote, and not something you would naturally say.

How to Create a Good Passphrase

The most secure method is to use a word list and a source of randomness. The Diceware method, for example, uses physical dice rolls to select words from a numbered list. Each word adds approximately 12.9 bits of entropy (randomness). A four-word passphrase provides about 51 bits of entropy, and a six-word passphrase provides about 77 bits -- strong enough for almost any purpose.

Generating a Diceware passphrase:

Roll five dice for each word. Look up the result in the Diceware word list.

  Roll: 4-1-6-2-3 --> Word: "mutual"
  Roll: 2-5-3-1-6 --> Word: "floss"
  Roll: 1-3-4-2-5 --> Word: "anvil"
  Roll: 6-2-1-4-3 --> Word: "timber"
  Roll: 3-5-1-6-2 --> Word: "kayak"

Passphrase: mutual-floss-anvil-timber-kayak

This is 64.6 bits of entropy -- strong enough for most accounts.
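The entropy figures above (12.9 bits per Diceware word, 64.6 bits for five words) and the "length beats complexity" comparison from the earlier section can be reproduced with a few lines of Python. This is an added example, not code from the original guide: the five-entry word list is constructed from the rolls shown above, a real Diceware list maps all 7776 five-dice rolls, and the character-set sizes (26 lowercase, 94 printable ASCII) are assumptions for the comparison.

```python
import math
import secrets

DICEWARE_LIST_SIZE = 6 ** 5  # a full Diceware list has 7776 entries

# Constructed mini word list covering only the five rolls shown above;
# a real Diceware list maps every roll from 11111 to 66666 to a word.
SAMPLE_WORDS = {
    "41623": "mutual", "25316": "floss", "13425": "anvil",
    "62143": "timber", "35162": "kayak",
}


def roll_dice(n=5, rng=secrets.randbelow):
    """Return n dice results as a string such as '41623', drawn from a CSPRNG."""
    return "".join(str(rng(6) + 1) for _ in range(n))


def diceware_passphrase(word_list, n_words=5, roll=roll_dice, sep="-"):
    """Pick n_words by dice rolls and join them; needs a full list for real use."""
    return sep.join(word_list[roll()] for _ in range(n_words))


def brute_force_bits(length, alphabet_size):
    """Entropy of a password of this length drawn uniformly from the alphabet."""
    return length * math.log2(alphabet_size)


def diceware_bits(n_words, list_size=DICEWARE_LIST_SIZE):
    """Entropy of a passphrase of n_words picked uniformly from list_size words."""
    return n_words * math.log2(list_size)


if __name__ == "__main__":
    # Replay the five rolls from the guide deterministically (demo only).
    rolls = iter(SAMPLE_WORDS)
    print(diceware_passphrase(SAMPLE_WORDS, roll=lambda: next(rolls)))
    print(f"5 Diceware words: {diceware_bits(5):.1f} bits")
    print(f"20 lowercase chars: {brute_force_bits(20, 26):.1f} bits")
    print(f"8 mixed chars: {brute_force_bits(8, 94):.1f} bits")
```

The comparison only holds when characters and words are chosen uniformly at random; a long but predictable string such as "aaaaaaaaaaaaaaa" gets none of these bits.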

💡 Why Random Words, Not Sentences?

Natural language has patterns. If you use a grammatically correct sentence as a passphrase, attackers can exploit the predictable structure of language to dramatically reduce the number of guesses needed. "The cat sat on the mat" feels long but is far weaker than four truly random words because each word in a sentence constrains what can follow it.

Password Managers

A password manager is software that generates, stores, and fills in strong, unique passwords for every account you have. You remember one master password to unlock your password vault, and the manager handles everything else. This is the single most impactful step you can take to improve your password security.

Why You Need One

The average person has over 100 online accounts. It is humanly impossible to memorize a unique, strong password for each one. Without a password manager, people inevitably reuse passwords or use weak, memorable ones. A password manager eliminates this tradeoff entirely by removing the need to remember any password other than one master password.

Recommended Password Managers

  • KeePassXC -- Free, open-source, offline. Your vault is a local encrypted file that you control. No cloud sync unless you set it up yourself. Best for users who want full control.
  • Bitwarden -- Free tier available, open-source, cloud-synced. Can also be self-hosted. Good balance of convenience and transparency.
  • 1Password -- Paid, proprietary, cloud-synced. Polished user experience and good family/team sharing features.

How to Get Started

  • Install a password manager and create a strong master password (use the passphrase technique above)
  • Install the browser extension so it can auto-fill login forms
  • Start with your most critical accounts -- email, banking, and cloud storage
  • Generate a new unique password for each account as you log in to it
  • Over time, replace every reused password with a unique generated one

Your master password is the one password that matters.

Make it a strong passphrase of at least five random words. Memorize it thoroughly. Never write it down in a place that could be discovered. If you forget your master password, you may lose access to your entire vault, so consider storing an emergency copy in a sealed envelope in a secure physical location such as a safe or a safety deposit box.

One Unique Password Per Account

This is the most critical rule of password hygiene: never reuse a password across multiple accounts. Every single account should have its own unique, randomly generated password. No exceptions.

The reason is simple. Data breaches happen constantly, and they are outside your control. When a service gets breached and your password is exposed, attackers immediately try that same email and password combination on hundreds of other services. If you reused that password anywhere, those accounts are now compromised too.

How credential stuffing works:

1. Attacker obtains breach data:
     user@example.com : MyPassword123

2. Attacker runs automated tools against:
     - Gmail
     - Facebook
     - Amazon
     - Banking sites
     - Netflix
     - Every other major service

3. Any account using "MyPassword123" is compromised instantly.

If every account has a unique password, a breach on one
service affects only that one service.

⚠️ Slight variations do not count as unique.

Using "MyPassword1" for Gmail and "MyPassword2" for Facebook is not unique -- it is a pattern. Attackers know people do this and their tools account for it. A truly unique password is one that has no relationship whatsoever to any of your other passwords. Let your password manager generate random strings for you.

Checking for Breached Passwords

Even if you follow good practices now, passwords you used in the past may already be floating around in breach databases. The website Have I Been Pwned (haveibeenpwned.com) lets you check whether your email address or passwords have appeared in known breaches.

Checking Your Email

Visit haveibeenpwned.com and enter your email address. The site will tell you if your email appeared in any known data breaches and which services were involved. This does not mean your current passwords are compromised, but it tells you which accounts have had credentials exposed at some point.

Checking Your Passwords

Have I Been Pwned also offers a password checker at haveibeenpwned.com/Passwords. You can enter a password to see if it appears in any breach database. The check is done securely using a technique called k-anonymity -- your full password is never sent to the server. Only the first five characters of its hash are transmitted, and the matching is done locally on your device.

How the k-anonymity password check works:

1. Your password "example" is hashed with SHA-1:
     SHA-1("example") = C3499C2729730A7F807EFB8676A92DCB6F8A3F8F

2. Only the first 5 characters are sent to the server:
     Request: C3499

3. The server returns ALL hashes starting with C3499
     (typically 500-800 hashes)

4. Your browser checks locally if the full hash matches
     any in the returned list.

Your actual password never leaves your device.
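The four steps above, implemented as an added example (not code from the guide or from Have I Been Pwned): the client hashes locally, sends only the 5-character prefix, and scans the returned "SUFFIX:COUNT" lines on its own device. The range endpoint URL is the public HIBP one and is not on the page; the sample response body and its counts are constructed, with only the first suffix being the real one for "example".

```python
import hashlib
from urllib.request import Request, urlopen

# Public HIBP range endpoint (assumption: not named on the page).
HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_sha1(password):
    """Hash locally; return (5-char prefix sent to server, 35-char suffix kept)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def match_suffix(suffix, range_body):
    """Scan the server's 'SUFFIX:COUNT' lines locally; 0 means not found."""
    for line in range_body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def fetch_range(prefix):
    """Retrieve every hash sharing the prefix; only the prefix leaves the device."""
    req = Request(HIBP_RANGE_URL + prefix, headers={"User-Agent": "k-anon-example"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password, fetch=fetch_range):
    """Number of times the password appeared in breaches, per the range data."""
    prefix, suffix = split_sha1(password)
    return match_suffix(suffix, fetch(prefix))


# Constructed sample response for prefix C3499 (counts made up; a real reply
# has hundreds of lines). The first suffix is the real one for "example".
SAMPLE_RANGE_C3499 = "\r\n".join([
    "C2729730A7F807EFB8676A92DCB6F8A3F8F:123456",
    "000D4FD0B1A7C0F0E5B6B3B1A2D3E4F5A6B:2",
    "FFFF1234567890ABCDEF1234567890ABCDE:17",
])

if __name__ == "__main__":
    # Offline demo using the constructed body; pass fetch=fetch_range to go live.
    print(breach_count("example", fetch=lambda prefix: SAMPLE_RANGE_C3499))
```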

💡 Many password managers integrate breach checking.

KeePassXC, Bitwarden, and 1Password all include features that automatically check your stored passwords against known breach databases. Enable this feature and review the results regularly. Any password that appears in a breach should be changed immediately, regardless of how strong it is.

Changing Compromised Passwords

When you discover that a password has been compromised -- whether through a breach notification, a Have I Been Pwned check, or suspicious account activity -- you need to act quickly and methodically.

  • Change the compromised password immediately -- Log in to the affected service and change the password to a new, unique, randomly generated one
  • Check for unauthorized changes -- Review account settings, recovery email addresses, connected apps, and recent activity for anything you did not do
  • Revoke active sessions -- Most services let you sign out of all devices. Do this to terminate any sessions the attacker may have open
  • Change the password everywhere you reused it -- If you used the same password on other accounts, change those too. Each one gets its own unique password
  • Enable two-factor authentication -- If the account supports 2FA and you have not enabled it, do so now. This adds a second layer that a stolen password alone cannot bypass
  • Watch for follow-up attacks -- Attackers who compromised one account may use the information they found to target you further through phishing or social engineering

⚠️ Prioritize your email account.

If your email password was compromised, treat it as the highest priority. Your email account is the master key to your digital life -- it receives password reset links for almost every other service you use. An attacker with access to your email can reset and take over all of your other accounts.

Summary

Good password hygiene is not about memorizing complicated strings. It is about using the right tools and habits so that every account is protected by a strong, unique password without relying on your memory.

  • Passwords are your primary defense -- a single compromised password can cascade into multiple account takeovers
  • Length beats complexity -- a long passphrase of random words is stronger and easier to remember than a short complex string
  • Use the Diceware method to generate truly random passphrases when you need to memorize a password
  • Use a password manager for everything else -- let it generate and store unique passwords for every account
  • Never reuse passwords -- not even with minor variations. One breach should only compromise one account
  • Check haveibeenpwned.com regularly to find out if your credentials have appeared in known breaches
  • Change compromised passwords immediately and revoke active sessions on affected accounts

🎉 Start today, not tomorrow.

You do not need to fix everything at once. Install a password manager today, secure your email account with a strong unique passphrase and two-factor authentication, then gradually work through your other accounts. Every password you update is one fewer vulnerability in your digital life.