Most passwords are compromised through one of three methods: credential stuffing (using leaked username/password pairs from one breach to try logging into other sites), brute force attacks (systematically trying every combination), and phishing (tricking you into entering your password on a fake site).
The most common password in the world is still "123456." The second most common is "password." If your password appears on any list of common passwords, it can be cracked in under one second, no matter how clever you think it is.
Length is more important than complexity. A 16-character password using only lowercase letters is harder to crack than an 8-character password with uppercase, lowercase, numbers, and symbols. Each additional character multiplies the number of possible combinations by the size of the character set, so the search space grows exponentially with length.
Use the password generator to create passwords of any length with your preferred character mix. For most accounts, 16+ characters with mixed character types is effectively uncrackable with current technology.
A passphrase is a sequence of random words strung together, like "correct-horse-battery-staple." It is both longer (making it harder to crack) and easier to remember than a random string of characters. The password generator includes a passphrase mode for exactly this purpose.
A 4-word passphrase from a dictionary of 7,776 words (like the Diceware list) has about the same entropy as a 10-character random password, but is far more memorable. A 6-word passphrase is essentially uncrackable.
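To put numbers on the comparisons above (16 lowercase characters versus 8 mixed characters, and 4 Diceware words versus a 10-character random string), here is an added example that is not part of the original page. It computes entropy in bits as length times log2 of the alphabet size, estimates worst-case exhaustive search time for an assumed guess rate, checks a candidate against a common-password list, and generates passwords and passphrases with the OS random source. The common-password set and the eight-word wordlist are constructed stand-ins; the 95-character alphabet and the 7,776-word Diceware size are assumptions stated in the code.

```python
import math
import secrets
import string

# Constructed, tiny stand-in for a real common-password list (real lists hold millions of entries).
COMMON_PASSWORDS = frozenset({"123456", "password", "qwerty", "12345678", "111111"})

# Constructed eight-word stand-in for the 7,776-word Diceware list; only the list size matters for the math.
SAMPLE_WORDLIST = ("correct", "horse", "battery", "staple", "ocean", "lantern", "pebble", "violet")

DICEWARE_SIZE = 7776  # assumed size of the real Diceware list
PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 printable ASCII chars (95 with space)


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` symbols drawn uniformly at random from an alphabet of `alphabet_size`."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every combination at an assumed (not measured) guess rate."""
    return alphabet_size ** length / guesses_per_second


def is_common(password: str) -> bool:
    """A password on the common list is effectively zero-entropy, whatever it looks like."""
    return password.lower() in COMMON_PASSWORDS


def generate_password(length: int, alphabet: str = PRINTABLE) -> str:
    """Uniform random password; `secrets` draws from the OS CSPRNG (never use `random` for this)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(word_count: int, wordlist=SAMPLE_WORDLIST, sep: str = "-") -> str:
    """Diceware-style passphrase: each word chosen uniformly and independently from the list."""
    return sep.join(secrets.choice(wordlist) for _ in range(word_count))


def compare_examples() -> dict:
    """The comparisons made in the text, expressed in bits of entropy."""
    return {
        "16 lowercase chars (26)": entropy_bits(26, 16),
        "8 mixed chars (95)": entropy_bits(95, 8),
        "4 diceware words (7776)": entropy_bits(DICEWARE_SIZE, 4),
        "10 alnum chars (36)": entropy_bits(36, 10),
        "6 diceware words (7776)": entropy_bits(DICEWARE_SIZE, 6),
    }


if __name__ == "__main__":
    for label, bits in compare_examples().items():
        print(f"{label:26s} {bits:6.1f} bits")
    # Assumed offline cracking rate of 1e10 guesses/second, for illustration only.
    print("years to exhaust 8 mixed chars:", seconds_to_exhaust(95, 8, 1e10) / 31_557_600)
    print("years to exhaust 16 lowercase:", seconds_to_exhaust(26, 16, 1e10) / 31_557_600)
    print(generate_password(16), generate_passphrase(4))
```

Running it shows that 16 lowercase characters (about 75 bits) beat 8 mixed characters (about 53 bits), and that 4 Diceware words (about 52 bits) sit right next to a 10-character password drawn from lowercase letters and digits (36 symbols, also about 52 bits); a 10-character password from all 95 printable characters would be nearer 66 bits. Note that the 8-word sample list only yields 3 bits per word, which is why the list size, not the word choice, is what makes a passphrase strong.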
The only way to use a unique, strong password for every account is to use a password manager. It generates random passwords, stores them encrypted, and auto-fills them when you log in. You only need to remember one master password: the one that unlocks the manager.
A password manager transforms the security problem from "remember 200 unique passwords" to "remember 1 strong master password." That is a solvable problem.
Even the strongest password is useless if it gets phished or leaked in a breach. Two-factor authentication adds a second verification step: something you have (your phone) in addition to something you know (your password).
Use an authenticator app (Google Authenticator, Authy) or a hardware key (such as a YubiKey) rather than SMS-based 2FA. SMS can be intercepted through SIM swapping. An authenticator app generates codes locally on your device, so there is no text message to intercept.
Enable 2FA on every account that offers it, especially email, banking, and social media. Your email is the master key to all your other accounts (via password reset), so it should have the strongest protection.