Found in 11 Breaches: What We Changed About Our Passwords

Rob Mardisalu

Founder and writer of TheBestVPN.com

We checked our own company email on Have I Been Pwned while writing this article. Eleven data breaches. The oldest dating back to 2013, the most recent from 2024. Passwords, email addresses, names, and in some cases phone numbers, all sitting in hacker databases for years without us knowing.

We are sharing that because if it happened to a site that writes about online security for a living, it has almost certainly happened to you. Check your own email at Have I Been Pwned before reading the rest of this. The number you see will make everything below feel more urgent.

The uncomfortable truth is that most people already know the basics: use a long password, do not reuse it, turn on two-factor authentication. Almost nobody follows all of it consistently. This article is about why that gap exists, what advice most guides skip, and what we actually do ourselves.

What Actually Makes a Password Strong (and What Stopped Working Years Ago)

The standard advice about adding a capital letter, throwing in a symbol, or swapping an O for a 0 was outdated before most people heard it. Cracking tools come pre-loaded with every common substitution pattern. “P@ssw0rd” is cracked almost as fast as “Password.” The things that genuinely affect password strength work very differently from how most guides explain them.

Length

Length is the most important variable, and the numbers are more dramatic than most people realise. A 12-character password can be cracked in under a minute with modern GPU hardware. The same structure at 16 characters jumps to several years. At 20 characters, we are talking about timeframes that outlast most recorded history.

This is not about complexity. It is pure mathematics. Each additional character multiplies the total number of possible combinations. Use at least 16 characters for everyday accounts and 20 or more for email, banking, and your password manager. If a site refuses to accept passwords longer than 12 characters, that is a signal of poor security architecture on their end, and your data is at higher risk there regardless of what you choose.

Uniqueness

Most people who get hacked are not targeted by sophisticated attacks. They are caught by credential stuffing: an automated process where hackers take a leaked username and password from one breach and try it across hundreds of other sites automatically. Researchers also reported that more than 3,214 websites were infected with malicious code every single day in 2024, highlighting how widespread automated cyber threats have become.

When our email showed up in 11 breaches, that meant 11 different credential sets were potentially tested against every service we use. One password reused across those breaches would have meant every account sharing it was exposed.

Complexity

Genuine complexity comes from randomness, not character substitution. Cracking tools include l33tspeak variations, the most common passwords, keyboard sequences like “qwerty” and “123456,” words in dozens of languages, and patterns like adding “123” or “!” to the end of a word. What actually resists cracking is true randomness: combinations with no pattern, no personal connection, and no predictable structure. Avoid anything tied to your identity: pet names, birthdays, your favourite team, the street you grew up on. These feel secure because they are meaningful to you, but a determined attacker who knows your name can generate a targeted wordlist from your public social media in minutes.

Why People Do Not Follow Password Advice (and the Method That Actually Fixes It)

Here is what most security guides skip entirely. The reason people reuse passwords and ignore good advice is not ignorance. It is friction. Remembering a unique, complex password for every account is genuinely impossible without a system. So people make a quiet mental compromise: a strong-ish password reused everywhere feels better than forgetting a unique one and getting locked out at the worst possible moment. This is rational behaviour given the constraints. The fix is not more willpower. It is removing the constraint with the right tools.

For the small number of passwords you genuinely need to remember from memory, your email login and your password manager master password, the passphrase method is how most security professionals actually handle it. Instead of a random character string, you chain four or more completely unrelated words into one long phrase.

We ran “coffee-bridge-umbrella-cactus” through a password strength checker while writing this.

Thirty characters. Easy to type. Impossible to brute force in any practical timeframe. Compare that to “MichaelJordan23”: 15 characters that fall almost instantly, because the words are related and the number lands exactly where a cracking tool expects it.

Building a good passphrase comes down to a few things. First, use a generator rather than your own brain. Most people are worse at picking random words than they think. We default to things we know, things we have seen recently, things that feel unconnected but share context in our heads. A password manager’s built-in passphrase generator produces combinations a human brain would never naturally land on, and that randomness is the entire point. Second, handle site requirements without weakening the phrase. Capitalising the first word and adding a number at the end, “Coffee-bridge-umbrella-cactus4,” satisfies most requirements. Misspelling one word intentionally also works. Third, build a mental image to aid recall. Picture the words as an absurd scene: a coffee cup balanced on a bridge while an umbrella shields a cactus from rain. The more specific and bizarre the image, the better it sticks. Memory competitors use this exact technique to memorise entire decks of cards. Finally, use a different passphrase for every account you need to remember manually. Everything else should live in a password manager.
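The entropy arithmetic behind the length claims above, together with a generator that applies the passphrase steps just described, as an added example that is not part of the original article. The wordlist, the 95-character alphabet and the 1e11 guesses-per-second rate are constructed assumptions for illustration.

```python
import math
import secrets

# Constructed sample wordlist for illustration only; a real generator draws
# from a list of several thousand words. The entropy functions take the list
# size as a parameter, so the figures do not depend on this toy list.
SAMPLE_WORDS = ["coffee", "bridge", "umbrella", "cactus",
                "lantern", "velvet", "orbit", "pebble"]

def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Entropy (bits) of a uniformly random string: every added character
    multiplies the keyspace by the alphabet size, i.e. adds log2(alphabet) bits."""
    return length * math.log2(alphabet_size)

def passphrase_bits(list_size: int, word_count: int) -> float:
    """Entropy (bits) of word_count words drawn uniformly from list_size words."""
    return word_count * math.log2(list_size)

def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit the right guess: on average half the keyspace is
    searched. Assumes a random secret, i.e. no dictionary structure to exploit;
    a human-chosen password has far fewer effective bits than this bound."""
    return (2.0 ** bits) / 2.0 / guesses_per_second

def generate_passphrase(words, count=4, sep="-", site_compat=False):
    """Draw words with the OS CSPRNG (secrets), never random.choice.
    site_compat applies the article's trick for picky sites: capitalise the
    first word and append a digit, which leaves the random words untouched."""
    chosen = [secrets.choice(words) for _ in range(count)]
    phrase = sep.join(chosen)
    if site_compat:
        phrase = phrase[0].upper() + phrase[1:] + str(secrets.randbelow(10))
    return phrase

def length_table(alphabet_size=95, rate=1e11):
    """Crack-time estimate per length; rate is a hypothetical GPU rig (assumption)."""
    return {n: expected_crack_seconds(keyspace_bits(alphabet_size, n), rate)
            for n in (8, 12, 16, 20)}

if __name__ == "__main__":
    for n, secs in length_table().items():
        print(f"{n} random printable chars: ~{secs / 31_557_600:.3g} years")
    print("4 words from a 7776-word list:", f"{passphrase_bits(7776, 4):.1f} bits")
    print("example:", generate_passphrase(SAMPLE_WORDS, site_compat=True))
```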

Password Managers: The One We Use and Why

Neutral advice about password managers being “useful” does not actually help anyone make a decision. Here is a more direct take: if you are not using one, you are almost certainly reusing passwords, and reuse is the most common way accounts get compromised. Not hacking. Not phishing. Reuse.

We use RoboForm for most accounts. It has been around since 1999, offers a solid free tier, and has been independently audited by Secfault Security with the results made available publicly. It is one of the more established names in the space with a track record most newer entrants cannot match. That stability matters because even major password managers like LastPass have suffered 7 documented breaches since 2011, pushing many users to pay closer attention to long-term security history when choosing a provider.

Worth knowing: the free plan covers one device only, so if you switch between a phone and laptop you will need the paid plan. If you want something with a slightly more modern interface, NordPass is a reasonable alternative with a clean security record. What we would avoid is saving passwords in your browser. It feels convenient because it is built in, but browser-stored passwords offer minimal protection if your device is compromised or your browser account is breached.

The master password for your vault is worth building as a passphrase and memorising properly. It is the only credential that lives in your head. Everything else can be a randomly generated 20-character string you never need to see.

MFA: The Type You Use Matters as Much as Whether You Use It

Multi-factor authentication gets treated as a single thing in most guides. It is not, and the gap between the weakest and strongest forms is large enough to change your actual risk level.

SMS codes are what most sites offer by default and the weakest option on the list. SIM swapping, where an attacker convinces your mobile carrier to transfer your number to a device they control, can intercept SMS codes in minutes. This is not a theoretical attack. It has been used against crypto wallets, email accounts, and financial services with documented losses. SMS MFA is better than no MFA, but treat it as a last resort rather than a target.

Authenticator apps such as Google Authenticator, Authy, or the one built into most password managers generate time-based codes locally on your device. The code is derived from a shared secret and the current time, so no message is sent to you that a SIM swapper could intercept. This should be the default choice for any account that offers it.

Hardware security keys, such as a YubiKey, are the option we assumed was overkill until we actually set one up. It took about ten minutes and has not caused a single login problem since. The key verifies the actual domain of the site you are logging into, which means it will not authenticate on a fake login page the way an authenticator code would. For email and password manager accounts specifically, it is now our preferred method and something worth considering for anyone who handles sensitive data regularly.

The practical setup is straightforward. Enable authenticator app MFA on every account that offers it, fall back to SMS only where nothing better is available, and enable MFA on your password manager itself. Your vault is only as secure as the login protecting it.

Passkeys: Genuinely Better, but Messier Than Most Coverage Admits

Passkeys are a real improvement over passwords from a security standpoint. A cryptographic credential stored on your device, verified by your fingerprint or face, tied to a specific site so it cannot be reused on a fake login page. There is no password sitting on a server to steal. The underlying technology is sound.

The honest picture of where passkeys actually are in 2026 is more complicated than most articles let on. We set up passkeys on our Google and Apple accounts without problems. On a third service, we hit a bug that required a full password reset to resolve. The technology works, but implementation quality varies significantly across sites.

Apple passkeys sync through iCloud, which means losing access to your Apple account can affect passkeys stored there. Android handles syncing through Google Password Manager, which does not always work cleanly if you move between device ecosystems. Many sites that technically support passkeys still require a password as a fallback, which limits the security gain.

Our recommendation is to enable passkeys on major accounts that support them well, particularly Google and Apple ID, while keeping your password manager and authenticator app running in parallel. Passkeys have not replaced the need for strong passwords across most accounts yet, and assuming otherwise leaves gaps.
