Why Passwords Still Matter
Despite years of warnings and high-profile breaches, password-related vulnerabilities remain one of the most common entry points for attackers. Credential stuffing attacks — where leaked username/password pairs from one breach are tested against other services — compromise millions of accounts each year. The problem isn't that passwords are inherently broken; it's that most people manage them poorly.
The Mistakes That Get People Compromised
Reusing Passwords Across Sites
This is the single most dangerous habit. When a website you use suffers a data breach (and it's a matter of when, not if), attackers get your password for that site. If you've reused it elsewhere, every account sharing that password is now at risk. Credential stuffing tools automate this attack at massive scale.
Using Predictable Patterns
Passwords like Company2024! or Summer@Home1 feel complex but follow patterns that attackers model explicitly. Dictionary attacks apply rules for common substitutions (@ for a, 3 for e), appended years, and capitalised first letters, so a "word plus year plus symbol" password is tested almost as quickly as the bare word.
Relying on "Security Questions"
Mother's maiden name, first pet, childhood street — this information is often findable through social media or data brokers. Treat security question answers as passwords: use random, fictitious answers and store them securely.
What Good Password Hygiene Actually Looks Like
Use a Password Manager
This is the single most impactful change you can make. A password manager (Bitwarden, 1Password, Dashlane) generates and stores unique, long, random passwords for every site. You only need to remember one strong master password. Most integrate directly with browsers and mobile apps to autofill credentials seamlessly.
Bitwarden is open-source and free for personal use — there's genuinely no excuse not to use one.
What Makes a Strong Master Password?
For your password manager's master password (and any other password you must memorise), use a passphrase: four or more random, unrelated words strung together. Something like correct-horse-battery-staple (now famous from XKCD) is both memorable and far more resistant to brute force than a short complex password. Length beats complexity.
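As an added example (not from the original article), the following Python puts numbers on "length beats complexity" and on the predictable-pattern point above: it generates a passphrase with a CSPRNG and compares the entropy of random passphrases, random character passwords, and a Company2024!-style pattern. The sample word list, the 7776-word list size (a standard diceware-style list), and the 50,000-word / 30-year / 10-suffix pattern model are assumptions for illustration.

```python
import math
import secrets

# Constructed sample word list so the example runs offline; a real generator
# should draw from a large curated list (a 7776-word diceware-style list).
SAMPLE_WORDS = ["correct", "horse", "battery", "staple",
                "orbit", "velvet", "lantern", "pebble"]

DICEWARE_LIST_SIZE = 7776   # assumed size of a standard passphrase word list
PRINTABLE_ASCII = 94        # letters, digits and punctuation on a US keyboard


def generate_passphrase(words, count=4, separator="-"):
    """Pick `count` words uniformly at random with the `secrets` CSPRNG (never `random`)."""
    if count < 1 or len(words) < 2:
        raise ValueError("need at least one word to pick and at least two to choose from")
    return separator.join(secrets.choice(words) for _ in range(count))


def random_entropy_bits(choices_per_symbol, symbols):
    """Entropy of a string whose symbols are each chosen uniformly and independently."""
    return symbols * math.log2(choices_per_symbol)


def pattern_entropy_bits(dictionary_size, year_choices, suffix_choices):
    """Entropy of a 'Word + year + symbol' password under an attacker's pattern model.

    Only the three independent choices count; extra length and a capitalised
    first letter add nothing once the structure is known. The model sizes are
    assumptions, not measured values."""
    return math.log2(dictionary_size * year_choices * suffix_choices)


def compare_strengths():
    """Return entropy estimates (bits) for several password styles discussed above."""
    return {
        "4 random words": random_entropy_bits(DICEWARE_LIST_SIZE, 4),
        "6 random words": random_entropy_bits(DICEWARE_LIST_SIZE, 6),
        "8 random printable chars": random_entropy_bits(PRINTABLE_ASCII, 8),
        "12 random printable chars": random_entropy_bits(PRINTABLE_ASCII, 12),
        # Looks like 12 'complex' characters (~78.7 bits) but is really three choices.
        "Company2024!-style pattern": pattern_entropy_bits(50_000, 30, 10),
    }


if __name__ == "__main__":
    print("example passphrase:", generate_passphrase(SAMPLE_WORDS, 4))
    for label, bits in compare_strengths().items():
        print(f"{label:28s} {bits:5.1f} bits")
```

Each extra word adds about 12.9 bits (with a 7776-word list) while each extra random character adds about 6.6, and a patterned password that looks like 12 strong characters is worth roughly 24 bits once its structure is modelled.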
Enable Multi-Factor Authentication (MFA)
MFA adds a second layer — even if an attacker has your password, they can't log in without the second factor. Use it everywhere it's available, prioritised as follows:
- Hardware security keys (YubiKey) — most secure, phishing-resistant
- Authenticator apps (Google Authenticator, Authy) — very good
- SMS codes — better than nothing, but vulnerable to SIM-swapping attacks
Dealing with Breaches
- Check haveibeenpwned.com to see if your email has appeared in known data breaches.
- If a service you use is breached, change that password immediately — and any other accounts where you reused it.
- Most password managers now include breach monitoring that alerts you automatically.
A Quick Action Checklist
- ☐ Install and start using a password manager today
- ☐ Enable MFA on your email account (highest priority)
- ☐ Enable MFA on financial accounts
- ☐ Change any reused passwords to unique ones
- ☐ Check haveibeenpwned.com for your email addresses
- ☐ Replace security question answers with random strings stored in your password manager
Good password security doesn't require being a security expert. It requires two things: a password manager and MFA on critical accounts. Start there, and you'll be meaningfully more secure than the vast majority of internet users.