Revisions
April 1, 2026: Polished for clarity.
August 19, 2025: Added details about insecure browser extensions.
Everyone hates memorizing passwords. We want logins to be easy and seamless. Nobody wants to go through the hassle of setting a complex password just to forget it next time, wasting time with yet another password reset. It doesn’t have to be difficult.
You’ve been taught the wrong advice.
In the past, the widely accepted advice was that a very short password can be highly secure if you just add special characters. A password like “J0hn4th4n” would supposedly be more secure than a simple, longer password like “AppleEnglishGrandmaStatue.” We now know that isn’t the case. The first password could be cracked in less than one second, and the latter would take multiple years. A short, complex password is less secure than a much longer, simpler password that uses known dictionary words and is still easy to remember. Better still, throw numbers and special characters into the long one as well. But the crux of this post isn’t to convince you to just use longer and more complicated passwords.
A quick lesson on data breaches.
If you’ve been online for a while, chances are that you’ve seen news about a multitude of data breaches across the years. Maybe you’ve even been a victim of one. It doesn’t matter if it’s a small site or a multi-billion-dollar company. Any organization can be at risk of getting hacked at any second. Once the perpetrators make their way into those systems, they dump and extract all the sensitive data they can get their hands on. Hackers often end up with personal information like names, addresses, and login credentials (email, username, and password). Depending on the site, other data can be stolen too. For retailers, your payment data can be at risk. For healthcare sites, your medical data can be as well.
Here’s the scary part. If you’ve used the same password on any other sites, consider those accounts also compromised. What’s even worse? Imagine you used a breached password for your email. Hackers will be able to request a password reset on any site where you have an account. They’ll get the password reset emails right there in your inbox. They could easily gain access to your bank, brokerage, credit cards, or other financial data. Or they can use your information to log into sites like Amazon to go on a shopping spree. Sometimes they’ll sell access to stolen accounts to others, like gaming accounts that have lots of games or money in the virtual wallet.
Excuses.
“But I’m not a target.” I’ve heard this line so many times that I’ve lost count. And so many of the same people end up coming to me for advice after they’ve become a victim. Hackers are not out there targeting specific people for the most part. You do not need to be special or high-net-worth to be at risk of getting hacked. They will often have bots run through combo lists (email and password pairs leaked in earlier breaches) in an attempt to crack as many accounts as possible.
“I have nothing of value to steal.” Same with this. It’s the second most common line I’ve heard when I advocate for people to improve their security practices. These people think that they won’t face any repercussions if they are hacked since there is nothing of value to take. They ignore it when others actually break into their accounts. It’s only a matter of time until one of the accounts they care about ends up getting changed, banned, or deleted. Hackers sometimes sit on stolen accounts without your knowledge until something interesting comes up, too. Victims end up wasting a huge amount of time recovering accounts (sometimes unsuccessfully) or even facing ransom demands to get their accounts back.
“I already have two-factor authentication on my important stuff.” Two-factor authentication is exactly that. It’s just the second factor. You cannot rely on a weak password or a breached password to secure your important accounts just because you have 2FA enabled. There are many cases where two-factor authentication has been bypassed. The first and primary defense is always the most important.
The art of cracking passwords.
User-created passwords are usually not random. A typical user will use something memorable or significant to them, like a pet’s name or a birthday. For example, “charlie2012” would be something a normal person would set as a password. Let’s say a site requires you to use both lowercase and uppercase characters. Most people would just capitalize the “C” to make the password “Charlie2012” instead. And let’s say a site also requires you to use at least one special character. Psychologically, most people tend to just add an exclamation point at the end, like “Charlie2012!” or replace one of the characters with a special character that looks visually similar, like “Ch@rlie2012.”
Password cracking has evolved throughout the years. It’s not just plain brute-forcing anymore. Hackers know that users typically start their alphabetical characters at the beginning of a password, followed by numbers. They know that many people add their special character(s) at the end of a password, whether it’s an exclamation point or dollar sign or anything else. They know people also tend to simply replace regular alphabetical characters with a special character, like using an exclamation point in place of an “i.”
They know all the common tricks and can tune cracking scripts to try all the possible variations. Or they have the option of speeding things up by skipping unlikely passwords that don’t match a known pattern. You’re not slick by changing your password from “mypassword1” to “Mypassword1@” just because the former was in a breach. As computers continue getting more powerful and cracking algorithms continue advancing, average human behavior remains remarkably predictable.
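The patterns described above (letters first, then digits, then a special character at the end, or a look-alike symbol swapped in for a letter) can be checked for defensively. The following Python is an added example, not code from the original post: it undoes the common mutations and asks whether what remains is just a dictionary word. The word list and the substitution table are constructed for illustration; a real check would load a large wordlist from disk.

```python
from __future__ import annotations

import re

# Constructed stand-in for the dictionary and name lists cracking tools load;
# a real check would read a large wordlist from disk.
COMMON_BASES = {"charlie", "password", "mypassword", "johnathan", "summer", "welcome"}

# Visually similar substitutions described in the post: "@" for "a",
# "!" for "i", "0" for "o", "$" for "s" and so on.
LEET_MAP = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
    "0": "o", "$": "s", "5": "s", "7": "t",
})

# Letters first, then digits, then specials at the very end: the layout
# most human-chosen passwords follow.
COMMON_LAYOUT = re.compile(r"^[A-Za-z]+[0-9]*[^A-Za-z0-9]*$")


def matches_common_layout(password: str) -> bool:
    """True when the password follows the letters-digits-specials layout."""
    return COMMON_LAYOUT.fullmatch(password) is not None


def candidate_bases(password: str) -> set[str]:
    """Undo the usual mutations and return the base words they could hide.

    Two candidates are produced: one with leading/trailing digits and
    specials stripped before undoing substitutions (handles 'Charlie2012!'),
    and one with substitutions undone on the whole string (handles 'pa$$').
    """
    lowered = password.lower()
    stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)
    return {stripped.translate(LEET_MAP), lowered.translate(LEET_MAP)}


def predictable_base(password: str, bases: set[str] = COMMON_BASES) -> str | None:
    """Return the dictionary word a password is a predictable variant of, or None."""
    for candidate in candidate_bases(password):
        if candidate in bases:
            return candidate
    return None


if __name__ == "__main__":
    samples = ["Charlie2012!", "Ch@rlie2012", "Mypassword1@", "J0hn4th4n", "xK9#qLm2$vR7pW4z"]
    for pw in samples:
        print(f"{pw:20} layout={matches_common_layout(pw)!s:5} base={predictable_base(pw)}")
```

Every human-style sample above reduces to a word in the list, while the generated string reduces to nothing. A signup form or a personal audit of an existing vault can run this kind of check to flag passwords that are "new" only in the sense that a digit or symbol moved.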
Using a password manager.
Use a password manager. You’ve heard this advice all across the web, over and over. I think most people are put off by the idea of a password manager since they think that it’ll be something difficult to use. A password manager syncs all your data online so you have it anywhere, whether you’re on your computer or on your phone. Browser extensions, mobile apps, and desktop software are widely available for most well-known password managers. And they virtually all have autofill functionality, so you won’t have to manually copy and paste your credentials each time you hit a login page. Password manager apps on your phone even integrate right into your keyboard.
The other common pushback against a password manager is the hassle of adding passwords across every site that you use. Starting to use a password manager doesn’t mean you need to instantly set it up for every single site. It can be a gradual thing, starting with the most important accounts first. Add sites like your email and bank, and slowly add other sites as you use them. For example, the next time you visit Facebook, make sure to add your account into the password manager if it’s not already there.
A password manager is useless if you don’t change your old passwords. When adding an existing account to your password manager, make sure you change the password to a secure one. You can use the password generator feature built right into your password manager. It will create a long string of random characters, including uppercase letters, lowercase letters, numbers, and special characters. There is no specific pattern or sequence that would make it easily guessable based on common human behavior. I would recommend that you generate a password with at least sixteen characters to increase the cracking difficulty.
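To show what a generator like the one built into a password manager actually does, here is an added Python example (not the post's code and not Bitwarden's implementation). It draws from the operating system's CSPRNG via the `secrets` module, guarantees every character class is present, and reports the entropy of the result; the passphrase word list is a constructed toy list standing in for a real one with thousands of entries.

```python
import math
import secrets
import string

# Character classes a generator should cover; the alphabet is their union (94 symbols).
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
ALPHABET = "".join(CLASSES)

# Constructed toy word list; a real passphrase list has thousands of words.
WORDS = ["apple", "english", "grandma", "statue", "river", "copper", "lantern", "velvet",
         "harbor", "meadow", "pencil", "tunnel", "orbit", "walnut", "saddle", "glacier"]


def has_all_classes(password: str) -> bool:
    """True when lowercase, uppercase, digit and punctuation all appear."""
    return all(any(c in cls for c in password) for cls in CLASSES)


def generate_password(length: int = 16) -> str:
    """Uniformly random password from ALPHABET with every class present.

    Rejection sampling (draw, then retry until all classes appear) keeps the
    distribution uniform over the accepted strings. Picking one character from
    each class and shuffling would bias the result instead.
    """
    if length < 16:
        raise ValueError("use at least sixteen characters")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(candidate):
            return candidate


def generate_passphrase(word_count: int = 4, words=WORDS, sep: str = "-") -> str:
    """Random words joined by sep; strength comes from list size and word count."""
    return sep.join(secrets.choice(words) for _ in range(word_count))


def entropy_bits(symbol_count: int, pool_size: int) -> float:
    """Upper bound on entropy for symbol_count independent uniform picks from pool_size."""
    return symbol_count * math.log2(pool_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Years needed to try every candidate at a given guess rate (the attacker's worst case)."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    pw = generate_password(16)
    print(pw, f"{entropy_bits(16, len(ALPHABET)):.1f} bits")
    phrase = generate_passphrase(4)
    print(phrase, f"{entropy_bits(4, len(WORDS)):.1f} bits (toy list)")
    # Assumed guess rate purely for illustration; real rates depend on the hash in use.
    print(f"{years_to_exhaust(entropy_bits(16, len(ALPHABET)), 1e10):.3g} years at 1e10 guesses/s")
```

The entropy figure is an upper bound because forcing all four classes removes a tiny fraction of the keyspace, but sixteen characters from a 94-symbol alphabet still sit near 105 bits, far beyond anything a human-chosen password reaches. The same function applied to the toy word list makes the point that a passphrase's strength is the list size raised to the word count, not the number of letters on screen.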
I personally recommend Bitwarden as my password manager of choice. It’s completely free, with an optional $10/year paid subscription if you need additional features like hardware security key support or access to the built-in 2FA authenticator. That’s effectively less than $1/month for a premium password manager. It’s open source as well, which means all the code is public. Anyone, including security professionals and researchers, can freely audit the software for bugs or vulnerabilities.
Common questions.
“Wouldn’t a password manager be the same as placing all my eggs in one basket?” Well, yes and no. It’s true that you’re relying on a password manager to store all your passwords in one centralized location. If someone is able to figure out your master password, they’ll essentially have access to all the passwords you’ve stored. But if it’s locked behind a very strong master password, then your underlying passwords are secure. It’s critical to use a master password that you’ve never, ever previously used anywhere else. Don’t even consider reusing a password from another site, even one that hasn’t been breached yet. It’s important that you also enable 2FA on your password manager to further strengthen its security.
“What if the password manager gets hacked?” If you’re using a good password manager, this is a non-issue. Good password managers utilize very strong, modern encryption standards. If there is a breach and hackers steal all the data, everything remains securely encrypted. Your data remains a jumbled mess that cannot be deciphered without your master password. Your master password is essentially like the private key that protects your information. Not even the password manager company can access the contents. That doesn’t mean you should keep the same passwords after a breach, though. You have a long window of time available to change your master password and all your underlying passwords.
“What if the web vault goes offline?” Password managers usually store a cached copy of your most recent passwords directly on your device. For example, if you’re using the browser extension or mobile app, you’ll have access to all your most recently synced data available for offline use. This is convenient when the primary password manager site is down for maintenance or you’re in an area with spotty cellular data service.
Additional considerations.
A password manager is not an excuse for you to lapse in other areas of internet security. Although a password manager is an extremely useful tool to generate long, unique passwords for every single site, it is not secure if you aren’t. Password manager companies harden themselves against attacks, but that doesn’t mean your own devices are hardened. If you often browse shady sites or download questionable files, you may find your device infected with malware. Malware can record all your keystrokes to steal your master password or even directly read all the contents of your vault. When is the last time you checked which browser extensions you have installed? Do you fully trust the developers? Most extensions can read and edit all your browser data, and many have turned malicious after securing a large enough user base. Make sure you take security seriously to avoid becoming a victim.
Some sites use multiple different URLs. For example, Hulu, Disney Plus, and ESPN Plus all use the same account credentials regardless of which site you choose to log into. If you first logged into Hulu and added that account to your password manager, you may not see an account available to autofill when visiting Disney Plus or ESPN Plus. That’s because you need to manually add the domains that the account covers, so it can correctly match all the sites it applies to. The same applies to websites that lead you to an interstitial page on a different domain to log in, before redirecting you back to the main site.
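The matching behaviour described above is easy to see in a few lines. The following Python is an added example, not the post's code and not how any particular password manager is implemented: a vault entry carries a list of URIs, and autofill offers the entry only when the page's registrable domain equals one of them. The multi-label suffix set is a constructed subset; real managers consult the full Public Suffix List. The `example.com` / `example-sso.net` pair is a placeholder for a site that logs in through an interstitial page on another domain.

```python
from __future__ import annotations

from urllib.parse import urlsplit

# Constructed subset of multi-label public suffixes; real password managers
# consult the full Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(host: str) -> str:
    """'auth.hulu.com' -> 'hulu.com'; 'accounts.example.co.uk' -> 'example.co.uk'."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def _domain_of(url: str) -> str:
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no host in {url!r}")
    return registrable_domain(host)


class VaultEntry:
    """One login with the list of sites it applies to (base-domain matching)."""

    def __init__(self, name: str, uris):
        self.name = name
        self.uris = list(uris)

    def add_uri(self, uri: str) -> None:
        """Register another site that accepts the same credentials."""
        self.uris.append(uri)

    def matches(self, page_url: str) -> bool:
        target = _domain_of(page_url)
        return any(_domain_of(u) == target for u in self.uris)


def autofill_candidates(vault, page_url: str) -> list[str]:
    """Names of entries the extension would offer on the given page."""
    return [entry.name for entry in vault if entry.matches(page_url)]


if __name__ == "__main__":
    bundle = VaultEntry("Hulu / Disney bundle", ["https://www.hulu.com/login"])
    # Placeholder site whose login page lives on a separate identity-provider domain.
    bank = VaultEntry("Example bank", ["https://www.example.com"])
    vault = [bundle, bank]

    print(autofill_candidates(vault, "https://www.disneyplus.com/login"))   # []
    bundle.add_uri("https://www.disneyplus.com")
    print(autofill_candidates(vault, "https://www.disneyplus.com/login"))   # ['Hulu / Disney bundle']

    print(autofill_candidates(vault, "https://login.example-sso.net/auth")) # []
    bank.add_uri("https://login.example-sso.net")
    print(autofill_candidates(vault, "https://login.example-sso.net/auth")) # ['Example bank']
```

Base-domain matching is why a login saved on `www.hulu.com` already fills on `auth.hulu.com` but not on `disneyplus.com`, and why a site that bounces you to a separate identity-provider domain needs that domain added to the entry as well. Matching on the registrable domain rather than on a hostname prefix also keeps an entry from being offered on an unrelated site that merely starts with the same letters.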
Other takeover tactics.
There are other account takeover tactics aside from the ones I’ve mentioned. One example is using security question answers from sites that have been breached. How often do you choose the same exact security questions when creating an account on different websites? Your mother’s maiden name doesn’t change. Neither does your first pet’s name. Or your place of birth. Or your high school mascot. When sites get breached, security questions and answers are also part of that. Hackers can use the same security questions and answers to fraudulently “recover” accounts on sites where you also used the same info. This can completely bypass sending an account recovery or password reset email. It’s a good idea to use fake security question answers and record them in your password manager.
“SIM swapping” has been in the news over the past decade. This is a tactic in which hackers gain access to insiders or pose as you to obtain a copy of your SIM card. They may have a partner working as a customer support agent at a cell carrier who can process a duplicate SIM. Or they have partners who go into physical stores with a fake ID to impersonate you and obtain the replacement SIM. This means they’ll silently gain access to all your incoming SMS messages, like 2FA codes. Those codes can then be used to break into your accounts. All the major carriers have optional features available to significantly reduce the possibility of a SIM swap. AT&T has Wireless Account Lock, Verizon has SIM Protection, and T-Mobile’s is also called SIM Protection.
Of course, there are other kinds of attacks that are in use. It can even be as simple as social engineering a customer support rep. You can never be too careful as threats are ever-evolving. Stay safe.