In my work as a Lead Support Engineer, I spend a meaningful chunk of every week looking at the same problem from different angles. Patch missing on a server. Endpoint flagged by our EDR. A login attempt from an unusual country at 3 AM. Different tools, different alerts, different platforms — but pull on the thread long enough and most of them lead back to the same place: a password that shouldn’t have worked, working anyway.

This guide is everything I’d want a friend or family member to know about passwords in 2026. It’s not a “10 tips” listicle. It’s the actual map: how we got here, what the threats are, what works, and what to do this week. If you only ever read one article on this site, make it this one.


How we got here: a brief history of bad advice

Almost every confusing thing about password security today is a leftover from a rule that made sense at the time and stopped making sense ten years ago. A quick tour:

The 1990s taught us that passwords should be at least 6-8 characters and contain a mix of uppercase, lowercase, and a digit. This was sensible when computers were slow and breach databases didn’t exist. It also taught entire generations to write Password1 and call it a day.

The 2000s added “must contain a special character” and “must change every 90 days.” The first rule produced Password1! and Spring2007!. The second rule produced Spring2008!, Spring2009!, and so on. By 2010, most “complex” enterprise passwords were variations on the same handful of patterns, easily guessable by automated tools.

The 2010s changed everything by introducing the breach. LinkedIn (2012), Adobe (2013), Yahoo (2013-2014), and dozens of others leaked hundreds of millions of email-password combinations. For the first time, attackers didn’t have to guess your password — they could just look it up. If you reused one password across multiple sites, a breach on a low-importance forum became a master key.

By the late 2010s, NIST — the U.S. agency that defines the password rules the rest of the world tends to follow — published a new guideline (SP 800-63B) that quietly reversed decades of advice. The headlines:

  • Length matters more than complexity.
  • Don’t force users to change passwords on a schedule.
  • Don’t allow passwords that appear in known-breach lists.
  • Stop forcing symbol requirements.

Most of the public, and many IT departments, missed the memo. In 2026, a frustrating amount of password guidance you’ll read online is still based on the 2007 model. That’s the gap this guide is trying to close.


What actually makes a password strong

There’s a measurable quality called entropy — essentially the number of guesses an attacker would need on average to land on your password. Higher entropy = harder to crack. The math is straightforward but two intuitions matter more than the formula:

1. Length is multiplicative; complexity is additive.

Every character you add to a password makes it exponentially harder to guess. Every additional rule (must contain a number, must contain a symbol) only adds a fixed amount of difficulty. After about 12-14 characters, length wins by such a wide margin that adding symbols barely registers.

A concrete example: a 16-character all-lowercase password is mathematically stronger than an 8-character password that uses uppercase, lowercase, digits, and symbols. Far stronger. The “complex” 8-character password can be cracked in hours on a modern gaming GPU. The 16-character lowercase one would take centuries.

2. Predictability collapses entropy.

Password1! has 11 characters and meets every classic complexity rule. It also takes roughly zero seconds to crack, because every password-cracking tool tests common substitutions (a → @, o → 0, i → 1) and predictable suffixes (1!, 2024, 123) before it tries anything genuinely random.

This is why the best-defended passwords aren’t “complicated” in the colloquial sense — they’re unpredictable. A passphrase like purple-monkey-dishwasher-rainbow has higher real-world entropy than X9q$Mz!7 despite looking gentler to a human eye.

For a deeper walkthrough on building a strong password from scratch, see How to Create a Strong Password in 2026.
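As an added illustration (this is example code written for this article, not a tool from this site), the two intuitions above in a few lines of Python: a naive estimate where the character set is the base and the length is the exponent, and a second estimate that collapses when the password is a common word plus a predictable suffix, the family a cracker tries first. The word list, the suffix pattern, the leet table and the guess rate are constructed assumptions, not real cracker rules.

```python
import math
import re

# Constructed sample of what cracking tools try first: a short list of common
# base words and the predictable suffixes people append to them.
COMMON_WORDS = {"password", "welcome", "spring", "summer", "letmein", "qwerty"}
LEET = str.maketrans("@013$", "aoies")          # undo a→@, o→0, i→1, e→3, s→$
SUFFIX = re.compile(r"\d{0,4}[!?.]{0,2}$")      # 1!, 2007!, 2024, !! ...


def charset_size(pw: str) -> int:
    """Pool a brute-force attacker must assume. Each character class only
    adds to this base; the length is the exponent (complexity is additive)."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        size += 33                                # printable ASCII symbols
    return size


def brute_force_bits(pw: str) -> float:
    """Naive entropy: log2(charset ** length). Length is multiplicative."""
    if not pw:
        return 0.0
    return len(pw) * math.log2(charset_size(pw))


def realistic_bits(pw: str) -> float:
    """Collapse the estimate when the password is a common word plus a
    predictable suffix and leet substitutions. Assumed rough model of the
    cost of that rule family: ~10^4 base words x 2 capitalisations x
    4 leet variants x 2^10 suffixes, which is about 26 bits."""
    core = SUFFIX.sub("", pw).lower().translate(LEET)
    if core in COMMON_WORDS:
        return math.log2(10_000) + 1 + 2 + 10
    return brute_force_bits(pw)


def years_to_crack(bits: float, guesses_per_second: float = 1e11) -> float:
    """Average time to hit the password. 1e11 guesses/s is an assumed rate for
    a fast unsalted hash on one modern GPU; on average half the space is searched."""
    return 2 ** bits / 2 / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    for pw in ("X9q$Mz!7", "purplemonkeydish", "Password1!", "Spring2007!", "P@ssw0rd"):
        bits = realistic_bits(pw)
        print(f"{pw:18} {bits:5.1f} bits  ~{years_to_crack(bits):.2e} years")
```

The 16-character lowercase string scores well over 70 bits and thousands of years at that rate; the 8-character "complex" one scores about 52 bits and well under a year, and Password1! collapses to roughly 26 bits.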


The attacks you’re actually defending against

Not all attacks are created equal, and you don’t have to defend against all of them. Most personal accounts face four real threats. Here they are, in order of how likely they are to actually hit you.

1. Credential stuffing (the most common, by far)

Attackers download a leaked database from a breach — usually millions of email/password pairs — and try them at scale against other websites. The logic is simple: if your email and password worked at Forum X in 2019, there’s a meaningful chance the same combination still works at your bank, your email provider, or your shopping accounts.

This is the threat that catches most people. Defense: never reuse a password. Once. Ever. A unique password per account makes a credential stuffing attack against you mathematically pointless.

2. Phishing

You’re sent an email that looks like it’s from your bank, you click the link, you type your password into a fake login page. The password’s strength is irrelevant — you handed it over.

Defense: phishing-resistant authentication (passkeys, hardware keys), URL vigilance, and 2FA on every account that supports it. A real attacker who phishes your password but doesn’t have your second factor is stopped.

3. Brute force (much less common than people think)

The “thousand guesses per second” attacks you’ve seen in movies are real, but they almost never target normal personal accounts directly. Online services lock you out after a small number of failed attempts. Brute force matters when an attacker has already stolen a database of hashed passwords and is trying to reverse them offline — at which point we’re back to scenario 1 or scenario 4.

For real numbers on how fast modern hardware can guess passwords, see How Long Does It Really Take to Crack Your Password?

4. Targeted social engineering

A specific human is trying to break into a specific account belonging to a specific person. They research you, they read your social media, they guess your security questions, they call your phone company pretending to be you.

This is rare — but if you’re a journalist, an activist, a public figure, or someone with significant cryptocurrency holdings, you may genuinely be a target. The defenses are different here: hardware security keys, account-recovery hardening, separating identities, and treating “security questions” as a second password rather than honest answers.

For most readers, threats 1 and 2 are 95% of what matters. Get those right and you’ve solved the realistic problem.


The five pillars of personal password security

If you do nothing else, do these five things. In rough order of impact.

Pillar 1: Use a password manager. Non-negotiable in 2026.

This is the single most impactful change anyone can make. A password manager generates a unique, random, long password for every account, stores them all encrypted behind one master password (or biometric), and types them in for you. You stop having to remember anything except your master password.

The objections people raise — “but it’s a single point of failure,” “what if I lose my master password,” “isn’t it risky to put all your passwords in one place” — all have answers. The short version: a well-designed password manager (Bitwarden, 1Password, Proton Pass, KeePass) is dramatically safer than the alternative, which is some combination of password reuse, sticky notes, and the same six passwords rotated across hundreds of sites.

For a comparison of the major options — features, architecture, pricing — see Best Password Managers 2026.

Pillar 2: A unique password for every account. Yes, every one.

Once you have a password manager, this becomes trivial — let it generate a 20-character random password for every account you create. Once you have a few hundred random passwords in your vault, a credential stuffing attack against any one of them is harmless to the others.

The only password you have to remember is your master password. Make it a long passphrase (Pillar 3).

Pillar 3: For passwords you must remember, use passphrases.

Some passwords still need to live in your head: your password manager’s master password, the PIN to your laptop, maybe your email account if you want a true offline backup. These need to be both strong (high entropy) and memorable (you’ll never lose it).

The answer is the passphrase: four to six unrelated words strung together. velvet-coffee-sunrise-mountain-pebble is far stronger than any short complex password, and a normal human can actually remember it after a couple of days of use. Generate the words randomly — don’t pick “memorable” words from a song or a name, because those reduce entropy.

How to actually generate one (the boring but correct way):

The classic method is called Diceware. You roll five dice, look up the result in a published wordlist, and that gives you one word. Repeat five or six times. The randomness has to come from outside your head — your brain is terrible at being random, and any word you pick is more guessable than you think.

Three practical approaches, in order of how secure they are:

  1. Use a password manager’s built-in passphrase generator. Bitwarden, 1Password, and most others can generate Diceware-style passphrases at the click of a button. Set length to 5-6 words, pick a separator (hyphen is fine).
  2. Use the EFF’s published wordlist with real dice. The Electronic Frontier Foundation maintains a public wordlist (search “EFF Diceware wordlist”) that’s been specifically curated for memorability. Roll five physical dice, read off the matching word, repeat. Old-school but provably random.
  3. Use our passphrase generator on this site. Same principle, but in your browser — nothing is transmitted.

A few rules of thumb: avoid any word that means something specific to you (your dog’s name, your street, your favorite band), don’t capitalize the first letter of each word in a predictable way, and don’t substitute letters for numbers — those tricks reduce entropy without adding meaningful security. The strength comes from length and randomness, not from looking complicated.
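The Diceware procedure above as an added example in Python (written for this article; it is not the generator on this site or the EFF’s code). The dice come from the operating system’s CSPRNG via the secrets module rather than from your head, the wordlist parser expects the EFF file format of five dice digits, a tab and a word per line, and the filename eff_large_wordlist.txt and the placeholder wordlist are assumptions so the script runs offline.

```python
import math
import secrets
from itertools import product


def roll_dice(n: int = 5) -> str:
    """Five rolls of a fair d6 from the OS CSPRNG, returned as a Diceware key
    such as '31415'. With physical dice, read the faces in the order rolled."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(n))


def load_wordlist(lines) -> dict[str, str]:
    """Parse the EFF format: '<5 dice digits><tab><word>' on each line.
    A complete list has 6**5 = 7776 entries; anything else is rejected, since
    a short list silently lowers the entropy of every passphrase."""
    table = {}
    for line in lines:
        key, _, word = line.strip().partition("\t")
        if len(key) == 5 and set(key) <= set("123456") and word:
            table[key] = word
    if len(table) != 6 ** 5:
        raise ValueError(f"expected 7776 entries, got {len(table)}")
    return table


def passphrase(table: dict[str, str], words: int = 6, sep: str = "-") -> str:
    """One random word per five-dice roll, joined by the separator."""
    return sep.join(table[roll_dice()] for _ in range(words))


def passphrase_bits(words: int, list_size: int = 6 ** 5) -> float:
    """Entropy of a truly random passphrase: each word adds log2(7776) ≈ 12.9 bits,
    so five words give ~64.6 bits and six give ~77.5 bits."""
    return words * math.log2(list_size)


# Constructed stand-in for the real EFF file: every possible key maps to a
# placeholder token. Swap in the real file to get readable words.
SAMPLE_LINES = [f"{''.join(k)}\tword{i:04d}"
                for i, k in enumerate(product("123456", repeat=5))]

if __name__ == "__main__":
    table = load_wordlist(SAMPLE_LINES)   # or: load_wordlist(open("eff_large_wordlist.txt"))
    print(passphrase(table), f"~{passphrase_bits(6):.1f} bits")
```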

Pillar 4: Enable 2FA on every account that supports it.

Two-factor authentication adds a second check beyond your password — typically a code from an app like Authy, Google Authenticator, or Microsoft Authenticator. Even if your password leaks, an attacker without your second factor can’t get in.

Pick the right kind of 2FA, in this order of preference:

  1. Hardware security key (YubiKey, Google Titan) — strongest, phishing-resistant
  2. Authenticator app with TOTP codes (Authy, Aegis, Google Authenticator) — strong, easy
  3. Push notification from the service’s own app (e.g., Microsoft Authenticator) — strong, easy
  4. SMS codes — better than nothing, but vulnerable to SIM-swap attacks; avoid for important accounts

SMS 2FA on your email and bank is widely deployed but increasingly inadequate. If those services offer app-based 2FA, switch.

A note on hardware security keys.

If you’ve made it this far in the guide and you’re thinking “I want the strongest setup possible,” the answer is a hardware security key. These are small USB or NFC devices — the most common brands are YubiKey, Google Titan, and Thetis — that act as a physical second factor. When a service asks you to authenticate, you plug in the key or tap it to your phone, touch the button, and you’re done. There’s nothing to copy, nothing to phish, and no battery to die.

What makes hardware keys uniquely strong is that they’re phishing-resistant. A normal TOTP code can be re-typed into a fake login page by an attacker who tricked you, and the real site will accept it, because the code is just six digits with no connection to where you typed them. A hardware key’s credential is bound to the website it was registered on: the browser tells the key which site it is actually talking to, and if the domain doesn’t match, the key has no credential for it and simply refuses to authenticate. That’s a property no other consumer 2FA method has.

Practical recommendation: buy two identical keys (one to use, one as backup in a drawer or safe at home). A YubiKey 5 NFC or a Google Titan key costs around €50-60 each. Register both on the accounts that matter most to you — typically your primary email, your password manager itself, and your Microsoft and Google accounts. Those four control the rest of your digital life. If you lose your daily-carry key, the backup gets you back in.

For most people, hardware keys are overkill. For anyone who works in IT, manages other people’s accounts, holds significant cryptocurrency, or has reason to think they might be specifically targeted — they’re a genuine step-change in security for under a hundred euros.

Pillar 5: Plan for the day you lose access.

Every account-recovery system is a potential bypass for your own security. If your “recovery email” or “security questions” are weaker than your password, attackers know to target those instead.

Three things to do today:

  • For each important account, check what the recovery options are. Are they good enough?
  • Store your password manager’s emergency recovery kit somewhere safe but accessible (a fireproof safe, a sealed envelope at a relative’s house, encrypted on a backup drive — not in your inbox).
  • For your most critical accounts (primary email, password manager, financial), enable 2FA and save the recovery codes somewhere offline.

The single most underrated piece of advice in personal security: spend 30 minutes thinking about how you’d recover if your phone was stolen tomorrow. That mental exercise will surface every weak link in your setup.


Beyond passwords: the rise of passkeys

You’re going to hear more about passkeys over the next year or two. Here’s the short version.

A passkey is a cryptographic credential stored on your device (phone, laptop, hardware key) that replaces the password entirely. When you log in, the website challenges your device; your device proves it has the key without ever transmitting anything an attacker could steal. There’s nothing to phish, nothing to leak in a breach, and nothing to remember.
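An added example for the two mechanisms described above and in the hardware-key section (written for this article, not code from any vendor or from the WebAuthn standard): a real RFC 6238 TOTP generator next to a deliberately simplified origin-bound credential. Assumptions: an HMAC over a per-credential secret stands in for WebAuthn’s public-key signature, and examp1e.com is a constructed look-alike domain used only to show why the key refuses.

```python
import hashlib
import hmac
import secrets
import struct


# --- TOTP (RFC 6238): the code depends only on the shared secret and the clock,
# so digits typed into a look-alike page can be relayed within the 30 s window.
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp_login(server_secret: bytes, typed_code: str, now: int) -> bool:
    # The server only sees the digits; it cannot tell where they were typed.
    return hmac.compare_digest(totp(server_secret, now), typed_code)


# --- Origin-bound credential, simplified: the BROWSER derives the relying-party
# id from the page origin, the key only answers for an rp id it was registered
# for, and the rp id is mixed into what gets signed (HMAC stands in for the
# real signature; the real server would hold a public key, not the secret).
def rp_id_from_origin(origin: str) -> str:
    host = origin.split("://", 1)[1].split("/", 1)[0]
    return host.split(":", 1)[0].lower()


def register(rp_id: str) -> dict:
    return {"rp_id": rp_id, "secret": secrets.token_bytes(32)}


def authenticator_sign(cred: dict, challenge: bytes, page_origin: str) -> bytes:
    rp_id = rp_id_from_origin(page_origin)
    if rp_id != cred["rp_id"]:
        raise LookupError(f"no credential registered for {rp_id}")
    return hmac.new(cred["secret"], challenge + rp_id.encode(), hashlib.sha256).digest()


def server_verify(cred: dict, challenge: bytes, response: bytes) -> bool:
    expected = hmac.new(cred["secret"], challenge + cred["rp_id"].encode(),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def phishing_outcome(now: int = 1_700_000_000) -> tuple[bool, bool, bool]:
    """Constructed scenario: the user lands on examp1e.com instead of example.com.
    Returns (totp_relay_accepted, key_answers_on_fake_site, genuine_login_ok)."""
    totp_secret = secrets.token_bytes(20)
    cred = register("example.com")
    challenge = secrets.token_bytes(32)            # issued by the real site
    # 1. Code read from the app, typed into the fake page, relayed by the attacker.
    totp_relay_accepted = totp_login(totp_secret, totp(totp_secret, now), now)
    # 2. Same user, same fake page, hardware key: browser reports examp1e.com.
    try:
        authenticator_sign(cred, challenge, "https://examp1e.com/login")
        key_answers_on_fake_site = True
    except LookupError:
        key_answers_on_fake_site = False
    # 3. On the genuine origin the key answers and the server accepts.
    response = authenticator_sign(cred, challenge, "https://example.com/login")
    return totp_relay_accepted, key_answers_on_fake_site, server_verify(cred, challenge, response)
```

Running phishing_outcome() gives (True, False, True): the relayed TOTP code is accepted, the key never produces a response for the wrong origin, and the genuine login still works.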

Major platforms — Apple, Google, Microsoft — now support passkeys, and the list of websites that accept them is growing fast. As of 2026, you can sign into Google, GitHub, Amazon, PayPal, Microsoft, and many others with a passkey. For most major accounts, it’s already a viable replacement.

Practical advice for 2026:

  • When a site offers a passkey, enable it. It’s almost always more secure than your password + 2FA combination.
  • Don’t delete your password — keep it as a backup. Passkey ecosystems are still maturing, and you may need the fallback.
  • Your password manager (Bitwarden, 1Password, etc.) almost certainly stores passkeys too. Use it as your passkey vault as well as your password vault — that way they travel with you between devices.

Passkeys are not yet a complete replacement. Some sites still don’t support them, recovery flows are still being figured out, and edge cases (shared family accounts, work accounts with enterprise policies) get messy. But they’re the direction the industry is moving, and adopting them early on the sites you actually use is a quiet, easy security win.


What I see go wrong in real IT work

This is the part where I’m allowed to talk about what actually shows up in tickets, alerts, and post-incident reviews — without naming any specific organization or person, of course.

Five patterns come up over and over:

Pattern 1: Passwords stored in a .txt file or Excel sheet on the desktop. By far the most common thing I see. A file named passwords.txt, a Wachtwoorden.xlsx on the desktop, a note in OneNote, a sticky-note app — all of them in plain text, all of them readable to anyone who sits down at the machine, gets remote access, or hits the machine with ransomware. People do this not because they don’t care, but because nobody ever showed them an alternative that’s easier than a text file. The fix is the same one this whole guide keeps coming back to: install a password manager. Moving the contents of passwords.txt into it takes an afternoon. Then delete the file (and empty the recycle bin, and overwrite the free disk space if you’re being thorough).

Pattern 2: The “one strong password” used everywhere. People proudly tell me they use a 16-character password with symbols, uppercase, the works. Then it turns out it’s the same 16 characters on every site they’ve registered with since 2017. One breach in 2019 made that password worthless, and they had no idea.

Pattern 3: Personal info as the “secret.” Pet names, birth years, kids’ initials, the street they grew up on. All of it is on someone’s Facebook or LinkedIn within five minutes of looking. The same information shows up as both the password and the answer to the security questions, which means an attacker who finds one knows the other.

Pattern 4: 2FA enabled, but on the same device as the password manager. A surprising number of people store their 2FA codes inside the same password manager that holds their passwords, all on the same phone. If the phone is stolen and the master password leaks, both factors fall in one go. Splitting the 2FA codes to a different app (or a hardware key, or a backup device) restores the “two” in two-factor.

Pattern 5: No recovery plan. People set everything up perfectly, then never think about what happens if their phone breaks. When the phone dies, they realize their authenticator app didn’t sync, their backup codes are saved in their email (which requires the authenticator app to log in), and they’re locked out of their own life. The fix is boring: save recovery codes offline, and test your recovery path once a year.

For a longer breakdown of the most common preventable mistakes, see The 10 Biggest Password Mistakes Hackers Love to Exploit.


What to do this week — a 30-minute plan

Skip the rest if you only want the action items.

Today (10 minutes):

  1. Pick a password manager and install it. If you have no preference: Bitwarden (free, open source) or 1Password (paid, very polished) are both excellent. Don’t agonize — picking any of the major ones is better than not picking one.
  2. Set a strong master password. Use a passphrase: four to six unrelated words, lowercase, separated by hyphens. Write it down once on paper, then never again.
  3. Enable 2FA on your password manager itself.

This weekend (20 minutes):

  1. Open your primary email account (the one tied to all your password resets). This is the most important account you own. Generate a new long password using the manager, change your email password to it, enable 2FA if you haven’t already, and save the recovery codes offline.
  2. Do the same for your bank, your phone carrier login, and your password manager itself. Four accounts, ten minutes each. These four control everything else.
  3. From now on: any new account you create gets a unique generated password. Don’t try to migrate all your old passwords at once — that way lies giving up. Just fix the next account you log into, then the next, until eventually the bad ones are gone.

That’s it. The above setup alone puts you ahead of probably 95% of internet users in 2026.

For an honest look at why people stick with terrible passwords despite years of warnings — and how to actually break out of it — see Why “123456” Is Still #1 in 2026.


Closing

If you’ve read this far, you already care more about your digital security than most people. The remaining work is small and concrete: install a password manager, sort out your four most important accounts, and let the rest follow.

If you want to put what you’ve read into practice without leaving the site:

  • Test a current password against our strength tester — all analysis happens in your browser, nothing leaves your device.
  • Generate a new strong password with the generator.
  • Read the longer-form Security Guide for more depth on attacks and standards.

And if you find an error in this article, or want to suggest something I’ve missed — please email me. I’d much rather correct it than pretend it isn’t there.

— Carlo van Leeuwen, Lead Support Engineer PassGuard Check