
Password Best Practices: Create and Manage Secure Passwords

Password best practices for 2026: why reuse is the biggest risk, what a genuinely strong password looks like, how password managers work, and passkeys explained.

8 min read · 16 March 2026 · Norypt Team · Updated 18 March 2026

Passwords are the most widely exploited point of failure in personal and organisational security. Most people know their password habits are imperfect. Fewer understand exactly why those habits fail — or what "good" looks like in practice. This guide covers what matters, why it matters, and what to do about it.

Why password reuse is the biggest risk

Data breaches happen constantly. Major services — LinkedIn, Adobe, Dropbox, Yahoo — have leaked hundreds of millions of credentials over the past decade. When a breach occurs, the stolen username/password combinations are tested automatically against every major platform. If you use the same password on your email as you did on a breached forum from 2018, your email account is at risk right now.

This is called credential stuffing, and it is the single most common cause of account compromise. The defence is simple: every account gets a unique password. If one service is breached, the damage is contained to that service only.

What makes a strong password

Password strength is primarily a function of length and randomness. Complexity rules (requiring capitals, numbers, and symbols) are less important than raw length — and often lead to predictable patterns (Password1! is technically complex and practically useless).

  • Length: At least 16 characters for standard accounts; 20+ for critical accounts (email, banking, password manager master password).
  • Randomness: Generated by software, not chosen by a human. Human-chosen passwords follow predictable patterns that significantly reduce the effective search space.
  • No personal information: Names, birthdays, pet names, and addresses appear in wordlists that attackers use to speed up password cracking.
  • No famous examples: Any password published as a "good" example — including "correcthorsebatterystaple" — should be treated as compromised. It has been widely shared, and shared passwords end up in attacker wordlists. Use words you select randomly yourself, not examples from any guide.

Passphrases for passwords you need to remember

For passwords you must memorise — your password manager master password, full-disk encryption passphrase, and possibly your email password — a diceware passphrase is the best approach. You physically roll dice to select words from a numbered wordlist, producing something like "marble-fixed-tiger-echo-carve" (an illustration only; do not use it). Six or more words give you a passphrase that is both memorable and resistant to brute force.

The key is genuine randomness in word selection — not words you chose because they're memorable. Physically rolled dice produce randomness you can verify; picking words in your head does not.
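To make the length-and-randomness argument concrete, here is a small added example (not code from the guide or from Norypt) that computes the entropy of the recommendations above, generates a random password the way a password manager does, and shows how five physical dice rolls map onto a wordlist index. It uses Python's `secrets` CSPRNG as a software stand-in for dice, and a constructed eight-word list in place of the real EFF long list, which has 6^5 = 7776 entries.

```python
import math
import secrets
import string

# The character set a password manager typically draws from: 94 printable
# ASCII symbols (letters, digits, punctuation), no whitespace.
PASSWORD_ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed stand-in for a diceware wordlist. The real EFF long list has
# 6**5 = 7776 entries, one per five-dice roll; this one only shows the mechanics.
SAMPLE_WORDLIST = [
    "marble", "fixed", "tiger", "echo", "carve", "lantern", "orbit", "quartz",
]
EFF_LONG_LIST_SIZE = 6 ** 5  # 7776


def entropy_bits(choices: int, count: int) -> float:
    """Entropy of `count` independent, uniformly random picks from `choices` options."""
    return count * math.log2(choices)


def random_password(length: int = 20, alphabet: str = PASSWORD_ALPHABET) -> str:
    """Software-generated password: every character is an independent CSPRNG draw."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def dice_to_index(rolls) -> int:
    """Map five physical dice rolls (each 1-6) to a zero-based wordlist index.
    1,1,1,1,1 -> 0 and 6,6,6,6,6 -> 7775, i.e. the base-6 reading of the rolls."""
    if len(rolls) != 5 or any(r not in range(1, 7) for r in rolls):
        raise ValueError("need exactly five rolls, each between 1 and 6")
    index = 0
    for r in rolls:
        index = index * 6 + (r - 1)
    return index


def diceware_passphrase(words: int = 6, wordlist=SAMPLE_WORDLIST, sep: str = "-") -> str:
    """Passphrase from uniformly random wordlist picks. `secrets` stands in for
    physical dice here; the guide recommends real dice for the master passphrase."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def compare() -> dict:
    """Bits of entropy for the guide's recommendations, side by side."""
    return {
        "16 random chars (94-symbol alphabet)": entropy_bits(len(PASSWORD_ALPHABET), 16),
        "20 random chars (94-symbol alphabet)": entropy_bits(len(PASSWORD_ALPHABET), 20),
        "6 diceware words (7776-word list)": entropy_bits(EFF_LONG_LIST_SIZE, 6),
        "8 diceware words (7776-word list)": entropy_bits(EFF_LONG_LIST_SIZE, 8),
    }


if __name__ == "__main__":
    for label, bits in compare().items():
        print(f"{label}: {bits:.1f} bits")
    print("random password:", random_password())
    print("passphrase:", diceware_passphrase())
    print("rolls 3,1,4,1,5 ->", dice_to_index([3, 1, 4, 1, 5]))
```

Six words from a 7776-word list come to about 77.5 bits and sixteen random characters from the full printable set to about 104.9 bits; both are well beyond what offline cracking can exhaust, and the numbers only hold when the picks are uniformly random, which is the point of the dice.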

Use a password manager

A password manager generates, stores, and fills a unique random password for every account. You remember one strong master password; the manager handles the rest. Without a password manager, using unique passwords for every account is practically impossible — most people have dozens to hundreds of accounts.

Well-regarded options:

  • Bitwarden — open source, independently audited, free tier is genuinely sufficient for most users. Self-hosted option available.
  • 1Password — polished interface, strong security track record, good team sharing features. Paid only.
  • KeePassXC — fully offline, no cloud component, stores the database file locally. Maximum control, but more setup required.

Avoid storing passwords in browser-based password managers without a master password. Chrome and Edge offer to save passwords, but these are not properly isolated if someone gains access to your browser profile.

Two-factor authentication

Even a strong, unique password can be stolen — through phishing, malware, or a breach of the service itself. Two-factor authentication (2FA) requires a second proof of identity to log in, so that a stolen password alone is insufficient.

  • Hardware security keys (FIDO2/WebAuthn) — the strongest option. With devices like YubiKey the response is cryptographically bound to the domain you're logging into, so a convincing fake site receives a response it cannot use, which makes them immune to phishing. Use for critical accounts where supported.
  • Authenticator apps — generate time-based codes (TOTP) that change every 30 seconds. Good choices are Aegis (Android), Raivo (iOS), or Bitwarden's built-in authenticator. Significantly better than SMS.
  • SMS codes — vulnerable to SIM-swap attacks but better than no 2FA. Use where it's the only option while pursuing better alternatives.

Enable 2FA on at minimum: your email account, your password manager, your banking and financial accounts, and any account linked to your phone number or payment method.

Password hygiene in practice

  • Change the password for any service that has been breached. Check haveibeenpwned.com to see which of your accounts have appeared in known breaches.
  • Do not share passwords. If access needs to be shared, use the sharing features of a team password manager rather than transmitting the password itself.
  • Do not send passwords via email, SMS, or messaging apps unless the channel is end-to-end encrypted and you can verify the recipient's identity.
  • Do not enter your password on untrusted devices. Keyloggers on shared or compromised computers capture credentials regardless of password strength.
  • Your master password is different. The password manager master password should never be stored anywhere — not written down, not in another password manager, not emailed to yourself. Memorise it using a diceware passphrase and test it regularly.
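The same service also lets you check whether a specific password has appeared in a breach without revealing it: the Pwned Passwords range API takes only the first five hex characters of the password's SHA-1 hash and returns every matching suffix with a count, so the comparison happens locally. The added example below (not the guide's or the service's own code) implements that k-anonymity check. It uses the real endpoint `https://api.pwnedpasswords.com/range/<prefix>`, but the test run is offline against a constructed response whose suffixes and counts are made up.

```python
import hashlib
import urllib.request

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_hash(password: str):
    """SHA-1 the password and split it into the 5-hex-char prefix that is sent and
    the 35-char suffix that stays local. The service never sees the suffix."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Parse a 'SUFFIX:COUNT' range response and return how many times our hash
    appeared, or 0 if it is absent from the range."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Live lookup (network). Only the 5-character prefix leaves the machine."""
    req = urllib.request.Request(PWNED_RANGE_URL + prefix,
                                 headers={"User-Agent": "password-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch=fetch_range) -> int:
    """Full k-anonymity check. `fetch` is injectable so the logic can be exercised
    offline against a canned response."""
    prefix, suffix = split_hash(password)
    return count_in_range(suffix, fetch(prefix))


# Constructed response for prefix 5BAA6, the prefix of SHA-1("password").
# These suffixes and counts are invented for the example; the live service
# returns several hundred '<35 hex>:<count>' lines per prefix.
CONSTRUCTED_RANGE_5BAA6 = "\r\n".join([
    "003D68EB55068C33ACE09247EE4C639306B:3",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234567",
    "5E8A0AC0A5EF2D3D0F1B5F16E1A8C6D27AE:1",
])


def offline_demo(password: str) -> int:
    """Run the check against the canned response instead of the network."""
    canned = lambda prefix: CONSTRUCTED_RANGE_5BAA6 if prefix == "5BAA6" else ""
    return pwned_count(password, fetch=canned)


if __name__ == "__main__":
    for candidate in ("password", "marble-fixed-tiger-echo-carve-lantern"):
        print(f"{candidate!r}: seen {offline_demo(candidate)} times (constructed data)")
```

A non-zero count means the password is in attacker wordlists and should be treated exactly like a reused one: replace it everywhere it is used. A zero count is not proof of strength; it only says the password has not surfaced in the breaches the service has indexed.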

Passkeys: the future of authentication

Passkeys are a newer authentication standard that replaces passwords entirely for supported services. Based on FIDO2/WebAuthn, a passkey is a cryptographic key pair: the private key stays on your device (or in your password manager), and the public key is registered with the service. Login is completed by biometric verification on your device — Face ID, Touch ID, fingerprint, or PIN — rather than typing a password: the biometric or PIN unlocks the private key locally, which then signs a challenge from the service, so no secret is ever transmitted.

Passkeys are phishing-resistant by design (the private key never leaves your device and is bound to the specific domain), immune to password database breaches (there is no password to steal), and resistant to credential stuffing. Major services — Apple, Google, Microsoft, GitHub, PayPal, 1Password, and many others — now support passkeys.

If a service you use offers passkeys, setting one up takes two minutes and eliminates the password risk entirely for that account. Bitwarden and 1Password both support passkey storage, so they are synced across your devices just like passwords. If your password manager does not yet support passkeys, your device's built-in keychain (Apple Keychain, Google Password Manager) stores them adequately for most purposes.

Passkeys do not replace password managers today — the majority of services still use passwords, and you will need a manager for those. But for the accounts that support passkeys, enable them. They represent a meaningfully stronger authentication model.

What to do today

If you do nothing else, do this: sign up for Bitwarden, generate new unique passwords for your email, banking, and most-used accounts, and enable 2FA on your email. These three steps address the most common attack paths affecting most people. The rest — auditing all accounts, moving to hardware keys or passkeys for critical services — can follow gradually.

See also: Phishing and Scams for how stolen passwords are used, and Cybersecurity Risks for a broader overview. For the strongest mobile 2FA experience — hardware-backed key storage, Aegis authenticator, and sandboxed apps — the Norypt Pixel Secure running GrapheneOS is built for exactly this.
