🟢 Beginner Summary
The two rules that matter most: (1) Make passwords long — 16+ characters. (2) Never reuse a password across sites. A password manager makes both of these effortless. Here's everything you need to know.
Table of Contents
- What actually makes a password strong
- The passphrase method
- Why you need a password manager
- The best password managers in 2026
- Setting up your password manager
- Common password mistakes to avoid
- FAQ
What Actually Makes a Password Strong?
Most people think a password is strong if it has symbols, numbers, and capital letters. That's partly right — but the single most important factor is length, followed by uniqueness.
Here's the math, assuming the password is genuinely random and the attacker is guessing offline against a stolen copy of a site's password database (the worst case, and the one that decides how long a password needs to be):
- A 6-character password can be cracked in seconds even if it uses symbols
- A 12-character random password takes many years of guessing on current hardware, even against a site that stored it with a fast, weak hash
- A 16+ character random password effectively cannot be cracked by brute force at all
Complexity (symbols, numbers, mixed case) adds some strength, but length is what truly matters: every extra character multiplies the number of possible passwords by the size of the alphabet (95 for printable ASCII), whereas adding symbols only changes that multiplier once. Two caveats: the numbers above apply only to random passwords, not to patterns like Summer2026!, which cracking tools try first; and how fast the guessing goes depends on how the site hashed your password, which you don't control. This is why passphrases (multiple random words) work so well.
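To make the numbers above concrete, here is an added example (not code from the original article) that computes the entropy of each password style on this page and the expected crack time under two assumed guess rates. The guess rates are order-of-magnitude assumptions for one GPU rig against a fast hash versus a slow one, not measurements.

```python
import math

# Alphabet sizes for the password styles the page compares.
CHARSETS = {
    "lowercase letters": 26,
    "letters and digits": 62,
    "printable ASCII": 95,   # letters, digits, and symbols
}

# Assumed guess rates (added here, not from the page), in guesses per second
# for one GPU cracking rig. The deciding factor is how the site hashed the
# password: a fast hash lets an attacker test hundreds of billions of guesses
# per second, a slow tuned one only a few thousand.
GUESS_RATES = {
    "fast hash (unsalted MD5)": 1e11,
    "slow hash (bcrypt, moderate cost)": 1e4,
}

EFF_LARGE_LIST = 6 ** 5   # 7,776 words: five rolls of a six-sided die per word

def entropy_bits(length: int, alphabet: int) -> float:
    """Bits of entropy in a uniformly random password: log2(alphabet ** length)."""
    if length < 1 or alphabet < 2:
        raise ValueError("need at least one character drawn from at least two symbols")
    return length * math.log2(alphabet)

def passphrase_bits(words: int, list_size: int = EFF_LARGE_LIST) -> float:
    """Bits of entropy in a passphrase of random words drawn from a list of list_size words."""
    return entropy_bits(words, list_size)

def seconds_to_crack(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit the password: on average half the keyspace is searched."""
    return (2.0 ** bits) / 2.0 / guesses_per_second

def human_time(seconds: float) -> str:
    """Render a duration in the largest sensible unit."""
    for name, size in (("years", 365.25 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:,.1f} seconds"

def crack_table() -> dict[str, dict[str, str]]:
    """Crack-time estimates for the page's examples under each assumed guess rate."""
    cases = {
        "6 random printable chars": entropy_bits(6, CHARSETS["printable ASCII"]),
        "12 random printable chars": entropy_bits(12, CHARSETS["printable ASCII"]),
        "16 random printable chars": entropy_bits(16, CHARSETS["printable ASCII"]),
        "16 random lowercase letters": entropy_bits(16, CHARSETS["lowercase letters"]),
        "4-word passphrase": passphrase_bits(4),
        "6-word passphrase": passphrase_bits(6),
    }
    return {
        case: {rate_name: human_time(seconds_to_crack(bits, rate)) for rate_name, rate in GUESS_RATES.items()}
        for case, bits in cases.items()
    }

if __name__ == "__main__":
    for case, times in crack_table().items():
        print(f"{case:30}", "  |  ".join(f"{k}: {v}" for k, v in times.items()))
```

Two rows are worth a look: 16 random lowercase letters (about 75 bits) land in the same range as 12 random printable characters (about 79 bits), which is the length-beats-complexity point in numbers; and a 4-word passphrase (about 52 bits) falls in hours against a fast hash but takes thousands of years against a slow one, which is why the master password, where you control nothing about the hashing, should be six words rather than four.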
For why passwords get cracked in the first place, read: How Passwords Get Hacked
The Passphrase Method (For Passwords You Must Remember)
For passwords you genuinely need to memorize — your master password manager password, your main email, your computer login — use a passphrase.
A passphrase is several random words strung together, separated by hyphens or spaces. Use at least six words from a large word list for your master password; four is the floor, not the target. The classic example:
correct-horse-battery-staple
28 characters · Easy to remember · 4 random words from a 7,776-word list give about 52 bits of entropy: unguessable over the network, centuries of work against a site that hashes passwords slowly, but only hours for a GPU rig if the site stored it with a fast hash. Six words (about 78 bits) puts it out of reach either way.
The words must be genuinely random. Don't use phrases from songs, movies, or books, and don't use "correct-horse-battery-staple" itself: it was strong when the XKCD comic coined it, but it is now the most famous passphrase on the internet and sits in every cracking wordlist. Random is the key. "I-love-my-dog-Buddy" is weak because it's predictable: an attacker can guess it from your social media without searching anything like the full space of word combinations.
Use a physical die and a word list (the EFF Diceware list is free and designed for this: five rolls pick one of 7,776 words) to generate truly random passphrases, or use a password manager's built-in passphrase generator.
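Here is the dice procedure as code, added as an example and not part of the original article or of the EFF's own tooling. It parses the EFF list's file format, rolls five dice with a cryptographically secure generator, and builds a passphrase; the ten-line word list embedded below is a constructed sample in that format, standing in for the full 7,776-line file.

```python
import math
import secrets

# A constructed excerpt in the format of the EFF large word list (eff_large_wordlist.txt):
# one line per word, "NNNNN<tab>word", where NNNNN is five die rolls (digits 1-6).
# The real file has 6**5 = 7,776 lines; these ten are just enough to run the code.
SAMPLE_WORDLIST = """\
11111\tabacus
11112\tabdomen
11113\tabdominal
11114\tabide
11115\tabiding
11116\tability
11121\tablaze
11122\table
11123\tabnormal
11124\tabrasion
"""

FULL_LIST_SIZE = 6 ** 5

def parse_wordlist(text: str) -> dict[str, str]:
    """Map each five-digit dice key to its word, rejecting malformed lines."""
    words = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        key, _, word = line.partition("\t")
        if len(key) != 5 or any(d not in "123456" for d in key) or not word.strip():
            raise ValueError(f"line {lineno}: expected 'NNNNN<tab>word', got {line!r}")
        words[key] = word.strip()
    return words

def roll_key() -> str:
    """Five rolls of a six-sided die from the OS CSPRNG (never random.random for this)."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(5))

def generate_passphrase(words: dict[str, str], n_words: int = 6, separator: str = "-") -> str:
    """Pick n_words independently and uniformly; each pick is one five-roll lookup."""
    if n_words < 1:
        raise ValueError("a passphrase needs at least one word")
    if len(words) == FULL_LIST_SIZE:
        # Complete list: every key exists, so this is exactly the physical-dice procedure.
        picks = [words[roll_key()] for _ in range(n_words)]
    else:
        # Partial list (like the sample above): a uniform choice over what we have.
        choices = list(words.values())
        picks = [secrets.choice(choices) for _ in range(n_words)]
    return separator.join(picks)

def passphrase_bits(n_words: int, list_size: int = FULL_LIST_SIZE) -> float:
    """Entropy in bits: each word contributes log2(list_size), about 12.9 for the EFF list."""
    return n_words * math.log2(list_size)

if __name__ == "__main__":
    # For a real passphrase, load the full list:
    #   words = parse_wordlist(open("eff_large_wordlist.txt", encoding="utf-8").read())
    words = parse_wordlist(SAMPLE_WORDLIST)
    print(generate_passphrase(words, 6), f"(about {passphrase_bits(6):.0f} bits with the full list)")
```

The entropy figure is only honest for the full list: with the ten-word sample the output is a demonstration of the mechanics, not a usable passphrase. The `secrets` module matters too; the default `random` module is seeded predictably and is not suitable for generating secrets.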
🔴 The Passphrase Trap
"I'll just use my passphrase everywhere" — no! Even the best passphrase becomes useless if it's leaked from one site and reused elsewhere. Passphrases are for the few passwords you must remember. For everything else, use a password manager with random generated passwords.
Why You Need a Password Manager
Here's the impossible math of modern online life: the average person has 100+ accounts online. Security requires a unique, strong password for every single one. No human can memorize 100 random 20-character passwords.
A password manager solves this completely. It:
- Generates random, extremely strong passwords for every site
- Stores them all in an encrypted vault that only you can unlock
- Auto-fills them when you visit the site, so you never type passwords, and because it only offers a saved password on the domain it was saved for, it won't hand your password to a look-alike phishing page
- Syncs across all your devices
- Alerts you when a password appears in a breach
- Flags reused or weak passwords so you can fix them
You only ever need to remember one password — your master password — and then the manager handles everything else.
The Best Password Managers in 2026
Bitwarden (Best Free Option)
Open-source, independently audited, and free for individuals. The free tier covers unlimited passwords and unlimited devices, plus a data-breach report for your email addresses; the password-health reports (exposed, reused and weak passwords) are part of the paid tier, about $10 per year. There's no reason not to use it.
- Free tier: excellent
- Platform: Windows, Mac, Linux, iOS, Android, all major browsers
- Open source means security researchers worldwide can read and audit the code, and Bitwarden also publishes the results of its third-party audits; neither guarantees the absence of bugs, but it means flaws are more likely to be found and fixed
1Password (Best Premium Option)
The gold standard for paid password managers. Excellent UI, travel mode (hides vaults when crossing borders), Watchtower breach alerts, and exceptional family sharing. Around $3/month.
Apple Passwords (Best for Apple-Only Users)
Built into iOS 18 and macOS Sequoia as a standalone app. Free, integrates seamlessly with Apple devices, and can fill passwords in Chrome and Edge on Windows through the iCloud Passwords extension (which needs iCloud for Windows installed). Weak point: no Android support.
Setting Up Your Password Manager (Bitwarden Example)
- Go to bitwarden.com and create a free account
- Choose a strong master password (use the passphrase method above, six words or more; write it down and store it safely)
- Turn on two-step login for your Bitwarden account (an authenticator app is fine), so a master password that leaks isn't enough on its own to open the vault from a new device
- Install the Bitwarden browser extension for Chrome/Firefox/Edge/Safari
- Install the app on your phone
- Enable biometric unlock (Face ID / fingerprint) on mobile for convenience. Biometrics only unlock the vault on that device; the master password is still what protects the data, so this is no excuse for a weak one
- Start updating passwords: whenever you log in somewhere, let Bitwarden generate a new random password and save it
- Prioritize: email first (it can reset everything else), then banking, then social media, then everything else
Common Password Mistakes to Avoid
🔴 Stop Doing These
- Using "clever" substitutions: P@$$w0rd, l3tm3in. Cracking tools ship rule files that apply exactly these swaps to every dictionary word, so P@$$w0rd falls in the same pass as password.
- Using personal information: birthdays, pet names, addresses, sports teams. Attackers research you first, and targeted wordlists are built from exactly this.
- Adding numbers to the end: password1, password2, password2026. One of the most common patterns in cracked password lists; appending digits or a year is among the first rules a cracker tries.
- The security question trap: "mother's maiden name" is often findable through public records or social media. Answer with a random string, generated like a password, and store it in your password manager's notes for that site.
- Texting or emailing passwords: they pass through servers you don't control and stay readable in both parties' message history indefinitely.
- Writing passwords in a document called "passwords.docx": if an attacker or malware gets onto your computer, files with names like that are the first thing searched for.
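To show why the substitutions and appended numbers above buy nothing, here is an added example (not from the original article, and a deliberately small imitation of the rule engines in tools like hashcat) that applies leet swaps, capitalisation and common suffixes to three dictionary words and checks the results against unsalted SHA-256 hashes of five constructed passwords. The base words, victim passwords and suffix list are all assumptions made for the example.

```python
import hashlib
import itertools
from typing import Iterator

# Substitutions in the spirit of hashcat/John rule files: each replaces every occurrence
# of a letter, and every subset of them is tried, so "password" yields "p@$$w0rd" along the way.
LEET = (("a", "@"), ("s", "$"), ("o", "0"), ("e", "3"), ("i", "1"))

# Common suffixes: nothing, a "!", short digit runs, and every year from 1990 to 2030.
SUFFIXES = ["", "!", "1", "12", "123", "1!"] + [str(year) for year in range(1990, 2031)]

def leet_variants(word: str) -> set[str]:
    variants = set()
    for size in range(len(LEET) + 1):
        for subset in itertools.combinations(LEET, size):
            mangled = word
            for plain, leet in subset:
                mangled = mangled.replace(plain, leet)
            variants.add(mangled)
    return variants

def case_variants(word: str) -> set[str]:
    return {word, word.capitalize(), word.upper()}

def mangle(word: str) -> Iterator[str]:
    """All candidates derived from one dictionary word, each yielded once."""
    seen = set()
    for leet in sorted(leet_variants(word.lower())):
        for cased in sorted(case_variants(leet)):
            for suffix in SUFFIXES:
                candidate = cased + suffix
                if candidate not in seen:
                    seen.add(candidate)
                    yield candidate

def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def crack(target_hashes: set[str], base_words: list[str]) -> tuple[dict[str, str], int]:
    """Return {hash: plaintext} for every target the mangled dictionary hits, and the guess count."""
    remaining = set(target_hashes)
    found = {}
    guesses = 0
    for word in base_words:
        for candidate in mangle(word):
            guesses += 1
            digest = sha256_hex(candidate)
            if digest in remaining:
                found[digest] = candidate
                remaining.discard(digest)
    return found, guesses

# Constructed inputs: three entries any top-100 list contains, and five "victim" passwords
# stored as unsalted SHA-256 (the way a careless site might store them). The last victim
# is a random 16-character password and should survive.
BASE_WORDS = ["password", "letmein", "dragon"]
VICTIMS = ["P@$$w0rd", "l3tm3in", "password2026", "Dragon1!", "q7R#mv2!LpX9wz4B"]

def recovered(victims=VICTIMS, base_words=BASE_WORDS) -> tuple[set[str], int]:
    """Which victim passwords fall to the rule-based attack, and how many guesses it took."""
    targets = {sha256_hex(v): v for v in victims}
    found, guesses = crack(set(targets), base_words)
    return {targets[h] for h in found}, guesses

if __name__ == "__main__":
    hits, guesses = recovered()
    print(f"{len(hits)} of {len(VICTIMS)} passwords recovered after {guesses:,} guesses: {sorted(hits)}")
```

Three base words expand to a couple of thousand candidates, and four of the five passwords fall inside that set; a real rule file multiplies a million-word dictionary by hundreds of rules and still finishes in minutes against a fast hash. The random 16-character password is not reachable by any rule, because no dictionary word is underneath it.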
FAQ
What if my password manager gets hacked?
Password managers encrypt your vault with a key derived from your master password before anything leaves your device. Even if the company's servers are breached, attackers only get encrypted data, which is useless without your master password, and the slow key-derivation step means each offline guess at that password is expensive. The 2022 LastPass breach is the real-world test: attackers stole copies of customer vaults. Users with strong master passwords and a high iteration count were protected for the encrypted fields, but LastPass stored some fields unencrypted (notably the website URLs), and older accounts had very low iteration counts that made weak master passwords practical to crack offline. (We recommend Bitwarden or 1Password over LastPass for these and other reasons.) Two things are in your hands: the length of your master password, and the key-derivation work factor if your manager lets you raise it.
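The claim that a stolen vault is useless without the master password rests on two things, slow key derivation and authenticated encryption. The added example below (not any manager's real code or format; a toy construction from the Python standard library) shows both: the blob a sync server would hold, the tag check that rejects a wrong password before anything is decrypted, and the iteration count that sets the cost of each offline guess. Real managers use AES-GCM or XChaCha20-Poly1305 with PBKDF2 or Argon2id; the master passphrase and vault entries here are constructed.

```python
import hashlib
import hmac
import json
import os

# Toy vault format, added as an illustration (not any manager's real format): the master
# password never touches the server; only the salt, work factor, nonce, ciphertext and tag do.
DEFAULT_ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor (OWASP's current recommendation)

def derive_keys(master_password: str, salt: bytes, iterations: int) -> tuple[bytes, bytes]:
    """Stretch the master password into separate encryption and authentication keys."""
    master_key = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=32)
    enc_key = hmac.new(master_key, b"vault-encryption", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"vault-authentication", hashlib.sha256).digest()
    return enc_key, mac_key

def keystream_xor(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 in counter mode as a stream cipher; XOR is its own inverse."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(enc_key, nonce + offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)

def lock_vault(master_password: str, entries: dict, iterations: int = DEFAULT_ITERATIONS) -> dict:
    """Encrypt and authenticate the entries; the result is what a sync server would store."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(master_password, salt, iterations)
    ciphertext = keystream_xor(enc_key, nonce, json.dumps(entries).encode("utf-8"))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return {"kdf": "pbkdf2-hmac-sha256", "iterations": iterations, "salt": salt.hex(),
            "nonce": nonce.hex(), "ciphertext": ciphertext.hex(), "tag": tag.hex()}

def unlock_vault(master_password: str, blob: dict) -> dict:
    """Re-derive the keys; a wrong password or a modified blob fails the tag check before decryption."""
    salt, nonce, ciphertext, tag = (bytes.fromhex(blob[k]) for k in ("salt", "nonce", "ciphertext", "tag"))
    enc_key, mac_key = derive_keys(master_password, salt, blob["iterations"])
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong master password or tampered vault")
    return json.loads(keystream_xor(enc_key, nonce, ciphertext).decode("utf-8"))

def stolen_vault_demo(iterations: int = DEFAULT_ITERATIONS) -> dict:
    """What an attacker holding the blob can and cannot do. Inputs are constructed for the example."""
    master = "harbor-velvet-cactus-spiral-monsoon-quartz"   # six-word passphrase, constructed
    entries = {"bank.example": {"user": "alice", "password": "Vx7!qLm2#Rt9pW4z"}}
    blob = lock_vault(master, entries, iterations)
    raw = bytes.fromhex(blob["ciphertext"])
    try:
        unlock_vault("password123", blob)
        wrong_rejected = False
    except ValueError:
        wrong_rejected = True
    return {
        "unlocked_matches": unlock_vault(master, blob) == entries,
        "wrong_password_rejected": wrong_rejected,
        "secrets_visible_in_blob": b"alice" in raw or b"Vx7!qLm2" in raw,
        "pbkdf2_work_per_guess": iterations,   # each offline guess costs this many HMAC rounds
    }

if __name__ == "__main__":
    print(json.dumps(stolen_vault_demo(), indent=2))
```

The iteration count is the LastPass lesson in one number: an attacker with the blob must run the full derivation for every master-password guess, so 600,000 iterations makes each guess thousands of times more expensive than the 5,000 that older LastPass accounts used, and a six-word passphrase on top of that puts the search out of reach. Note also that everything in `entries` is inside the ciphertext; a design that leaves the site URLs outside it tells the attacker where each credential is worth trying.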
Should I write my master password down?
Yes — on paper, stored somewhere physically secure like a home safe. Not in a digital file. The threat model for paper is very different from digital: it can't be accessed remotely or harvested by malware. The risk of forgetting your master password (and losing all your passwords) outweighs the risk of someone physically finding it.
How do I check if my current passwords are compromised?
Use Have I Been Pwned (haveibeenpwned.com) or your password manager's built-in breach monitoring. The Pwned Passwords check is safe to use with a live password: your browser sends only the first five characters of the password's SHA-1 hash and matches the rest locally, so the password itself never leaves your computer. Read: How to Check if Your Email Has Been Hacked
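Here is that k-anonymity lookup as an added example (not code from the original article or from Have I Been Pwned): it hashes the password, splits off the five-character prefix, and parses a range response to find the count for the remaining 35 characters. The embedded response is a constructed sample in the API's line format with made-up counts; `fetch_range` performs the real network call and is not used in the offline demo.

```python
import hashlib
import urllib.request

# Constructed sample of what the range endpoint returns for the prefix 5BAA6: one
# "HASH-SUFFIX:COUNT" line per leaked hash, CRLF-separated. The counts are made up;
# the third suffix is the real SHA-1 tail of the word "password".
SAMPLE_RANGE_RESPONSE = (
    "1D2DA4053E34E76F6576ED1DA63134B5E2A:2\r\n"
    "1D72CD07550416C216D8AD296BF5C0AE8E0:10\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
    "1E2AAA439972480CEC7F16C795BBB429372:1\r\n"
)

def split_hash(password: str) -> tuple[str, str]:
    """Uppercase SHA-1 of the password: the 5-char prefix goes to the API, the 35-char suffix stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(text: str) -> dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines; tolerate blank lines and either line ending."""
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        if len(suffix) != 35 or not count.isdigit():
            raise ValueError(f"unexpected line in range response: {line!r}")
        counts[suffix.upper()] = int(count)
    return counts

def breach_count(password: str, range_response: str) -> int:
    """Times the password appears in the breach corpus, matched locally; 0 means not in the data set."""
    _, suffix = split_hash(password)
    return parse_range_response(range_response).get(suffix, 0)

def fetch_range(prefix: str) -> str:
    """Live lookup (not used in the offline demo): only the 5-char prefix ever leaves the machine."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly five hex characters")
    req = urllib.request.Request(f"https://api.pwnedpasswords.com/range/{prefix}",
                                 headers={"User-Agent": "password-guide-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

if __name__ == "__main__":
    print("password:", breach_count("password", SAMPLE_RANGE_RESPONSE))
    # Live use: prefix, _ = split_hash(pw); print(breach_count(pw, fetch_range(prefix)))
```

The privacy property comes from the split: the server sees a prefix shared by hundreds of hashes and cannot tell which one you hold, and the comparison against the suffix happens on your machine. A non-zero count means the password is in attackers' wordlists regardless of how strong it looks, and should be replaced.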
References
- NIST SP 800-63B — Digital Identity Guidelines
- EFF Diceware Wordlist — eff.org/dice
- Bitwarden Security Whitepaper — bitwarden.com
- 1Password Security Design — 1password.com