Passwords 101 — why they fail and how to fix yours

Most people use passwords that can be cracked in seconds. Here's the science of why, and a simple system that actually works.

Updated 2026-04-11

Why passwords fail

Passwords are compromised in two main ways: credential stuffing (attackers take leaked username/password pairs from one breach and try them against every other service you use) and brute-force cracking (automated tools test billions of combinations per second against stolen password hashes). Reusing a password — even a strong one — across multiple services means a single breach cascades everywhere.

What "strong" actually means

Length beats complexity. A 20-character passphrase of random words is far stronger than a 10-character mix of symbols and numbers. Password strength is measured in bits of entropy: the base-2 logarithm of the number of possible combinations an attacker must test, so each extra bit doubles the attacker's work. Four random words provide roughly 44 bits of entropy; a complex 10-character password might provide only 30–35. Modern cracking hardware can test billions of short passwords per second.
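As an added illustration of the entropy arithmetic above (example code written for this page, not part of the original article), the script below computes bits of entropy for passwords built from a pool of N choices, converts that to an expected cracking time at a given guess rate, and generates passphrases and passwords with a cryptographic random source. DEMO_WORDS is a constructed 16-word list used only so the script runs offline; real generators draw from lists such as the 2048-word list behind the "four words ≈ 44 bits" figure or the 7776-word Diceware list. The bit counts only hold when every element is chosen uniformly at random; a human-picked "complex" password sits far below the random-choice figure, which is the article's point.

```python
import math
import secrets

# Constructed 16-word list for demonstration only (4 bits per word).
# Real word lists: 2048 words (11 bits/word, so 4 words ~ 44 bits) or 7776 words (12.9 bits/word).
DEMO_WORDS = [
    "apple", "river", "stone", "cloud", "tiger", "lemon", "piano", "ocean",
    "maple", "candle", "falcon", "violet", "copper", "meadow", "glacier", "lantern",
]
# 94 printable ASCII characters (no space), the usual "symbols and numbers" pool.
PRINTABLE = "".join(chr(c) for c in range(33, 127))


def entropy_bits(pool_size: int, length: int) -> float:
    """Bits of entropy for `length` elements, each chosen uniformly from `pool_size`."""
    return length * math.log2(pool_size)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit the right value: on average half the keyspace is searched."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def generate_passphrase(words, count: int) -> str:
    """Random-word passphrase drawn with the CSPRNG in `secrets` (never `random`)."""
    return " ".join(secrets.choice(words) for _ in range(count))


def generate_password(alphabet: str, length: int) -> str:
    """Random character password from `alphabet`, same CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare(guesses_per_second: float = 1e10):
    """Return (label, bits, expected seconds) rows for a few designs at one guess rate."""
    designs = [
        ("4 words from 2048-word list", entropy_bits(2048, 4)),
        ("5 words from 7776-word list", entropy_bits(7776, 5)),
        ("10 random printable chars", entropy_bits(len(PRINTABLE), 10)),
        ("20 random printable chars", entropy_bits(len(PRINTABLE), 20)),
    ]
    return [(label, bits, expected_crack_seconds(bits, guesses_per_second))
            for label, bits in designs]


if __name__ == "__main__":
    for label, bits, secs in compare():
        print(f"{label:32s} {bits:6.1f} bits  ~{secs:.3g} s at 1e10 guesses/s")
    print("passphrase:", generate_passphrase(DEMO_WORDS, 4))
    print("password  :", generate_password(PRINTABLE, 16))
```

The guess rate is the variable that matters most: 1e10 guesses per second is representative of offline cracking against a fast, unsalted hash, and a site that stores passwords with bcrypt or Argon2 cuts that rate by orders of magnitude. Against a fast hash, 44 bits falls in minutes, which is why the manager-generated passwords in the next section are made much longer than four words.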

The only system that actually works: a password manager

A password manager generates and stores unique, random passwords for every site. You remember one master password; the manager handles everything else. This solves credential stuffing entirely — a breach on one site reveals nothing usable anywhere else. Reputable options include Bitwarden (open source, audited), 1Password, and Proton Pass. Keep your master password strong and backed up.

Multi-factor authentication (MFA)

MFA requires a second proof of identity beyond your password — typically a time-based code from an authenticator app. Even if an attacker has your password, they can't log in without the second factor. Enable MFA on your email account first (it's the master key to everything else), then banking, then any account with sensitive data. Prefer an authenticator app (like Ente Auth or Aegis) over SMS codes, which can be intercepted.

Ready to act on this?

We've reviewed the tools so you don't have to.

See our recommended password managers →