The Password Problem: Why We’re All Doing It Wrong

You’re reading this, which means you probably have somewhere between 50 and 200 online accounts. Email, banking, social media, streaming services, that one forum you signed up for in 2014 to ask a question about your dishwasher and never went back to. Each one requires a password. And if you’re being honest — truly, painfully honest — at least half of them use the same one.

Don’t worry. Almost everyone does it. A recent study found that the average person reuses the same password across at least five different accounts. The most popular password in the world is still “123456,” followed closely by “password.” We’ve had twenty-five years of internet security awareness campaigns, and we’ve collectively decided that our cat’s name plus the year we were born is sufficient protection for our entire digital lives.

The problem isn’t that we’re stupid. The problem is that the system is broken. We’ve been told to create passwords that are “at least 12 characters long, with uppercase and lowercase letters, numbers, and special symbols.” So we create something like “Tr0ub4dor&3” — a password that’s hard for humans to remember and trivially easy for computers to crack.

Here’s why: modern password-cracking software doesn’t try random combinations. It uses dictionaries of common substitutions. It knows that people replace “a” with “@” and “o” with “0” and “s” with “$”. It knows that most people put the capital letter at the beginning and the number at the end. Your clever substitutions are about as clever as hiding your house key under the doormat.

A better approach, recommended by security researchers and even the National Institute of Standards and Technology, is the passphrase method. Instead of one complex word, use four or five random words strung together. “correct horse battery staple” is orders of magnitude harder to crack than “Tr0ub4dor&3” and infinitely easier to remember. The math is straightforward: a four-word passphrase drawn from a dictionary of 7,000 common words has roughly 2,400 times more possible combinations than an eight-character password using the full set of letters, numbers, and symbols.
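The two ideas above, substitution-aware cracking and word-based passphrase entropy, can be made concrete in a few lines. The following Python is an added example, not code from the original post: it reverses the usual symbol-for-letter substitutions to recognise a dressed-up dictionary word such as the page's "Tr0ub4dor&3", and it scores a random passphrase by the size of the word list it was drawn from. The word list and the substitution map are constructed for the demonstration (a real checker would load a list of several thousand words, and a real cracking rule set is far larger); the spelling "troubador" follows the page's example.

```python
import math
import re
import secrets
from typing import Optional

# Constructed stand-in for a dictionary of common words. A real checker would
# load a list of several thousand words (or a breached-password list) from disk.
COMMON_WORDS = {
    "troubador", "troubadour", "password", "dragon", "monkey", "letmein",
    "welcome", "football", "sunshine", "correct", "horse", "battery", "staple",
}

# The substitutions cracking rule sets try, written in reverse so a candidate
# can be mapped back to the plain word it was built from (constructed subset).
LEET_MAP = {"@": "a", "4": "a", "0": "o", "$": "s", "5": "s",
            "1": "i", "!": "i", "3": "e", "7": "t"}


def normalize(candidate: str) -> str:
    """Lower-case the candidate and undo symbol-for-letter substitutions."""
    return "".join(LEET_MAP.get(ch, ch) for ch in candidate.lower())


def mangled_dictionary_word(candidate: str, words=COMMON_WORDS) -> Optional[str]:
    """Return the base word if the candidate is a dictionary word dressed up with
    substitutions, a leading capital and/or a short digit/symbol suffix."""
    # "Tr0ub4dor&3" -> test both the whole string and the string minus "&3",
    # because a trailing "0" may be a substituted "o" rather than a suffix.
    without_suffix = re.sub(r"[^A-Za-z]{1,4}$", "", candidate)
    for form in (candidate, without_suffix):
        base = normalize(form)
        if base in words:
            return base
    return None


def naive_bits(candidate: str) -> float:
    """Entropy a complexity policy credits: charset_size ** length, in bits."""
    charset = 0
    if re.search(r"[a-z]", candidate):
        charset += 26
    if re.search(r"[A-Z]", candidate):
        charset += 26
    if re.search(r"[0-9]", candidate):
        charset += 10
    if re.search(r"[^A-Za-z0-9]", candidate):
        charset += 33  # printable ASCII symbols
    return len(candidate) * math.log2(charset)


def passphrase_bits(dictionary_size: int, n_words: int) -> float:
    """Entropy of n words chosen uniformly at random from a dictionary."""
    return n_words * math.log2(dictionary_size)


def generate_passphrase(words=COMMON_WORDS, n_words: int = 4) -> str:
    """Pick words with the OS CSPRNG (secrets), never with random.choice."""
    pool = sorted(words)
    return " ".join(secrets.choice(pool) for _ in range(n_words))


def assess(candidate: str) -> dict:
    """Contrast the entropy a policy sees with what a cracker actually faces."""
    base = mangled_dictionary_word(candidate)
    return {
        "candidate": candidate,
        "naive_bits": round(naive_bits(candidate), 1),
        "dictionary_word": base,
        "weak": base is not None,
    }


if __name__ == "__main__":
    print(assess("Tr0ub4dor&3"))
    print(assess("P@ssw0rd1"))
    phrase = generate_passphrase(n_words=4)
    print(phrase, "from a 7,000-word list would carry about",
          round(passphrase_bits(7000, 4), 1), "bits")
```

The point the numbers make: a complexity checker credits "Tr0ub4dor&3" with roughly 72 bits because it counts every character as a free choice, yet the candidate collapses to one dictionary word plus a two-character suffix once the substitutions are undone. Four words drawn uniformly from a 7,000-word list carry about 51 bits that no substitution rule can shortcut, because the randomness is in the choice of words rather than in decoration.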

But even passphrases don’t solve the fundamental problem: you can’t remember a unique one for each of your 150 accounts. This is where password managers come in, and where most people’s eyes glaze over.

A password manager is a digital vault that stores all your passwords behind one master password. You remember one strong passphrase, and the software remembers everything else. It generates random, unique passwords for each site — strings of characters that no human would ever create or remember. It fills them in automatically when you need them.

The objection I hear most often is: “But what if someone hacks my password manager?” It’s a fair question. The answer is that reputable password managers encrypt your data locally before it ever touches their servers. Even if someone breaks into the company’s database, all they get is encrypted gibberish. Your master password never leaves your device.
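What "encrypt locally, master password never leaves your device" looks like in practice can be shown with a key-derivation pattern: the passphrase is stretched once on the device, and the result is split into a key that encrypts the vault and a separate value used only to authenticate to the server. The Python below is an added example, not the code of any particular password manager and not from the original post; it models the general design as an assumption, uses only the standard library, and stands in the vault ciphertext with an opaque byte string because the encryption step itself is not the point being illustrated. `FakeServer`, the domain-separation labels and the salts are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Optional


def derive_keys(master_passphrase: str, salt: bytes) -> tuple:
    """Stretch the master passphrase on the device with scrypt, then derive two
    domain-separated subkeys: one encrypts the vault locally, the other is the
    only secret-derived value ever sent to the server."""
    master_key = hashlib.scrypt(master_passphrase.encode("utf-8"), salt=salt,
                                n=2 ** 14, r=8, p=1, dklen=32)
    # HMAC with distinct labels: knowing auth_key does not reveal vault_key.
    vault_key = hmac.new(master_key, b"vault-encryption", hashlib.sha256).digest()
    auth_key = hmac.new(master_key, b"server-authentication", hashlib.sha256).digest()
    return vault_key, auth_key


class FakeServer:
    """Constructed stand-in for the provider: it stores a salted hash of the
    auth key and the opaque vault blob, and never sees the passphrase."""

    ROUNDS = 100_000

    def __init__(self):
        self.users = {}

    def register(self, user: str, auth_key: bytes, vault_blob: bytes) -> None:
        server_salt = os.urandom(16)
        stored = hashlib.pbkdf2_hmac("sha256", auth_key, server_salt, self.ROUNDS)
        self.users[user] = {"salt": server_salt, "auth": stored, "vault": vault_blob}

    def login(self, user: str, auth_key: bytes) -> Optional[bytes]:
        """Return the vault blob on a matching auth key, else None."""
        record = self.users.get(user)
        if record is None:
            return None
        check = hashlib.pbkdf2_hmac("sha256", auth_key, record["salt"], self.ROUNDS)
        if not hmac.compare_digest(check, record["auth"]):
            return None
        return record["vault"]

    def dump(self, user: str) -> dict:
        """What an attacker who copies the database obtains."""
        return dict(self.users[user])


if __name__ == "__main__":
    # Per-user salt would normally be derived from a stable identifier; constructed here.
    salt = b"constructed-user-salt"
    vault_key, auth_key = derive_keys("correct horse battery staple", salt)
    server = FakeServer()
    server.register("alice", auth_key, b"<opaque ciphertext produced with vault_key>")
    print("login ok:", server.login("alice", auth_key) is not None)
    print("server holds vault key:", vault_key in server.dump("alice").values())
```

The checkable property is the one the paragraph claims: a copy of the server's records yields a salted hash of `auth_key` and the ciphertext, neither of which equals or derives `vault_key`, and a wrong passphrase produces a different `auth_key` and fails login. Real products add a per-user salt bound to the account identifier and an authenticated cipher (an AEAD) for the vault; those pieces are assumed, not shown.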

The real objection, the one people don’t say out loud, is laziness. Setting up a password manager takes about twenty minutes. Migrating your existing passwords takes an afternoon. It’s tedious, unglamorous work that provides no immediate dopamine hit. It’s the digital equivalent of flossing: everyone knows they should do it, almost nobody does, and we all pretend we’ll start next week.

Here’s my pitch: spend one Sunday afternoon setting it up. Import your saved passwords from your browser. Let the manager flag the ones that are weak or reused. Change them one by one, starting with email and banking. It will take a few hours. It will be boring. And it will be the single most impactful thing you do for your digital security this year.

Your cat’s name deserves better than to be a password.
