A family member recently got a threatening email which contained the password for their email account.

When they told me this had happened three days ago and they hadn’t changed their password, I got worried. I got more concerned, though, when they told me it was also the password for other online accounts!

After helping them change all of their main accounts to unique, hard(er) to guess passwords, I got inspired to write this post about good password habits. Mainly as a way for me to dump my personal approach to online security, but also so I can share this with my family and friends who want to protect their online accounts.

So, here are the fundamentals, separated by effort level required:

Level 0: have I been pwned?

Do this right now. Head over to haveibeenpwned.com and check if your email has been involved in a data breach. Then, click on “Notify me” in the top navigation bar, and register the email address(es) you use to sign up to online accounts.

This service will let you know if your email address and any related information (passwords, physical addresses, etc) are leaked, so you can take action to protect your data.

If you have been involved in a data breach, you definitely need to continue with the steps below. If you haven’t (yet), you should still continue ;)

Level 1: stronger passwords

Watch this video so you get an idea how easy it is to crack most passwords.

Your passwords should:

  • Be long (over 20 characters)
  • Be hard to guess
  • Contain numbers, lowercase and uppercase letters, and special symbols

Your passwords should not:

  • Contain personal information like your name, initials, address, city, date of birth, etc which can be easily found online.
  • Be really common passwords

The easiest way to achieve the above is to use a passphrase, which is a combination of seemingly unrelated words, optionally separated by special symbols.

To give an example, these are bad passwords:

password1
firstnamelastname
lastnamefirstname
mumname1993
madridfirstname

Try to go for slightly better passwords, like:

Carrot-Papaya4Dog!Building

Level 2: unique passwords

Create a different password for every online account you have.

Why? Because if a website you use is involved in a data breach, hackers will try to use the same email and password combination for other online accounts you have. Having different passwords contains the damage.

Keep track of all your passwords in a paper notebook you keep safe, or in an encrypted notes app like Standard Notes. If this sounds like too much work, you should use a password manager as described in level 4.

Level 3: random passwords

Make all of your passwords completely random. Not only seemingly random, but truly random. Use an online password generator tool each time you need a new password. Here are some I recommend:

Level 4: password manager

A password manager is the easiest way to achieve all previous levels of security. It allows you to generate and easily retrieve random, unique password for each of your online accounts. My personal recommendation is Bitwarden because it offers a basic free account and the software is open source and third-party audited. Other good options include 1Password and LastPass.