If you remember your passwords, they're probably bad. If you write them in a notebook, they're better — but only if no one finds the notebook. There is a third way that is both more secure and dramatically less work, and it's the same way every cybersecurity professional you've ever met handles their own accounts.
The two ways passwords actually get stolen
1. Breaches
A company you use gets hacked, and millions of email/password pairs end up for sale online. Criminals then try those same combinations on every other major service. If you reused that password anywhere — your email, your bank, your Amazon — they're in.
2. Phishing
You type your password into a site that looks like the real one but isn't. The password is captured the moment you press enter.
Notice what's not in this list: someone "guessing" your password. Length and complexity matter, but reuse is the bigger problem.
The new rule: every account gets its own password
Not similar. Not patterned. Unique. This is hard for humans and trivial for a password manager.
What a password manager actually does
It creates and stores a different long random password for every account. You remember one strong master password. The manager fills in the rest, and only on the website each password belongs to, so a look-alike phishing site gets nothing filled in — phishing is blocked as a side effect.
Good password manager choices in 2025
- 1Password — Polished, family-friendly, great for non-technical users (paid).
- Bitwarden — Excellent free tier, open-source, works everywhere.
- Apple Passwords — Built into iPhone/Mac, free, fine if your family lives in Apple's ecosystem.
- Google Password Manager — Built into Chrome and Android, free, fine for the Google ecosystem.
Pick one and stop comparison shopping. The best manager is the one you actually use.
Choosing a great master password
This is the only password you have to remember, so make it count. A simple recipe that beats almost any cracking attempt:
Pick four random, unrelated words. Add a number and a symbol. Example: copper-violin-rust-yard 47! — easy to remember, brutally hard to crack.
Never reuse this password anywhere else, and never type it on a device you don't own.
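The four-words-plus-number-plus-symbol recipe above, as an added example that is not part of the original article: a generator that draws each piece from the operating system's cryptographic random source, plus a rough strength estimate that assumes the attacker already knows the recipe and the wordlist. The 16-word list is constructed for the demo; the 7776-word figure is the size of the EFF long wordlist, and the 10-billion-guesses-per-second rate is an assumed attacker speed.

```python
import math
import secrets

# Constructed 16-word demo list; a real generator should draw from a
# published list of several thousand words (the EFF long list has 7776).
WORDLIST = [
    "copper", "violin", "rust", "yard", "maple", "comet", "harbor", "lantern",
    "pepper", "saddle", "tundra", "walnut", "zipper", "anchor", "basil", "cactus",
]
SYMBOLS = "!@#$%^&*"


def make_passphrase(wordlist=WORDLIST, words=4, symbols=SYMBOLS):
    """Build a master passphrase following the article's recipe:
    `words` random unrelated words, a two-digit number, then a symbol.
    secrets.choice uses the OS CSPRNG; random.choice would be predictable."""
    picked = [secrets.choice(wordlist) for _ in range(words)]
    number = secrets.randbelow(100)  # 0..99, zero-padded to two digits
    symbol = secrets.choice(symbols)
    return f"{'-'.join(picked)} {number:02d}{symbol}"


def passphrase_entropy_bits(wordlist_size, words=4, symbol_count=len(SYMBOLS)):
    """Bits of entropy for this recipe, assuming the attacker knows the recipe
    and the wordlist. Each word adds log2(N) bits, the number log2(100),
    the symbol log2(S). Human-chosen words would score far lower."""
    return words * math.log2(wordlist_size) + math.log2(100) + math.log2(symbol_count)


def seconds_to_crack(bits, guesses_per_second):
    """Expected time to search half the keyspace at the given guess rate."""
    return (2 ** bits / 2) / guesses_per_second


if __name__ == "__main__":
    print(make_passphrase())
    small = passphrase_entropy_bits(len(WORDLIST))  # the 16-word demo list
    real = passphrase_entropy_bits(7776)            # EFF long-list size
    print(f"{small:.1f} bits with 16 words; {real:.1f} bits with 7776 words")
    years = seconds_to_crack(real, 1e10) / (365 * 24 * 3600)  # assumed rate
    print(f"about {years:,.0f} years at 10 billion guesses per second")
```

The comparison shows why the wordlist matters: the same recipe jumps from roughly 26 bits with a tiny list to over 60 bits with a proper one.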
Turn on two-factor authentication (the most important step)
Even if a password is stolen, two-factor authentication (2FA) blocks the attacker because they don't have your second device. Prioritize in this order:
- Your primary email — if this falls, everything else can be reset.
- Your bank and brokerage.
- Anything storing payment info (Amazon, Apple, Google).
- Social media accounts you'd hate to lose.
About SMS codes
Text-message codes are better than nothing, but a phone number can be hijacked with a "SIM swap," after which the codes are delivered to the attacker instead of you. When given the option, use an authenticator app (Google Authenticator, Authy, 1Password, Bitwarden) or a passkey. Neither depends on your phone number, so a SIM swap can't intercept them.
What about passkeys?
Passkeys are the long-awaited replacement for passwords: a cryptographic key stored on your phone or laptop that signs you in with a fingerprint or face scan. They cannot be phished or reused. If a site offers a passkey, take it.
The weekend cleanup
- Install a password manager and set a strong master password.
- Visit haveibeenpwned.com and enter your main email — see which breaches have your data.
- Change passwords on your most important 10 accounts to new, unique, manager-generated ones.
- Turn on 2FA on those 10 accounts.
- Delete old accounts you no longer use. Each one is a future leak.
Helping less-technical family members
For older parents who are nervous about a password manager, the Apple Passwords or Google built-in manager is often a gentler start. It activates automatically and only ever fills passwords on the right sites. Pair it with paper-based "emergency cards" stored in a safe place.
One last truth
You will never remember 300 strong unique passwords. You don't have to. That's the whole point.
Was this helpful? Try the free ShieldsON app — it puts an AI advisor and a trusted person one tap away when something looks fishy.