# Your Passwords Are Probably Terrible: How to Fix That Today
Let me guess. You have one or two passwords that you use across most of your accounts. They’re some combination of a word you can remember, a number (probably a year), and maybe a capital letter at the start. Something like “Chelsea2019” or “Sunshine123!”
If that’s you, don’t feel bad. You’re in the majority. But you’re also one data breach away from a very bad day.
Here’s the uncomfortable reality: attackers don’t usually “hack” your password by guessing it against a login page. They steal a database from some company with poor security, crack the weakly protected passwords in it offline, and then run every email-and-password pair against every other popular service with automated tooling. That technique is called credential stuffing, and it is the main way reused passwords get turned into account takeovers. If you reuse passwords, they’re into your email, your bank, your social media, and everything else.
The good news? Fixing this is surprisingly quick. You can go from “vulnerable” to “genuinely secure” in about an hour. Here’s exactly how.
## The Problem With Passwords in 2026
Let’s establish why this matters with some numbers.
In 2025 alone, over 17 billion records were exposed in data breaches. Not million — billion. If you’ve had an email address for more than a few years, your credentials have almost certainly been leaked at least once.
The most common passwords in 2025 were still “123456”, “password”, and “qwerty123”. Billions of dollars in cybersecurity technology, and humans are still using “password” as a password.
But even if your password is more creative than that, the real vulnerability is reuse. If you use the same password for your throwaway forum account and your primary email, a breach on the forum compromises your entire digital life.
## Step 1: Check If You’ve Already Been Breached
Before fixing anything, let’s assess the damage.
Go to [Have I Been Pwned](https://haveibeenpwned.com) and enter your email addresses. All of them. This free service, run by security researcher Troy Hunt, checks your email against known data breaches.
If your email appears in breaches (it probably will), don’t panic. It means your email address and usually some form of your password, hashed or sometimes in plain text, were in a leaked database. Hashes of short or common passwords are cracked in minutes, so treat the password itself as exposed. It does NOT mean someone has accessed your accounts, but you should change the password on those services immediately, and on any other service where you used the same one.
Make a note of which services were breached. Those passwords need to change first.
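Have I Been Pwned also runs a Pwned Passwords service that password managers use to check a password without ever sending it. Here is how that check works, as an added example that is not code from the original page or from HIBP: only the first five characters of the password’s SHA-1 hash are sent to `https://api.pwnedpasswords.com/range/<prefix>`, the server returns every stored suffix under that prefix with a count, and the comparison happens on your own machine. The endpoint format is the real one; the response body below is constructed for the example, with made-up counts and made-up neighbouring suffixes, and no network call is made.

```python
from __future__ import annotations

import hashlib

# Real Pwned Passwords range endpoint; this example never calls it, it only
# shows what would be sent and how the reply is checked locally.
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"

# Constructed reply for prefix 5BAA6 (the prefix of SHA-1("password")).
# All counts, and every suffix except the second line, are made up for this example.
SAMPLE_RANGE_RESPONSE = """\
0123456789ABCDEF0123456789ABCDEF012:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:10434004
FEDCBA9876543210FEDCBA9876543210FED:17
"""


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the form the API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str) -> tuple[str, str]:
    """Return (prefix, suffix): the 5 hex chars that leave your machine and the 35 that never do."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def range_url(password: str) -> str:
    """URL a client would fetch; it reveals only the 5-character prefix."""
    prefix, _ = split_hash(password)
    return PWNED_RANGE_URL.format(prefix=prefix)


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a lookup table."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, response_body: str) -> int:
    """How many times the password appears in the corpus; 0 means not found under this prefix."""
    _, suffix = split_hash(password)
    return parse_range_response(response_body).get(suffix, 0)


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        print(range_url(candidate), "->", breach_count(candidate, SAMPLE_RANGE_RESPONSE))
```

Because the server only ever sees five hex characters, it learns nothing about which of the hundreds of hashes under that prefix you were asking about; that is the k-anonymity property the password managers in Step 2 rely on for their breach checks.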
## Step 2: Get a Password Manager (This Is the Big One)
A password manager is a single app that generates, stores, and auto-fills unique passwords for every account you have. You remember one master password. The manager handles everything else.
This is the single biggest security improvement most people can make. Period.
### How It Works
1. Install the password manager on your devices
2. Create one strong master password (more on this below)
3. Import your existing saved passwords from your browser
4. Let the manager generate unique, complex passwords for each account
5. When you visit a site, the manager auto-fills your credentials
You never need to remember individual passwords again. Each account gets a unique, randomly generated password like `kP7#mQ9$vB2&nX5@`. No human can remember that, but they don’t need to — the manager fills it in automatically.
### Which One Should You Use?
The two I recommend are **1Password** and **Bitwarden**. Both are excellent, and the choice comes down to preference.
**1Password** is the polished option. Beautiful interface, excellent family and team sharing, Watchtower feature that alerts you to breaches and weak passwords. It’s a paid service ($3-5/month) and worth every penny.
[Try 1Password](https://arbilad.com/go/1password) — 14-day free trial, works across all devices and browsers.
**Bitwarden** is the budget-friendly option. Open source, independently audited, and has a genuinely capable free tier. The paid version ($10/year — not per month, per year) adds some convenience features but the free version covers the essentials.
[Try Bitwarden](https://arbilad.com/go/bitwarden) — free tier is surprisingly powerful; premium is $10/year.
Both sync across devices, auto-fill in browsers and apps, and generate secure passwords. You can’t go wrong with either.
### Your Master Password
This one password you DO need to remember, so it needs to be both strong and memorable. The best approach is a passphrase: four or more words strung together, chosen at random (roll dice against a word list, or use the manager’s own generator), not words you picked because they mean something to you. The strength comes from how many words there are and from the fact that they are random; each random word from a standard 7776-word list adds about 13 bits of entropy, while a digit adds about 3.
**Good:** `correct horse battery staple` (the classic example, and for that reason the one phrase you must never actually use; it is in every cracking wordlist)
**Better:** `purple-elephant-dancing-Tuesday-9` (separators make it easier to type, and the digit satisfies sites that demand one; a fifth word would add more strength than the digit does)
**Best:** Something equally random that you can nonetheless memorise, and that you’ve never used anywhere else
Write your master password on paper and store it somewhere physically secure (not a sticky note on your monitor). This is your backup in case you forget it.
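To make the “How It Works” steps and the master-passphrase advice concrete, here is an added example, not code from the page or from either password manager, of generating a per-site random password and a random passphrase with Python’s cryptographic RNG, plus the entropy arithmetic behind “a fifth word adds more than a digit”. The 32-word list is constructed for illustration only; a real Diceware list has 7776 words, and the `entropy_bits` figures for that size are the ones to compare against.

```python
import math
import secrets
import string

# Constructed 32-word list for illustration only; a real Diceware list has 7776 words.
SAMPLE_WORDLIST = [
    "acorn", "badge", "cabin", "dairy", "eagle", "fable", "gauge", "habit",
    "ivory", "jelly", "kayak", "lemon", "mango", "noble", "olive", "panda",
    "quilt", "radar", "salad", "tiger", "umbra", "vivid", "wheat", "xenon",
    "yacht", "zebra", "amber", "bison", "cedar", "delta", "ember", "fjord",
]
SYMBOLS = "!@#$%&*-_=+?"
PASSWORD_ALPHABET = string.ascii_letters + string.digits + SYMBOLS


def random_password(length: int = 20, alphabet: str = PASSWORD_ALPHABET) -> str:
    """The kind of per-site password a manager stores for you: uniform random picks from `alphabet`."""
    if length < 12:
        raise ValueError("12 characters is a floor, not a target")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def passphrase(words: int = 5, wordlist=SAMPLE_WORDLIST, sep: str = "-") -> str:
    """A master-password candidate: `words` uniformly random words joined by `sep`."""
    if words < 4:
        raise ValueError("use at least four words")
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(choices: int, picks: int) -> float:
    """Entropy of `picks` independent uniform choices from `choices` options: picks * log2(choices)."""
    return picks * math.log2(choices)


def compare_additions(wordlist_size: int = 7776) -> dict:
    """Bits gained by appending one more random word, one random digit, or capitalising one word."""
    return {
        "extra_word": entropy_bits(wordlist_size, 1),
        "extra_digit": entropy_bits(10, 1),
        "capitalise_one_word": entropy_bits(2, 1),
    }


if __name__ == "__main__":
    print("site password :", random_password())
    print("master phrase :", passphrase())
    print("4 words/7776  :", round(entropy_bits(7776, 4), 1), "bits")
    print("5 words/7776  :", round(entropy_bits(7776, 5), 1), "bits")
    print(compare_additions())
```

The arithmetic only holds if the words really are uniformly random; a phrase you composed yourself is drawn from a far smaller and more predictable space, which is why the text insists on dice or a generator.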
## Step 3: Enable Two-Factor Authentication (2FA)
A password, even a great one, is a single point of failure. Two-factor authentication adds a second barrier: something you know (the password) plus something you have (usually your phone).
### Where to Enable 2FA (Priority Order)
1. **Email** — Your email is the skeleton key. If someone accesses your email, they can reset passwords for everything else. Protect it first.
2. **Banking and financial accounts** — For obvious reasons.
3. **Social media** — Account takeover on social platforms is rampant and embarrassing.
4. **Cloud storage** — Google Drive, Dropbox, iCloud — anything holding personal files.
5. **Everything else that supports it** — Shopping sites, streaming services, forums.
### Types of 2FA (Best to Worst)
**Hardware keys (best):** Physical devices like YubiKey that you plug into your computer or tap on your phone. Modern keys (FIDO2/WebAuthn) sign a challenge that is bound to the real site’s domain, so a lookalike phishing page gets nothing it can replay. Recommended for high-value accounts; buy two and register both, so a lost key doesn’t lock you out.
**Authenticator apps (great):** Google Authenticator, Authy, or the built-in authenticator in 1Password/Bitwarden. Generates time-based codes on your phone. Much better than SMS, though a code can still be phished if you type it into a fake site. One caveat: if the codes live in the same password manager as the passwords, a compromise of that vault yields both factors, so for your most important accounts keep the codes in a separate app.
**SMS codes (better than nothing):** A code texted to your phone number. This is the weakest form of 2FA because phone numbers can be hijacked through SIM swapping, and the codes can be phished or intercepted. But it’s still dramatically better than no 2FA at all.
**Email codes (barely adequate):** A code sent to your email. Only useful if your email itself is secured with a stronger method.
Start with authenticator apps for everything. If you’re high-profile or have significant financial accounts online, consider a YubiKey for those critical services.
## Step 4: The Password Audit
Now that you have a password manager, run its built-in security audit.
1Password calls it “Watchtower.” Bitwarden calls it “Vault Health Reports.” Both scan your saved passwords and flag:
- **Reused passwords** — Same password on multiple sites
- **Weak passwords** — Short, simple, or commonly used
- **Breached passwords** — Passwords found in known data leaks
- **Sites without 2FA** — Accounts where you could add 2FA but haven’t
Work through the list systematically. Change the most critical accounts first (email, banking, primary social media), then work your way down. You don’t have to fix everything in one sitting — just keep chipping away at it.
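As an added example of what Watchtower and Vault Health Reports do under the hood (not their code, and a simplification), the script below scans a vault export for reused and weak passwords and for entries with no second factor, then orders the findings by the priority list from Step 3. The vault entries, the tiny common-password excerpt and the `totp` flag are all constructed for the example; a real manager decides “no 2FA” by checking the site against a list of services known to support it, and checks “breached” against Pwned Passwords rather than a local list.

```python
import string
from collections import defaultdict

# Constructed vault export for the example; none of these are real credentials.
SAMPLE_VAULT = [
    {"site": "mail.example.com",   "username": "sam@example.com", "password": "Chelsea2019",      "totp": False},
    {"site": "bank.example.com",   "username": "sam@example.com", "password": "Chelsea2019",      "totp": False},
    {"site": "forum.example.net",  "username": "sam",             "password": "Chelsea2019",      "totp": False},
    {"site": "shop.example.org",   "username": "sam@example.com", "password": "Sunshine123!",     "totp": False},
    {"site": "cloud.example.com",  "username": "sam@example.com", "password": "kP7#mQ9$vB2&nX5@", "totp": True},
    {"site": "social.example.com", "username": "sam",             "password": "qwerty123",        "totp": False},
]

# Tiny constructed excerpt standing in for a real leaked-password list.
COMMON_PASSWORDS = {"123456", "password", "qwerty123", "sunshine123!", "chelsea2019", "iloveyou"}

# Step 3's priority order: email first, then banking, social, cloud, everything else.
PRIORITY_KEYWORDS = ("mail", "bank", "social", "cloud")

CHARACTER_CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)


def priority(site: str) -> int:
    """Lower is more urgent; sites matching no keyword sort last."""
    for rank, keyword in enumerate(PRIORITY_KEYWORDS):
        if keyword in site:
            return rank
    return len(PRIORITY_KEYWORDS)


def is_weak(password: str) -> bool:
    """Short, on the common-password list, or drawn from fewer than three character classes."""
    if len(password) < 12 or password.lower() in COMMON_PASSWORDS:
        return True
    classes = sum(any(ch in cls for ch in password) for cls in CHARACTER_CLASSES)
    return classes < 3


def audit(vault):
    """Return one finding per problematic entry, sorted by priority then site name."""
    sites_by_password = defaultdict(set)
    for entry in vault:
        sites_by_password[entry["password"]].add(entry["site"])

    findings = []
    for entry in vault:
        issues = []
        if len(sites_by_password[entry["password"]]) > 1:
            issues.append("reused")
        if is_weak(entry["password"]):
            issues.append("weak")
        if not entry["totp"]:  # simplification: a stored TOTP seed stands in for "2FA enabled"
            issues.append("no-2fa")
        if issues:
            findings.append({"site": entry["site"], "issues": issues, "priority": priority(entry["site"])})
    findings.sort(key=lambda f: (f["priority"], f["site"]))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_VAULT):
        print(f'{finding["site"]:<20} {", ".join(finding["issues"])}')
```

Run against the sample vault, the report puts the mail account first with all three problems, the cloud account never appears because its password is unique and strong and it has a second factor, and the forum account, harmless on its own, is flagged because it shares the mail password; that sharing is exactly the chain the credential-stuffing attacker follows.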
## Step 5: Common Mistakes to Stop Making
### Stop Using Your Browser’s Built-in Password Manager
Chrome, Safari, and Firefox all offer to save passwords, and current versions will also generate random passwords and warn about some leaked ones. They’re far better than reuse. Their weaknesses are different: they’re tied to one browser ecosystem, so they don’t fill into other browsers or most desktop apps; they offer nothing for secure notes, shared vaults or 2FA codes; and on most setups they are protected only by your operating-system login rather than a separate master password. A dedicated manager also gives you a fuller security audit of everything you’ve saved.
Migrate your browser-saved passwords into 1Password or Bitwarden (both have import tools), then turn off the browser’s password saving.
### Stop Using “Security Questions” Honestly
“What’s your mother’s maiden name?” This information is often publicly available on social media. Instead, generate random answers and store them in your password manager.
Mother’s maiden name? `kT7purple$lamp`. First pet’s name? `quantum-bicycle-9`. Your password manager remembers these, and no one can guess or Google them.
### Stop Sharing Passwords Over Text or Email
If you need to share a login with someone, use your password manager’s sharing feature or a service like 1Password’s secure sharing links. Never send passwords in plain text over email, SMS, or messaging apps.
### Stop Ignoring Software Updates
Many breaches exploit known vulnerabilities in outdated software. Keep your operating system, browser, and apps updated. Enable automatic updates wherever possible.
## The Extra Credit: VPN for Public Networks
A strong password doesn’t help if someone intercepts your login. In practice HTTPS already encrypts the login form on any reputable site, so the classic coffee-shop password sniffing is mostly a thing of the past. What public wifi still exposes is which sites you visit (DNS lookups and connection metadata) and any stray plain-HTTP traffic, and a VPN wraps all of that in an encrypted tunnel to the VPN provider. It does nothing against phishing or data breaches, which is where passwords actually get stolen.
This is a complementary layer, not a replacement for good password hygiene. But if you’ve handled everything above and want the next level of protection, [a VPN is worth considering](/blog/do-you-actually-need-a-vpn).
## The 60-Minute Security Overhaul
Here’s your action plan, start to finish:
**Minutes 1-5:** Check [Have I Been Pwned](https://haveibeenpwned.com) for all your email addresses.
**Minutes 5-15:** Sign up for [1Password](https://arbilad.com/go/1password) or [Bitwarden](https://arbilad.com/go/bitwarden). Create a strong master passphrase. Install the browser extension and mobile app.
**Minutes 15-25:** Import your browser’s saved passwords into the password manager. Turn off browser password saving.
**Minutes 25-45:** Enable 2FA on your top 5 most important accounts (email, bank, social media). Use an authenticator app, not SMS.
**Minutes 45-60:** Run the password audit. Change the 5-10 most critical weak or reused passwords. Schedule time to fix the rest over the next week.
That’s it. Sixty minutes, and you’ve gone from average internet user to genuinely well-protected.
The cost? $0-5/month. The peace of mind? Considerable.
*Security doesn’t have to be complicated. [Subscribe to our newsletter](/newsletter) for weekly tips on protecting yourself online without a computer science degree.*