
Lesson 2/5

Passwords that hold

Passphrases, managers, and breach checks without panic.

1. Why passwords get stolen

Passwords are often stolen through data breaches, not because the user is foolish. A site is hacked, and the leaked email-password pairs are then tried against email, banking, shopping, and social accounts. This is credential stuffing. The NCSC described 2024 Swiss cases where one leaked and reused password opened several services: for normal users, reuse is the number-one mistake. Your email password matters most, because email can reset many other accounts.

2. Passphrases beat short complexity

A password like "T7!qZ9@p" is hard to remember and often gets reused. A passphrase is more human: four unrelated words, for example the shape "cup-lake-window-purple". Do not use that example; make your own. Length helps. Avoid famous quotes, family names, birthdays, or football teams. If spaces are allowed, use a long phrase. If not, use hyphens or dots.
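To see why length helps, here is an added example (not part of the original lesson) that picks passphrase words with the operating system's random generator and estimates strength in bits. The word list is a constructed 32-word sample and the function names are illustrative; the 7776-word figure is the size of the EFF long word list.

```python
import math
import secrets

# Constructed sample list, for illustration only. A real generator needs a
# large list (the EFF long list has 7776 words); 32 words give 5 bits each.
SAMPLE_WORDS = """anchor basil cactus dolphin ember falcon glacier harbor
igloo jigsaw kettle lantern magnet nutmeg orchid pebble quartz ribbon saddle
tunnel umbrella velvet walnut xylophone yogurt zipper bamboo candle dagger
engine feather goblet""".split()


def entropy_bits(pool_size: int, picks: int) -> float:
    """Bits of entropy for `picks` independent, uniform choices from a pool."""
    return picks * math.log2(pool_size)


def words_needed(target_bits: float, list_size: int) -> int:
    """Smallest number of words whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


def generate_passphrase(words, n_words: int = 4, sep: str = "-") -> str:
    """Pick n_words at random; use sep "-" or "." where spaces are refused."""
    unique = sorted(set(words))  # duplicates would skew the odds
    if len(unique) < 2 or n_words < 1:
        raise ValueError("need at least two distinct words and one pick")
    # secrets uses the OS CSPRNG; people choosing words "at random" do not.
    return sep.join(secrets.choice(unique) for _ in range(n_words))


if __name__ == "__main__":
    short = entropy_bits(94, 8)       # 8 random printable-ASCII characters
    print(f"8 random characters : {short:.1f} bits")
    for n in (4, 5, 6):               # each extra word adds about 12.9 bits
        print(f"{n} words from 7776  : {entropy_bits(7776, n):.1f} bits")
    print("words to match the 8 characters:", words_needed(short, 7776))
    print("sample (weak 32-word list):", generate_passphrase(SAMPLE_WORDS))
```

Four words from a large list are roughly as strong as eight truly random characters and far easier to remember, and each further word adds about 12.9 bits.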

3. Password managers

A password manager keeps a different password for every site. Examples include 1Password, Bitwarden, Apple Keychain, and Google Password Manager. This is not a promotion; choose what you will actually use. Remember one long master password, enable device lock, and accept generated passwords. The big security gain is stopping password reuse across email, bank, social, and shops.

4. Check known breaches

Use Have I Been Pwned to check whether your email appears in known breaches. Enter the email, not your password. If an old service appears, change that password and any other account where you reused it. Start with email, bank, Apple ID or Google account, and main social accounts. A breached password is burned forever.

Quiz 1/4

What is the most dangerous mistake?