Password Best Practices
Following password best practices can prevent the majority of account compromises. These recommendations come from security researchers, industry standards, and lessons learned from countless data breaches. Implementing them significantly reduces your risk of becoming a victim.
Use a Password Manager
A password manager is the single most impactful security improvement most people can make. It solves the fundamental problem of password security: humans cannot remember dozens of unique, complex passwords, so they reuse weak ones instead.

A password manager stores all your passwords in an encrypted vault protected by one master password. When you log in to a site, the manager fills in your credentials. You only need to remember the master password; every other password can be randomly generated with no concern for memorability.

Popular password managers include Bitwarden (open source, free tier available), 1Password (excellent user experience), KeePass (local-only, maximum control), LastPass (widely used, but it has had security incidents), and Dashlane (good for beginners). All major browsers also include a basic password manager, though dedicated tools typically offer more features and stronger security, such as vault auditing, secure sharing, and a vault that stays encrypted independently of the browser profile.

Choosing a master password is critical. This is the one password you must remember, and it protects everything else. Use a long passphrase of random words (at least 5-6 words) drawn from a word list by a random generator rather than chosen by you: phrases people pick are far more predictable than they feel. Consider writing it down initially and storing the paper securely while you commit it to memory.

Password managers offer additional security benefits: they resist phishing because they only auto-fill on the exact domain a credential was saved for (a look-alike domain gets nothing), they generate truly random passwords, they can audit your vault for weak or reused passwords, and the vault is encrypted at rest, so a stolen device does not expose its contents to anyone who lacks the master password.

Common concerns: putting all your eggs in one basket seems risky, but a well-designed password manager with a strong master password is far more secure than the alternative of reusing weak passwords. In a zero-knowledge design, cloud sync carries only ciphertext encrypted under a key derived from your master password, so the service cannot read your passwords. The major managers have undergone independent security audits. Protect the manager itself with two-factor authentication, since it is now your highest-value account.

The transition takes some effort but pays dividends. Start by adding new accounts to the manager, then gradually migrate existing accounts, prioritizing critical ones such as email and financial sites. Over a few weeks, you will have all credentials managed securely.
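As an added illustration (not code from this page or from any of the managers named above), here is how a manager-style passphrase generator draws words and how much guess-resistance the result has. The word list is a constructed 40-word sample so the example runs offline; a real generator uses a published list such as the EFF long list of 7776 words, and that list size is the only real figure used here.

```python
import math
import secrets

# Constructed sample word list for this example only. A real passphrase must be
# drawn from a large published list (e.g. the EFF long list, 7776 words); a list
# this small exists here just so the example runs offline.
SAMPLE_WORDS = [
    "able", "acid", "aged", "also", "area", "army", "away", "baby", "back", "ball",
    "band", "bank", "base", "bath", "bear", "beat", "been", "beer", "bell", "belt",
    "best", "bill", "bird", "blow", "blue", "boat", "body", "bomb", "bond", "bone",
    "book", "boom", "born", "boss", "both", "bowl", "bulk", "burn", "bush", "busy",
]
EFF_LONG_LIST_SIZE = 7776


def entropy_bits(list_size: int, n_words: int) -> float:
    """Entropy of n_words chosen uniformly and independently from list_size words.

    This figure only applies to a passphrase a machine generated at random. A
    phrase a human chose, however long, is drawn from a much smaller space and
    gets no credit from this formula.
    """
    return n_words * math.log2(list_size)


def words_needed(list_size: int, target_bits: float) -> int:
    """Smallest word count that reaches target_bits from a list of list_size words."""
    return math.ceil(target_bits / math.log2(list_size))


def generate_passphrase(words, n_words: int = 6, separator: str = "-") -> str:
    """Pick n_words with the OS CSPRNG via the secrets module.

    random.choice is seeded from a small, predictable state and must never be
    used for credentials; secrets.choice is the correct call.
    """
    if n_words < 1:
        raise ValueError("need at least one word")
    return separator.join(secrets.choice(words) for _ in range(n_words))


if __name__ == "__main__":
    print(generate_passphrase(SAMPLE_WORDS, 6))
    print(f"6 words from the EFF list: {entropy_bits(EFF_LONG_LIST_SIZE, 6):.1f} bits")
    print(f"words needed for 77 bits from this tiny list: {words_needed(len(SAMPLE_WORDS), 77)}")
```

Six words from the 7776-word list give about 77.5 bits, which is why the 5-6 word minimum above is sound; the same 77 bits would need 15 words from the constructed 40-word list, so the size of the list matters as much as the word count.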
Enable Two-Factor Authentication
Two-factor authentication (2FA) adds a critical second layer of security beyond passwords. Even if an attacker obtains your password through phishing, a data breach, or other means, they still cannot access your account without the second factor.

The factors are: something you know (a password), something you have (a phone or security key), and something you are (biometrics). True 2FA requires two different factor types. Two passwords are not 2FA; a password plus a code from your phone is.

Authenticator apps such as Google Authenticator, Authy, Microsoft Authenticator, or the authenticator built into 1Password generate time-based one-time passwords (TOTP). These 6-digit codes change every 30 seconds and are computed from a shared secret established when you enable 2FA; the QR code you scan at setup contains that secret, so treat it as a credential. The codes work offline and are much more secure than SMS codes. They are not phishing-proof, though: a fake login page can relay a freshly typed code to the real site within its 30-second window.

SMS-based 2FA sends codes by text message. It is better than no 2FA, but SMS has known weaknesses: SIM-swapping attacks move your phone number onto an attacker's SIM so they receive your texts, and SS7 signalling vulnerabilities allow interception in transit. Use SMS 2FA only when better options are not available.

Hardware security keys (YubiKey, Google Titan, SoloKeys) provide the strongest 2FA. They are physical devices that connect over USB or NFC. They resist phishing because the browser binds each response to the origin of the site that registered the key: a key enrolled on the real site will not produce a valid response for a look-alike domain, so there is nothing for a phishing page to relay. Security keys are recommended for high-value accounts; enroll two so that losing one does not lock you out.

Backup codes are issued when you enable 2FA and should be stored securely (printed and locked away, or in your password manager). They let you recover access if you lose your second factor. Treat them as seriously as the password itself, because anyone holding one can bypass your second factor.

Enable 2FA on every account that supports it, prioritizing: email (the gateway to resetting other accounts), financial accounts, your password manager, social media (often used for single sign-on), and work accounts. Most major services now support 2FA; check the account's security settings.
Never Reuse Passwords
Password reuse is one of the most common and dangerous security mistakes. When any service is breached, and breaches happen constantly, your password for that service is exposed. Attackers immediately try those credentials on other popular services in an attack called credential stuffing.

The scale of this threat is staggering. Billions of credentials from breaches are traded on dark web marketplaces, and attackers automate login attempts across hundreds of services. If you used the same password for a gaming forum (breached) and your email (high value), your email is compromised.

Compromised email is particularly devastating. Most password resets go to email, so email access means access to everything: attackers can reset passwords on your bank, shopping sites, social media, and more. Protect your email with a unique password and 2FA.

The argument against reuse is arithmetic. Suppose you use one password on 50 services and each has a 5% chance of being breached in a given year. The chance that none of the 50 is breached that year is 0.95 to the 50th power, about 8%, so there is roughly a 92% chance the shared password is exposed within a single year, and over five years exposure is a near certainty. With unique passwords, each breach compromises only that one service.

The only practical way to maintain unique passwords is a password manager. Humans simply cannot remember dozens of unique strong passwords, and trying to leads to patterns and variations that attackers exploit (Password1, Password2, Password2023, and so on); credential-stuffing tools try those variations automatically.

Checking for breaches is essential. Visit haveibeenpwned.com and enter your email addresses to see whether they appear in known breaches. If they do, change those passwords immediately, along with any other accounts where you used the same password. Consider setting up alerts for future breaches.

When you discover a reused password, change it in this order: your email first (to prevent reset attacks), financial accounts, any accounts holding payment information, social media (used for OAuth and single sign-on), then work accounts. A password manager can audit your vault for reuse.
Check for Breaches
Data breaches are inevitable; companies with massive security budgets still get hacked. Your strategy should assume some of your credentials will eventually be exposed and plan accordingly with monitoring, unique passwords, and rapid response.

Have I Been Pwned (haveibeenpwned.com) is the essential resource for breach checking. Enter any email address to see whether it appears in known breaches. The service is free, operated by security researcher Troy Hunt, and indexes more than 12 billion breached accounts. Check all your email addresses.

Setting up breach notifications is crucial. Have I Been Pwned offers free notification when your email appears in a new breach. Firefox Monitor (now Mozilla Monitor) provides similar functionality, and 1Password and some other password managers include breach monitoring. These alerts let you respond quickly rather than discovering a breach months or years later.

When you discover you are in a breach: immediately change the password for that service, check whether you used that password elsewhere and change those too, review account activity for signs of unauthorized access, enable 2FA if you have not already, and consider what data was exposed and take appropriate precautions.

Password-specific searches: Have I Been Pwned's Pwned Passwords service also lets you check whether a specific password has appeared in breaches without revealing it to the service. The client hashes the password with SHA-1, sends only the first five hex characters of the hash, receives every known hash suffix sharing that prefix, and does the comparison locally (a k-anonymity scheme). This is useful when auditing your password manager, and several managers run the check automatically. Any password that appears in breach data should be changed immediately, because attackers feed breach data into their password dictionaries.

Corporate breaches require a different response. If a service you use notifies you of a breach, take the notification seriously. Change your password even if they say it was not compromised; they may not know the full extent. Be alert for phishing attempts that follow major breach announcements, since attackers exploit the confusion.

Regular security audits should be routine. Quarterly, review your password manager for weak passwords, reused passwords, and passwords for accounts in known breaches. Most managers include audit features. Fix any problems found. This proactive approach catches issues before attackers exploit them.