Good news first: you do not need to follow fifty security rules, change every password every month, or memorise strings like kX9#mQ2v. Most account break-ins happen one specific way, and three moves — doable in one evening — close that path almost completely.
How accounts actually get broken into
Attackers rarely "crack" your password by guessing it. Instead, some website you registered on years ago gets breached, its password list leaks, and automated tools then try that same email-and-password pair on hundreds of other services — banking, email, shopping, social. The industry calls it credential stuffing, and it works for one reason only: most people reuse passwords. Notice what this means. The strength of your password barely matters if you have reused it; a twenty-character masterpiece typed into two hundred sites is one breach away from opening all two hundred.
Move 1 — Make email and banking unique, tonight
Your email account is the master key to everything else, because "forgot password" links land there: whoever controls your inbox can reset their way into the rest of your life. So even if you change nothing else, give your primary email and your bank passwords that exist nowhere else on earth. Two accounts, ten minutes, and the chain reaction from any future breach stops at the door that matters.
Move 2 — Let a password manager do the remembering
Unique passwords for everything is impossible advice for a human memory — which is exactly why password managers exist. The manager generates a different random password for every site, fills it in for you, and locks the whole vault behind the one strong passphrase you do memorise. Built-in options in your browser or phone (iCloud Keychain, Google Password Manager) are perfectly good starting points; dedicated apps add sharing and cross-platform polish. The point is not which one — it is that after setup, "what's my password?" stops being your problem, and reuse disappears as a side effect.
Move 3 — Turn on two-factor for the accounts that matter
Two-factor authentication means a stolen password alone is no longer enough to get in. Enable it on email, banking, and your main social accounts. An authenticator app (or your phone's built-in prompt) is stronger than SMS codes — text messages can be intercepted through SIM-swap tricks — but SMS still beats nothing by a wide margin. And where a site offers passkeys, take them: you sign in with your face or fingerprint, there is no password to steal, and phishing pages get nothing to harvest.
The permission slip: what you can stop doing
Official guidance caught up with reality years ago, and it is more relaxed than the folklore. Current NIST guidelines — the standards US agencies follow — recommend length over forced complexity (a phrase like "coffee-horse-window-tuesday" beats "P@ssw0rd!"), and no longer recommend scheduled password changes: forced rotation just pushes people toward Password2024!, Password2025!. Change a password when there is a reason — a breach notice, a shared device, a suspicious login — not because a calendar said so.
- Tonight (20 minutes): unique passwords on email + bank, two-factor on both.
- This week: turn on the password manager, let it capture logins as you use them.
- Ongoing: when a site offers a passkey, say yes; when a breach email arrives, change that one password and any place you had reused it.
Three moves, one evening, and the attack that accounts for the bulk of real-world account takeovers finds every important door locked.